Firewalls

Follow these steps to send logs from your firewalls to Strata Logging Service.
Before you start sending logs to Cortex™ Data Lake, you must:
The following task describes how to start forwarding logs to Strata Logging Service from firewalls that are not managed by Panorama™. You’ll specify the log types you want to forward and also take steps to make sure that the traffic between the firewall and Strata Logging Service remains secure.
  1. If you haven’t done so already, Activate Strata Logging Service and onboard firewalls to Strata Logging Service.
  2. In the Strata Logging Service app, click Inventory > Firewall and enable store log data if you want to store logs from the firewall.
  3. Specify the log types to forward to Strata Logging Service.
    1. To forward System, Configuration, User-ID, and HIP Match logs:
      1. Select Device > Log Settings.
      2. For each log type that you want to forward to Strata Logging Service, Add a match list filter. Give it a Name, optionally define a Filter, select Logging Service, and click OK.
    2. To forward log types that are generated when a policy match occurs—Traffic, Threat, WildFire® Submission, URL Filtering, Data Filtering, and Authentication logs—create and attach a Log Forwarding profile to each policy rule for which you want to forward logs.
      1. Select Objects > Log Forwarding to Add a profile. In the log forwarding profile match list, add each log type that you want to forward.
        If you enabled the Enhanced Application Logs feature, then fully Enable enhanced application logging to Strata Logging Service on the firewall to forward these log types. When you enable this feature, the match lists that specify the log types required for enhanced application logging are automatically added to the profile.
      2. Select Logging Service as the Forward Method to enable the firewalls in the device group to forward the logs to Strata Logging Service. You can monitor the logs and generate reports from Panorama.
      3. If you haven’t already done so, create basic Security policy rules.
        Until the firewall has interfaces and zones and a basic Security policy, it will not let any traffic through and, by default, only traffic that matches a Security policy rule will be logged.
      4. For each rule you create, select Actions and select the Log Forwarding profile that allows the firewall to send logs to Strata Logging Service.
  4. (PA-7000 Series firewalls only) Configure a log card interface to perform log forwarding.
    As of PAN-OS 10.1, you can no longer forward system logs using the Management interface or using service routes through the Data Plane interfaces. The only way to forward system logs from a PA-7000 Series firewall running PAN-OS 10.1 or later is by configuring a Log Forwarding Card (LFC).
    1. Select Network > Interfaces > Ethernet and click Add Interface.
    2. Select the Slot and Interface Name.
    3. Set the Interface Type to Log Card.
    4. Enter the IP Address, Default Gateway, and (for IPv4 only) Netmask.
    5. Select Advanced and specify the Link Speed, Link Duplex, and Link State.
      These fields default to auto, which specifies that the firewall automatically determines the values based on the connection. However, the minimum recommended Link Speed for any connection is 1000 (Mbps).
    6. Click OK to save your changes.
  5. Commit your changes.
  6. Verify that the firewall logs are forwarded to Strata Logging Service.
    • Click the Explore tab in the Strata Logging Service app to view and filter Strata Logging Service logs.
    • On a firewall, enter the CLI command request logging-service-forwarding status to view detailed information on the connectivity status to Strata Logging Service:
      -----------------------------------------------------------------------------------------------------------------------------
            Type      Last Log Created        Last Log Fwded       Last Seq Num Fwded  Last Seq Num Acked         Total Logs Fwded
      -----------------------------------------------------------------------------------------------------------------------------
      > CMS 0
              Not Sending to CMS 0
      > CMS 1
              Not Sending to CMS 1

      >Log Collection Service
      'Log Collection log forwarding agent' is active and connected to xx.xxx.xxx.xx

          config   2017/07/26 16:33:20   2017/07/26 16:34:09                      323                 321                        2
          system   2017/07/31 12:23:10   2017/07/31 12:23:18                 13634645            13634637                    84831
          threat   2014/12/01 14:47:52   2017/07/26 16:34:24                557404252           557404169                       93
         traffic   2017/07/28 18:03:39   2017/07/28 18:03:50               3619306590          3619306590                     1740
        hipmatch         Not Available         Not Available                        0                   0                        0
      gtp-tunnel         Not Available         Not Available                        0                   0                        0
          userid         Not Available         Not Available                        0                   0                        0
            auth         Not Available         Not Available                        0                   0                        0
      Look for the line ‘Log collection log forwarding agent’ is active and connected to <IP_address>. You can also see that CMS 0 and CMS 1 (the Log Collectors) are not receiving logs.
      Show Status (Device > Setup > Management and click Strata Logging Service) to verify that the firewall is connected and sending logs to Strata Logging Service.
  7. Next steps:
    • Use the Explore tab to search, filter, and export log data. Explore offers you critical visibility into the network activity in your enterprise by enabling you to easily examine network and endpoint log data.
    • Archive Strata Logging Service logs by forwarding logs from Strata Logging Service to a Syslog server or email server for long-term storage, SOC, or internal audit.
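
The verification in step 6 can be scripted once the CLI output has been captured to text. The following is an added example, not part of the original documentation or a Palo Alto Networks tool: it parses the status table shown above and reports log types that have never been forwarded or whose forwarded sequence number is ahead of the acknowledged one. The function names, the column layout (taken from the sample on this page), and the reading of the Fwded/Acked difference as a backlog are assumptions.

```python
import re

# Constructed sample: abridged from the status output shown in step 6.
SAMPLE = """\
> CMS 0
        Not Sending to CMS 0
>Log Collection Service
'Log Collection log forwarding agent' is active and connected to xx.xxx.xxx.xx
    config   2017/07/26 16:33:20   2017/07/26 16:34:09                      323                 321                        2
    system   2017/07/31 12:23:10   2017/07/31 12:23:18                 13634645            13634637                    84831
   traffic   2017/07/28 18:03:39   2017/07/28 18:03:50               3619306590          3619306590                     1740
  hipmatch         Not Available         Not Available                        0                   0                        0
"""

# Assumption: rows are "type, two timestamps (or Not Available), three counters".
TS = r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}|Not Available)"
ROW = re.compile(rf"^\s*([\w-]+)\s+{TS}\s+{TS}\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
AGENT = re.compile(r"forwarding agent' is active and connected to (\S+)")

def parse_status(text):
    """Return (connected_peer_or_None, {log_type: row_dict})."""
    peer, rows = None, {}
    for line in text.splitlines():
        m = AGENT.search(line)
        if m:
            peer = m.group(1)
        m = ROW.match(line)
        if m:
            name, created, fwded, seq_fwd, seq_ack, total = m.groups()
            rows[name] = {
                "created": None if created == "Not Available" else created,
                "forwarded": None if fwded == "Not Available" else fwded,
                # Assumption: Fwded minus Acked approximates unacknowledged logs.
                "seq_gap": int(seq_fwd) - int(seq_ack),
                "total": int(total),
            }
    return peer, rows

def findings(text, expected_types):
    """List items to investigate: no connection, silent types, unacked gaps."""
    peer, rows = parse_status(text)
    out = [] if peer else ["agent not reported as active and connected"]
    for t in expected_types:
        row = rows.get(t)
        if row is None or row["forwarded"] is None:
            out.append(f"{t}: nothing forwarded yet")
        elif row["seq_gap"] > 0:
            out.append(f"{t}: seq gap {row['seq_gap']} between fwded and acked")
    return out
```

Pass `findings` only the log types you configured in step 3, so that types you never intended to forward (for example hipmatch on a firewall without GlobalProtect) do not raise noise. A small gap taken from a single snapshot can simply be logs in flight; compare two captures before treating it as a problem.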