Introduction to Log Collection

Palo Alto Networks firewalls generate logs detailing various activities, which are crucial for auditing, monitoring, and threat analysis. Panorama™ centralizes this log data by storing it on its own appliance (an M-Series or virtual appliance in Panorama mode with a local Log Collector), on Dedicated Log Collector appliances, or by forwarding it to the cloud-based Strata Logging Service.

Effective log management is a cornerstone of network security operations and a key topic for the PCNSE exam.

Key benefits of centralized logging with Panorama:

High-level overview of log collection paths with Panorama.

Centralized Logging and Reporting Overview

Centralized Logging and Reporting is a core function of Panorama. Firewalls forward their logs to Panorama's infrastructure, which can include:

Once logs are centralized, Panorama can optionally forward them to external logging destinations like syslog servers or SIEM solutions.

Understand the different components involved in centralized logging: Firewalls, Panorama (management server), Log Collectors (local/dedicated), and Strata Logging Service. Know where logs are sent initially and where they can be forwarded subsequently.

Sequence of log forwarding in a Panorama environment.

Panorama Modes & Logging

Panorama can operate in different modes, which impacts its logging capabilities:

Be able to differentiate between Panorama modes and their implications for log collection. Particularly, understand when a "local Log Collector" needs to be explicitly added versus when it's inherent or predefined.

stateDiagram-v2
    [*] --> PanoramaMode : Virtual Appliance / M-Series
    PanoramaMode --> LogCollectorMode : Switch Mode (Data Loss)
    LogCollectorMode --> PanoramaMode : Switch Mode (Data Loss)
    state PanoramaMode {
        direction LR
        [*] --> Management
        Management --> LocalLogCollection : Can enable
        LocalLogCollection --> ManagesDedicatedLCs : Can manage
    }
    state LogCollectorMode {
        [*] --> DedicatedLogIngestion : Sole Purpose
        note right of DedicatedLogIngestion : Cannot manage firewalls
    }
    LegacyModeVirtualOnly: Virtual Appliance Only (Legacy)
    LegacyModeVirtualOnly --> DirectLogStorage
    LegacyModeVirtualOnly --> PanoramaMode : Switch Mode (Recommended for advanced features)
    ManagementOnlyMode : Panorama / Virtual
    ManagementOnlyMode --> NoLocalLogging
    NoLocalLogging --> ReliesOnDedicatedOrCloudLCs
    note left of LegacyModeVirtualOnly
        To use Collector Groups, must switch to Panorama Mode.
    end note

State diagram illustrating Panorama modes and their logging characteristics.

Panorama's "Hats": Understanding Its Different Jobs (Modes) for Logging

Imagine Panorama is like a versatile employee who can wear different "hats" (modes) depending on the job you need it to do, especially when it comes to handling information (logs) from your security firewalls.

1. The Manager & Record Keeper (Panorama Mode)

Think of this as Panorama's main role. It's the boss that manages all your firewalls. In this mode, it can also keep its own records (logs) locally.

  • If Panorama is a big physical box (M-Series), it comes with a built-in filing cabinet (local Log Collector) ready to use.
  • If Panorama is a software version running on a server (virtual appliance), you need to tell it, "Okay, set up your filing cabinet here" (you add the local Log Collector).

This "Manager & Record Keeper" hat is good for most situations, and if the records get too much, it can ask specialized "Archivists" (Dedicated Log Collectors) to help out.

2. The Dedicated Archivist (Log Collector Mode)

Sometimes, you have SO MANY records coming in that you need a machine whose ONLY job is to receive and store them. That's this mode.

  • The Panorama appliance (physical M-Series or virtual) puts on its "Archivist ONLY" hat.
  • It stops being a manager. It can't tell firewalls what to do anymore.
  • Its entire focus is on collecting and filing away logs.

Important: If you take a "Manager & Record Keeper" (Panorama Mode) and tell it to become an "Archivist ONLY" (Log Collector Mode), it's a big change! It forgets all its old management tasks and clears out its old filing cabinet to make space for its new focused job. It only remembers how to let you log in to check on it.

3. The Old-School Manager (Legacy Mode - Virtual Only)

This is like an older way the software version of Panorama (virtual appliance) used to work.

  • It could manage firewalls AND collect logs directly without a lot of fuss about setting up a separate "local filing cabinet" in the system menu. The logs just went into its available storage.
  • However, if you want to use some of the fancier organizing tools for logs (like "Collector Groups" which are like teams of archivists), this old-school manager needs to update to the main "Manager & Record Keeper" (Panorama Mode) style.
  • It could also send copies of records to other departments (external logging) directly.

4. The Manager Who Delegates ALL Record Keeping (Management Only Mode)

In this mode, Panorama is purely a manager. It tells the firewalls what to do, but it says, "I'm not keeping any records myself."

  • It relies entirely on either the "Dedicated Archivists" (Dedicated Log Collectors) or a "Cloud Archiving Service" (Strata Logging Service) to handle all the logs.

Big Gotcha: If Panorama is wearing this "Manager ONLY" hat and you haven't told the firewalls where to send their records (i.e., no Dedicated Archivists or Cloud Service is set up), then all those important records (logs) from the firewalls just get thrown away!

For the Exam: It's like knowing which hat your Panorama is wearing. Sometimes the filing cabinet (local Log Collector) is already there (M-Series in Panorama Mode), and sometimes you have to point and say "put one here" (Virtual Appliance in Panorama Mode). Understanding these differences is key!

Local vs. Distributed Log Collection

The choice between local and distributed log collection depends on logging volume, retention requirements, and network architecture.

The document references a link to "Local and Distributed Log Collection" for deciding which to deploy. This typically involves assessing current and future logging rates, storage needs, and redundancy requirements.

Understand when to use local log collection versus deploying Dedicated Log Collectors. The primary driver is usually the volume of logs generated by the managed firewalls.

Strata Logging Service Overview

The Strata Logging Service (formerly Cortex Data Lake or Logging Service) is Palo Alto Networks' cloud-based logging infrastructure. It offers a scalable and resilient solution for long-term log storage and analysis without requiring on-premise Log Collector hardware.

Key Features:

To use Strata Logging Service:

  1. Purchase a license based on log volume.
  2. Install the cloud services plugin on Panorama.
  3. Configure firewalls (via Panorama templates/device groups) to forward logs to the Strata Logging Service.

For firewalls running PAN-OS 8.1 or later, you can select Enable Duplicate Logging (Cloud and On-Premise) to send logs to both Strata Logging Service and your on-premise Panorama/Log Collector setup. You can select either this option or "Enable Strata Logging Service," but not both simultaneously for the same log forwarding configuration.

Configuring Managed Collectors

To enable Panorama to manage a Log Collector (either local or dedicated), you must add it as a "managed collector." Log Collectors use IPv4 or IPv6 for communication with Panorama.

Two types of managed collectors:

A best practice is to retain a local Log Collector and Collector Group on the Panorama management server, even if it also manages Dedicated Log Collectors.

(Panorama evaluation only) If evaluating a Panorama virtual appliance with a local Log Collector, logs stored on it cannot be preserved when converting to a production instance with a local Log Collector. Forward logs externally to preserve them during evaluation.

Dedicated Log Collectors

To set up a new M-Series (M-700, M-600, M-500, M-300, M-200) or Panorama virtual appliance as a Dedicated Log Collector, or to switch an existing one from Panorama mode to Log Collector mode:

  1. The appliance must be set up as a Log Collector. This involves changing its system mode via CLI (e.g., `request system system-mode logger`).
  2. CRITICAL: Switching to Log Collector mode deletes existing configurations (except management access) and all log data. The web interface becomes inaccessible; management is via CLI or Panorama.
  3. If switching an M-Series appliance that was in Panorama mode, its predefined local Log Collector is removed.

Local Log Collectors

A Log Collector can run locally on an M-Series or Panorama virtual appliance that is in Panorama mode.

Device Registration Authentication Key

A device registration authentication key is used for secure initial authentication and connection between the Panorama management server and a new managed Log Collector (or firewall/WildFire appliance).

Configuration Steps (on Panorama):

  1. Navigate to Panorama > Device Registration Auth Key.
  2. Click Add.
  3. Configure the key parameters:
    • Name: Descriptive name.
    • Lifetime: How long the key can be used to onboard new Log Collectors.

      The auth key itself expires 90 days *after* this specified lifetime expires. A system log is generated if an attempt is made to use an expired key, and you'll be prompted to re-certify to maintain validity if within the 90-day grace period.

    • Count: How many times the key can be used to onboard new Log Collectors.
    • Device Type: Select Log Collector (or Any for broader use).
    • (Optional) Devices: Enter specific Log Collector serial numbers for which this key is valid. This enhances security by restricting key usage.
  4. Click OK.

Panorama Device Registration Auth Key Configuration screen.
Configuring a Device Registration Authentication Key in Panorama.

  5. Copy Auth Key and then Close. This key will be applied to the Log Collector.

Panorama Device Registration Auth Key copied.
Copying the generated Authentication Key.

Applying the Auth Key to a Dedicated Log Collector (via CLI):

  1. Log in to the Log Collector CLI.
  2. Run the command `request authkey set <auth-key>` (paste the copied key).

CLI command to set auth key on Log Collector.
Setting the Authentication Key on the Log Collector CLI.

The auth key is used by the Log Collector to authenticate Panorama upon first connection, at which point Panorama delivers a device certificate used for all subsequent communications. A Panorama in Panorama mode does not need to authenticate its own local Log Collector using this method.
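The lifetime, count and device-list parameters above interact in ways that are easy to get wrong on the exam (in particular the 90-day grace period after the lifetime ends). The following is an added example, not Panorama's code: it models the key lifecycle described in this section as a small Python class so you can trace what happens to an onboarding attempt at each point in time. Key names, serial numbers and the status strings are constructed for the example; the grace-period behaviour (prompt to re-certify rather than a silent accept) is my reading of the text above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The page states the key stays usable for 90 days after its configured lifetime ends.
GRACE_DAYS = 90

ACCEPTED = "accepted"      # onboarding proceeds and consumes one use of the key
RECERTIFY = "recertify"    # lifetime over but inside the grace period: operator is prompted to re-certify
REJECTED = "rejected"      # key cannot be used; an expired key also produces a system log on Panorama


@dataclass
class DeviceRegistrationAuthKey:
    name: str
    created: datetime
    lifetime: timedelta
    count: int                          # number of onboardings the key may be used for
    device_type: str = "Log Collector"  # "Log Collector" or "Any"
    devices: tuple = ()                 # optional allow-list of serial numbers (empty = any device)
    uses: int = 0                       # onboardings consumed so far

    def phase(self, now: datetime) -> str:
        """Lifecycle phase: 'active' within the lifetime, 'grace' for 90 days after, then 'expired'."""
        lifetime_end = self.created + self.lifetime
        if now <= lifetime_end:
            return "active"
        if now <= lifetime_end + timedelta(days=GRACE_DAYS):
            return "grace"
        return "expired"

    def try_onboard(self, serial: str, device_type: str, now: datetime) -> tuple:
        """Evaluate one onboarding attempt; returns (status, reason)."""
        phase = self.phase(now)
        if phase == "expired":
            return REJECTED, "key expired (lifetime plus 90-day grace); system log generated"
        if self.device_type != "Any" and device_type != self.device_type:
            return REJECTED, f"key is restricted to device type {self.device_type}"
        if self.devices and serial not in self.devices:
            return REJECTED, f"serial {serial} is not in the key's device list"
        if phase == "grace":
            return RECERTIFY, "lifetime has ended; re-certify the key to keep using it"
        if self.uses >= self.count:
            return REJECTED, f"use count of {self.count} exhausted"
        self.uses += 1
        return ACCEPTED, f"onboarded {serial}; {self.count - self.uses} use(s) left"


def demo() -> list:
    """Constructed scenario: a 7-day key for two named collectors, tried at several points in time."""
    key = DeviceRegistrationAuthKey(
        name="lc-onboarding-2024q1",             # hypothetical key name
        created=datetime(2024, 1, 1),
        lifetime=timedelta(days=7),
        count=2,
        devices=("LC-SERIAL-A", "LC-SERIAL-B"),  # constructed serial numbers
    )
    attempts = [
        ("LC-SERIAL-A", "Log Collector", datetime(2024, 1, 2)),  # in lifetime, allowed serial
        ("LC-SERIAL-Z", "Log Collector", datetime(2024, 1, 2)),  # serial not on the list
        ("LC-SERIAL-B", "Firewall",      datetime(2024, 1, 3)),  # wrong device type for this key
        ("LC-SERIAL-B", "Log Collector", datetime(2024, 1, 3)),  # in lifetime, consumes the last use
        ("LC-SERIAL-A", "Log Collector", datetime(2024, 1, 5)),  # use count exhausted
        ("LC-SERIAL-A", "Log Collector", datetime(2024, 2, 1)),  # after the lifetime, inside the grace period
        ("LC-SERIAL-A", "Log Collector", datetime(2024, 6, 1)),  # beyond the 90-day grace period
    ]
    return [key.try_onboard(serial, dev_type, when)[0] for serial, dev_type, when in attempts]


if __name__ == "__main__":
    for status in demo():
        print(status)
```

Running `demo()` walks through the seven attempts in order; the sixth attempt is the one to remember for the exam, since the key is past its lifetime yet not yet expired.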

Adding a Managed Collector

After preparing the Log Collector (setting mode, applying auth key if dedicated), you add it to Panorama for management.

High-level steps:

  1. Record the Log Collector serial number:
    • For a Dedicated Log Collector: Use the CLI command `show system info | match serial`.
    • For a Local Log Collector on a Panorama virtual appliance: Get the Panorama serial number from Dashboard > General Information.
  2. (Panorama Web Interface) Add the Log Collector:
    1. Navigate to Panorama > Managed Collectors.
    2. Click Add.
    3. In the General tab, enter the Collector S/N (serial number).
    4. Click OK.
    5. Commit to Panorama. (This commit is often crucial before further steps like adding disks.)

Flowchart for adding a Managed Log Collector.

Until you configure a Collector Group and push the configuration, the Log Collector's Configuration Status will be "Out of Sync," and Run Time Status will be "disconnected."

PAN-OS Version Compatibility for Log Collectors

Panorama's ability to onboard and manage Dedicated Log Collectors depends on PAN-OS versions.

There is no impact to Dedicated Log Collectors already managed by Panorama when Panorama is upgraded to PAN-OS 10.2 or later.

If you experience issues adding a Dedicated Log Collector, you might need to recover managed device connectivity to Panorama.

Enabling Logging Disks

After adding a Log Collector as managed and committing to Panorama, you must enable its logging disks.

Steps (on Panorama Web Interface):

  1. Navigate to Panorama > Managed Collectors.
  2. Click the name of the Log Collector to edit it. (The name is often the hostname/serial.)
  3. Select the Disks tab.
  4. Click Add for each disk pair (for M-Series with RAID) or virtual logging disk (for Panorama virtual appliances).
  5. Click OK.
  6. Commit to Panorama.

Logging disks must be explicitly enabled. If the Log Storage value in Collector Group settings shows 0MB, verify disks are enabled and committed.

The Log Collector cannot ingest logs until its disks are enabled AND it is part of a configured Collector Group with devices assigned to it.

(Optional) Log Collector Admin Authentication

You can configure local administrator password settings for managed Log Collectors from Panorama.

Steps (on Panorama Web Interface, after adding the collector):

  1. Select Panorama > Managed Collectors and click the Log Collector's name.
  2. (General Tab - for basic password) Configure Password:
    • Mode: Password or Password Hash.
    • If Password mode: Enter and confirm the plaintext password.
    • If Password Hash mode: Enter a hashed password string.
  3. Configure Admin Login Security (Failed Attempts, Lockout Time):
    • Failed Attempts: 0 (unlimited) to 10.
    • Lockout Time (minutes): 0 to 60.
    • If Failed Attempts is non-zero and Lockout Time is 0, the admin user is locked out indefinitely until manually unlocked by another admin or by pushing a config change from Panorama. The default of 0 for both means no lockout.

  4. Click OK and Commit to Panorama.

Palo Alto Networks recommends adding at least one Local Administrator with Superuser privileges if you configure an authorization list for the managed collector. This is required if you add any Imported Panorama Admin Users.

More advanced authentication for Dedicated Log Collectors (RADIUS, TACACS+, LDAP, multiple local/imported admins) is covered in the "Advanced Configurations" section.

(Optional) Custom Certificates for Panorama-Collector Communication

For enhanced security, you can use custom certificates for mutual authentication between Panorama and its managed Log Collectors, instead of relying solely on the device registration auth key and Panorama-issued certificates.

Key steps involve:

  1. Obtain/Generate Certificates: CA certificate, server certificate/key for Panorama, client certificate/key for the Log Collector.
  2. Import Certificates: Import the necessary CA certificates and device certificates/keys into Panorama (Panorama > Certificate Management).
  3. Create Certificate Profile: (Panorama > Certificate Management > Certificate Profile) to define trusted CAs.
  4. Assign to Log Collector:
    1. Select Panorama > Managed Collectors, then select the Log Collector.
    2. Go to the Communication tab.
    3. Select the Device Certificate Type (e.g., Local Device Certificate, SCEP).
    4. Assign the appropriate Certificate and Certificate Profile.
    5. Click OK and Commit.
  5. (Optional) Configure Secure Server Communication on the Log Collector (via Panorama):
    1. In the Log Collector's Communication tab.
    2. Do not select "Custom Certificate Only" initially, to allow migration.

      Selecting "Custom Certificate Only" means the Log Collector will only accept connections from devices using custom certificates that validate against its configuration. Devices using predefined certificates will be unable to send logs.

    3. Select an SSL/TLS Service Profile.
    4. Select a Certificate Profile (for validating the client certificates of devices sending logs to this Collector).
    5. (Optional) Authorize Client Based on Serial Number (requires the client certificate CN to be `$UDID`).
    6. (Optional) Configure Disconnect Wait Time.
    7. (Optional) Configure an Authorization List (checks the client certificate Subject/SAN).
    8. Click OK and Commit.

This process ensures that Panorama and the Log Collector mutually authenticate each other using a custom chain of trust. Refer to "Set Up Authentication Using Custom Certificates" in official docs for full details.

Collector Groups & Log Forwarding

Managing Collector Groups

A Collector Group is a logical unit of 1 to 16 Log Collectors that work together to collect firewall logs. Firewalls are assigned to forward logs to a Collector Group.

A Log Collector must be assigned to a Collector Group to receive and ingest firewall logs. If no Collector Group is configured, or if Log Collectors are not assigned to one, firewall logs will be dropped.

Key characteristics and considerations:

The ElasticSearch health status on a Log Collector will display as "degraded," and it cannot ingest logs until it's added to a Collector Group and the configuration is pushed.

Configuring a Collector Group

Before configuring a Collector Group:

  1. Ensure firewalls are added as managed devices to Panorama.
  2. Ensure Log Collectors are configured as managed collectors in Panorama.

Steps to configure a Collector Group (on Panorama Web Interface):

  1. Navigate to Panorama > Collector Groups.
  2. Click Add (or edit an existing one like "default").
  3. General Tab:
    • Name: Enter a name (existing groups cannot be renamed).
    • Minimum Retention Period (days): 1 to 2,000. Blank means retain indefinitely.
    • Collector Group Members: Add 1 to 16 Log Collectors.

      Remember: All members must be the same model type (e.g., all M-600 or all virtual).

    • (Recommended) Enable log redundancy across collectors: If adding multiple Log Collectors.
      • Requires each Log Collector to have the same number of logging disks.
      • Ensures each log has two copies, on different Log Collectors.
      • Impact: Doubles the storage requirement (halves effective capacity) and doubles log processing traffic within the group (halves the maximum logging rate).
    • Log Storage (link): Click to define storage quotas and expiration per log type (see step 5 below).
  4. Device Log Forwarding Tab:
    • Click Add to create log forwarding preference lists. This determines which firewalls send logs to which collectors in this group.
    • For each preference list:
      • Devices: Modify to select the firewalls.
      • Collectors: Add Log Collectors from this Collector Group to the preference list. Order matters; the first is primary. Move Up/Down to change priority.

        If redundancy is enabled, add at least two Log Collectors to the preference list for failover.

    • If a log forwarding preference list is not assigned:
      • Panorama in Management Only mode: Drops incoming logs.
      • Panorama in Panorama mode (local LC not managed): Drops incoming logs.
      • Panorama in Panorama mode (local LC managed, but no preference list): Logs go to the local LC first, potentially creating a bottleneck.

  5. (Back on General Tab) Define Log Storage Quotas and Expiration:
    • Click the Log Storage value (if it shows 0MB, verify disks are enabled on the collectors).
    • For each log type (Traffic, Threat, etc.):
      • Quota (%): Percentage of total storage allocated.
      • Max Days: Expiration period (1 to 2,000). Blank means never expire.
  6. Click OK to save the Collector Group.
  7. Commit and Push: Select Commit > Commit and Push. Critically, ensure you push to the Collector Group you just configured.

    This push is what makes the Log Collectors aware of their role in the group and allows them to start ingesting logs correctly.

    This push is what makes the Log Collectors aware of their role in the group and allows them to start ingesting logs correctly.

Process flow for configuring a Collector Group.
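The Collector Group constraints in this section (1 to 16 members, same model, same disk count when redundancy is on, at least two collectors per preference list under redundancy, 1 to 2,000-day ranges, and the halving of capacity and rate with redundancy) are exactly the kind of thing worth checking before a Commit and Push. The block below is an added example, not Panorama's own code or API: it encodes those rules as a pre-push validator plus the storage arithmetic for the quota table. The collector serials, firewall serials, model names and per-disk capacity figures are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_MEMBERS = 16   # a Collector Group holds 1 to 16 Log Collectors
MAX_DAYS = 2000    # upper bound for the retention period and per-log-type expiration


@dataclass
class LogCollector:
    serial: str
    model: str            # e.g. "M-600" or "virtual"; all members must match
    disks: int            # enabled logging disks (or disk pairs on M-Series)
    tb_per_disk: float    # usable capacity per disk; a constructed figure for the example


@dataclass
class CollectorGroup:
    name: str
    members: list
    redundancy: bool = False
    min_retention_days: Optional[int] = None
    quotas: dict = field(default_factory=dict)            # log type -> (quota %, max days or None)
    preference_lists: dict = field(default_factory=dict)  # firewall serial -> ordered collector serials


def validate(group: CollectorGroup) -> list:
    """Return the constraint violations described on the page; an empty list means OK to push."""
    errors = []
    if not 1 <= len(group.members) <= MAX_MEMBERS:
        errors.append(f"{group.name}: must have 1 to {MAX_MEMBERS} members")
    if len({m.model for m in group.members}) > 1:
        errors.append(f"{group.name}: all members must be the same model type")
    if group.redundancy and len({m.disks for m in group.members}) > 1:
        errors.append(f"{group.name}: redundancy requires the same number of logging disks on every member")
    if any(m.disks == 0 for m in group.members):
        errors.append(f"{group.name}: a member has no enabled logging disks (Log Storage would show 0MB)")
    if group.min_retention_days is not None and not 1 <= group.min_retention_days <= MAX_DAYS:
        errors.append(f"{group.name}: minimum retention must be 1 to {MAX_DAYS} days or blank")
    if sum(pct for pct, _ in group.quotas.values()) > 100:
        errors.append(f"{group.name}: log storage quotas exceed 100%")
    for log_type, (_, max_days) in group.quotas.items():
        if max_days is not None and not 1 <= max_days <= MAX_DAYS:
            errors.append(f"{group.name}: {log_type} max days must be 1 to {MAX_DAYS} or blank")
    member_serials = {m.serial for m in group.members}
    for fw, prefs in group.preference_lists.items():
        if not prefs:
            errors.append(f"{fw}: empty preference list; logs would be dropped or bottlenecked")
        for collector in prefs:
            if collector not in member_serials:
                errors.append(f"{fw}: collector {collector} is not a member of {group.name}")
        if group.redundancy and len(prefs) < 2:
            errors.append(f"{fw}: redundancy is enabled but fewer than two collectors are listed for failover")
    return errors


def usable_capacity_tb(group: CollectorGroup) -> float:
    """Raw disk capacity of the group; halved when every log is stored twice."""
    raw = sum(m.disks * m.tb_per_disk for m in group.members)
    return raw / 2 if group.redundancy else raw


def quota_allocation_tb(group: CollectorGroup) -> dict:
    """Translate the per-log-type quota percentages into terabytes of the usable capacity."""
    capacity = usable_capacity_tb(group)
    return {log_type: round(capacity * pct / 100, 2) for log_type, (pct, _) in group.quotas.items()}


def effective_max_rate(group: CollectorGroup, raw_logs_per_sec: float) -> float:
    """Redundancy doubles intra-group processing traffic, so the sustainable rate halves."""
    return raw_logs_per_sec / 2 if group.redundancy else raw_logs_per_sec


def failover_order(group: CollectorGroup, firewall: str) -> dict:
    """First collector in a preference list is primary; the rest are tried in order."""
    prefs = group.preference_lists.get(firewall, [])
    return {"primary": prefs[0] if prefs else None, "failover": list(prefs[1:])}


def example_group() -> CollectorGroup:
    """Constructed two-member M-600 group with redundancy, used for the checks below."""
    lc1 = LogCollector("LC-0001", "M-600", disks=4, tb_per_disk=4.0)
    lc2 = LogCollector("LC-0002", "M-600", disks=4, tb_per_disk=4.0)
    return CollectorGroup(
        name="cg-datacenter", members=[lc1, lc2], redundancy=True, min_retention_days=30,
        quotas={"traffic": (40, 90), "threat": (30, 365), "system": (10, None)},
        preference_lists={"FW-1001": ["LC-0001", "LC-0002"], "FW-1002": ["LC-0002", "LC-0001"]},
    )


if __name__ == "__main__":
    g = example_group()
    print("violations:", validate(g) or "none")
    print("usable TB:", usable_capacity_tb(g), "per log type:", quota_allocation_tb(g))
```

With the constructed figures the two collectors hold 32 TB raw, which redundancy reduces to 16 TB usable; a 40% Traffic quota therefore buys 6.4 TB, not 12.8 TB, which is the point the "halves effective capacity" bullet makes.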

Device Log Forwarding Preferences (within Collector Group)

Within a Collector Group configuration, the Device Log Forwarding tab is crucial for directing logs from specific firewalls to the Log Collectors in that group.

Without a log forwarding preference list assigning firewalls to collectors within a Collector Group, logs might be dropped or bottlenecked at a default local collector. This configuration is vital for logs to reach their intended destinations within the distributed collection architecture.

Log Storage Quotas and Expiration (within Collector Group)

After configuring Collector Group members and device forwarding, you define how the collective storage of the Log Collectors in that group is utilized and managed.

Access this by clicking the Log Storage value link on the General tab of the Collector Group configuration.

Log Deletion Behavior:

If the Log Storage field initially displays 0MB, it usually indicates that the logging disks on the member Log Collectors have not been enabled or the configuration hasn't been committed yet.

Enabling log redundancy in a Collector Group effectively halves the usable storage capacity because two copies of each log are stored.

Moving/Removing Log Collectors or Firewalls

Moving a Log Collector to a Different Collector Group

This might be done to rebalance logging load or consolidate resources.

All Log Collectors in the target Collector Group must still be of the same Panorama model.

If the Log Collector is local to an M-Series appliance in an HA pair, only move it if the appliance is the passive peer. Never move a Log Collector local to the active HA peer.

Steps:

  1. Remove from Current Collector Group:
    • Edit the current Collector Group.
    • Delete the Log Collector from the "Collector Group Members" list.
    • Go to "Device Log Forwarding" and remove the Log Collector from any preference lists it's part of. Reassign firewalls if necessary.
    • Click OK to save changes to the Collector Group.
  2. Remove from Panorama Management (as a Managed Collector):
    • Go to Panorama > Managed Collectors.
    • Select and Delete the Log Collector you are moving.
  3. Add to New Collector Group:
  4. Commit and Push: Push changes to Panorama and the relevant Collector Groups.

    Panorama will start redistributing logs. This can take hours per terabyte. The "Log Redistribution State" column in Panorama > Collector Groups shows progress.

Removing a Firewall from a Collector Group

This might be done if the firewall will send logs directly to a Panorama virtual appliance in Legacy mode, or if it's being decommissioned.

Steps:

  1. Select Panorama > Collector Groups and edit the Collector Group.
  2. Go to Device Log Forwarding.
  3. Click the firewall (or group of firewalls) in the "Devices" list.
  4. Click Modify, uncheck the firewall to remove, and click OK multiple times to save.
  5. Commit and Push changes to Panorama and the affected Collector Group.

If you only delete the log forwarding preference list on the firewall CLI, Panorama will re-apply the configuration on the next push unless you remove the firewall from the Collector Group configuration on Panorama itself.

Configuring Log Forwarding to Panorama/Log Collectors

For Panorama to receive logs from firewalls (either for its local Log Collector, Dedicated Log Collectors, or Strata Logging Service), you must configure the firewalls to forward logs.

This is typically done using Panorama Templates and Device Groups.

Panorama requires a Device Group to push a Log Forwarding Profile and a Template to push Log Settings to firewalls.

Steps:

  1. Create/Assign Device Group(s): For firewalls that will forward logs.
  2. Create/Assign Template(s): For firewalls that will forward logs.
  3. Create a Log Forwarding Profile (Objects > Log Forwarding, select the target Device Group):
    • Name: Identify the profile.
    • Add Match List Profiles: For each log type (Traffic, Threat, URL, etc.) you want to forward.
      • Name: Identify this match list.
      • Log Type: Select the log type.
      • Filter: Use Filter Builder to specify criteria (e.g., forward only critical threats). The default is usually to forward all logs of the selected type.
      • Destination: Select Panorama/Strata Logging Service.
    • Click OK to save the Log Forwarding Profile.
  4. Assign the Log Forwarding Profile to Policy Rules/Network Zones:
    • For Security, Authentication, and DoS Protection rules:
      • Edit the rule (e.g., Policies > Security > Pre Rules, select the Device Group).
      • Go to the Actions tab.
      • Select the created Log Forwarding profile.
      • Set Profile Type (Profiles/Group) and assign the necessary Security Profiles (e.g., Antivirus, WildFire Analysis) to trigger Threat/WildFire log generation.
      • For Traffic logs: Select Log At Session Start and/or Log At Session End.

        Log At Session Start consumes more resources. Use it primarily for troubleshooting, long-lived sessions (e.g., GRE tunnels), or OT/ICS visibility. Log At Session End is the most common choice.

  5. Configure Destinations for System, Config, User-ID, and HIP Match Logs:
    • Select Device > Log Settings (select the target Template).
    • For each relevant log type, add a match list profile similar to step 3, selecting Panorama/Strata Logging Service as the destination.
  6. (PA-7000 Series Only) Configure the Log Card Interface (Optional):
    • If using a dedicated log card for forwarding, configure it under Network > Interfaces > Ethernet (select the Template). Set Interface Type to Log Card.
    • If PA-7000s are managed by Panorama but not configured to forward logs, Panorama (PAN-OS 8.0.8+) can query them directly using the CLI command `debug reportd send-request-to-7k yes`. Disable this with `debug reportd send-request-to-7k no` if you later set up forwarding.
  7. Ensure Panorama/Log Collectors are Ready:
    • Managed Collectors configured (if not in Legacy mode).
    • Collector Groups configured and firewalls assigned (if using Log Collectors).
  8. Commit and Push:
    • Select Commit > Commit and Push.
    • Click Edit Selections.
    • Ensure Merge with Device Candidate Config and Include Device and Network Templates are selected.
    • Verify the target Collector Groups are selected.
    • Commit and Push.
Commit and Push selections for log forwarding.
Commit and Push dialog with relevant selections for log forwarding configuration.

Configuring Log Forwarding from Panorama/Log Collectors to External Destinations

Panorama can forward logs it has collected (from firewalls or generated by itself/Log Collectors) to external services like Syslog, Email, SNMP traps, or HTTP-based services.

Forwarded logs have a maximum record size of 4096 bytes; larger logs are truncated.

If Panorama is a virtual appliance in Legacy mode , it forwards logs directly without using Log Collectors for the conversion/forwarding step.

General Steps:

  1. Configure Firewalls to Forward to Panorama: (As covered previously). This is the prerequisite.
  2. Configure Server Profiles (Panorama > Server Profiles):
    • Syslog: Define server IP/FQDN, transport (UDP, TCP, SSL), port, format (BSD, IETF), facility.

      If SSL is used and client auth is required, create a certificate for Panorama/Log Collector under Panorama > Certificate Management > Certificates.

      (Optional) Custom Log Format can be selected for specific CEF formats.

    • Email: Configure SMTP server settings.
    • SNMP Trap: Configure SNMP manager details.
    • HTTP: Configure HTTP server URL, payload format, authentication.

      HTTP forwarding is not recommended for high-volume log forwarding due to potential log loss.

  3. Configure Destinations for Panorama/Log Collector Generated Logs (and Legacy Mode Firewall Logs):
    • Select Panorama > Log Settings.
    • For each log type (System, Config, Audit, Correlation, etc., and firewall logs if in Legacy mode):
      • Add one or more match list profiles.
      • Name, Log Type, Filter (as needed).
      • Add Server Profiles: Select the Syslog, Email, SNMP, or HTTP server profiles configured in step 2.
  4. Configure Destinations for Firewall Logs Received by Log Collectors (Panorama/Log Collector Mode):
    • Select Panorama > Collector Groups and edit the relevant Collector Group.
    • Go to the Collector Log Forwarding tab.
    • Add configured match list profiles (similar to above; these profiles use the server profiles from step 2).

      Each Collector Group can forward logs to different external destinations.

    • (Optional, SNMP trap forwarding only) Configure SNMP settings on the Monitoring tab of the Collector Group.
  5. (Syslog to Dedicated LCs with Client Auth) Assign Certificate:
    • If firewalls forward to Dedicated Log Collectors which then forward to a Syslog server requiring client auth:
      • Select Panorama > Managed Collectors, edit the Dedicated Log Collector.
      • Assign a Certificate for Secure Syslog.
  6. (SNMP) Load MIBs: Load the Palo Alto Networks MIBs into your SNMP manager.
  7. Commit and Push: Commit to Panorama and push to the relevant Device Groups, Templates, and Collector Groups.
  8. Verify: Check external services are receiving logs.
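Step 8 is usually where problems surface: the syslog server is up, but some firewalls are silent, or long Threat/URL records arrive cut off at the 4096-byte limit mentioned above. The block below is an added example, not part of the page or of any Palo Alto Networks tool: a small Python checker for records collected at the external syslog destination. It parses the BSD-style header, reads the comma-separated PAN-OS payload (the assumption here is the usual leading fields: FUTURE_USE, receive time, serial, type, subtype), flags records that sit at the 4096-byte limit as probably truncated, and reports which expected firewall serials have sent nothing. The sample lines, hostnames, IP addresses and serials are constructed for the example.

```python
import csv
import re
from collections import Counter

MAX_RECORD_BYTES = 4096  # Panorama truncates forwarded records beyond this size

# BSD (RFC 3164 style) header as Panorama emits it: <PRI>Mon dd hh:mm:ss host payload
BSD_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<payload>.*)$"
)


def parse_record(line: str) -> dict:
    """Split one forwarded record into its header and the first PAN-OS CSV fields."""
    m = BSD_HEADER.match(line)
    if not m:
        return {"valid": False, "reason": "not a BSD syslog record"}
    rows = list(csv.reader([m["payload"]]))       # csv handles quoted fields that contain commas
    fields = rows[0] if rows else []
    if len(fields) < 5:
        return {"valid": False, "reason": "payload too short for a PAN-OS log"}
    pri = int(m["pri"])
    size = len(line.encode("utf-8"))
    return {
        "valid": True,
        "facility": pri // 8,
        "severity": pri % 8,
        "host": m["host"],
        "serial": fields[2],      # assumed layout: FUTURE_USE, receive time, serial, type, subtype, ...
        "type": fields[3],
        "subtype": fields[4],
        "field_count": len(fields),
        # a record exactly at the limit has very likely lost its tail
        "possibly_truncated": size >= MAX_RECORD_BYTES,
    }


def summarize(lines) -> tuple:
    """Count records per (serial, log type) and collect parse problems and truncation warnings."""
    counts = Counter()
    problems = []
    for line in lines:
        rec = parse_record(line)
        if not rec["valid"]:
            problems.append(f"unparsed record: {rec['reason']}")
            continue
        counts[(rec["serial"], rec["type"])] += 1
        if rec["possibly_truncated"]:
            problems.append(
                f"{rec['serial']} {rec['type']}/{rec['subtype']}: record at the "
                f"{MAX_RECORD_BYTES}-byte limit, probably truncated"
            )
    return counts, problems


def missing_sources(counts: Counter, expected_serials) -> list:
    """Firewalls we expect to forward but have not seen a single record from."""
    seen = {serial for serial, _ in counts}
    return sorted(set(expected_serials) - seen)


# Constructed sample of what the external syslog server might have stored.
_HDR = "<14>Jan 10 12:00:03 PAN-LC-01 "
TRUNCATED_LINE = (
    _HDR + "1,2024/01/10 12:00:03,001122334455,THREAT,url,2561,2024/01/10 12:00:03,"
    + "http://example.invalid/" + "a" * 4200 + ",alert"
)[:MAX_RECORD_BYTES]   # simulate Panorama cutting the record at 4096 bytes

SAMPLE_LINES = [
    "<14>Jan 10 12:00:01 PAN-LC-01 1,2024/01/10 12:00:01,001122334455,TRAFFIC,end,2561,"
    "2024/01/10 12:00:01,10.0.0.5,203.0.113.9,0.0.0.0,0.0.0.0,allow-outbound,,,web-browsing,vsys1,trust,untrust",
    "<14>Jan 10 12:00:02 PAN-LC-01 1,2024/01/10 12:00:02,001122334455,TRAFFIC,end,2561,"
    "2024/01/10 12:00:02,10.0.0.7,198.51.100.4,0.0.0.0,0.0.0.0,allow-outbound,,,ssl,vsys1,trust,untrust",
    "<14>Jan 10 12:00:05 PAN-LC-01 1,2024/01/10 12:00:05,009988776655,SYSTEM,general,0,"
    "2024/01/10 12:00:05,,,,,general,,,informational",
    TRUNCATED_LINE,
    "not a syslog record at all",
]

if __name__ == "__main__":
    counts, problems = summarize(SAMPLE_LINES)
    for key, n in sorted(counts.items()):
        print(key, n)
    print("problems:", problems)
    print("silent firewalls:", missing_sources(counts, ["001122334455", "009988776655", "000000000001"]))
```

A Filter on the match list (step 3 above) that excludes the largest URL or Threat records is the usual fix when truncation warnings dominate; silence from an expected serial points back at the Collector Group's Device Log Forwarding tab or the Commit and Push selections.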

Configuring Syslog Forwarding over Ethernet

For high-rate log environments, forwarding syslogs over a dedicated Ethernet interface (instead of the MGT interface) can prevent log loss and reduce load on the management plane.

Supported only for Panorama in Panorama mode or Log Collector mode . Only a single Ethernet interface can be enabled for syslog forwarding at a time (per Panorama/Log Collector).

Steps:

  1. Prerequisites: Managed Collector and Collector Group configured. Syslog Server Profile created.
  2. Configure an Ethernet Interface for Syslog Forwarding:
    • Local Log Collector (on Panorama in Panorama Mode) - via Panorama UI:
      1. Select Panorama > Setup > Interfaces.
      2. Select an Ethernet interface. Enable it and configure IP settings.
      3. In "Device Management Services," enable Syslog Forwarding. Confirm.
      4. Click OK, then Commit and Push.
      Enabling Syslog Forwarding on Panorama local LC interface.
      Enabling Syslog Forwarding on an Ethernet interface for a Local Log Collector (via Panorama Setup).
    • Dedicated Log Collector - via Panorama UI:
      1. Select Panorama > Managed Collectors, select the Dedicated LC.
      2. Go to the Interfaces tab, select an Ethernet interface. Enable it and configure IP settings.
      3. In "Log Collection Services," enable Syslog Forwarding. Confirm.
      4. Click OK, then Commit and Push.
      Enabling Syslog Forwarding on Dedicated LC interface.
      Enabling Syslog Forwarding on an Ethernet interface for a Dedicated Log Collector.
    • Local or Dedicated Log Collector - via Panorama CLI:

      CRITICAL: From the CLI, you must first disable syslog forwarding on the MGT interface, then enable it on the Ethernet interface. Panorama does not automatically disable MGT forwarding if you enable Ethernet forwarding via CLI.

      1. Log in to the Panorama CLI.
      2. Disable MGT syslog forwarding (enter configuration mode first):
         admin@Panorama> configure
         admin@Panorama# set log-collector <Log Collector Serial Number> deviceconfig system service disable-syslog-forwarding yes
      3. Enable Ethernet syslog forwarding and commit:
         admin@Panorama# set log-collector <Log Collector Serial Number> deviceconfig system eth<Interface Number> service disable-syslog-forwarding no
         admin@Panorama# commit
      4. Push to the Collector Group (an operational command, so it is prefixed with run from configuration mode):
         admin@Panorama# run commit-all log-collector-config log-collector-group <Collector Group name>
  3. Configure Log Forwarding to Panorama (firewalls to Panorama/LCs).
  4. Configure syslog forwarding from Panorama (Panorama/LCs to the external syslog server via the new interface).

Forwarding Logs to Strata Logging Service

To send logs to Palo Alto Networks' cloud-based Strata Logging Service (SLS):

  1. License and Plugin:
    • Purchase an SLS license for your required log volume.
    • Install the Cloud Services plugin on Panorama (Panorama > Plugins).
  2. Configure Firewalls to Send Logs to SLS:
    • This is typically done via Panorama Templates.
    • When configuring log forwarding destinations (e.g., in Log Settings under a Template, or in a Log Forwarding Profile), you will select an option related to Strata Logging Service / Cloud Logging.
    • Enable Duplicate Logging (Cloud and On-Premise): For firewalls running PAN-OS 8.1+, this option in the Template's log settings (under Device > Log Settings for the log type; the exact path depends on the PAN-OS version and the SLS plugin UI) allows logs to be sent to both SLS and your on-premise Panorama/Log Collectors.

      You can select either "Enable Duplicate Logging" OR "Enable Strata Logging Service" (which sends only to SLS), but not both for the same log type configuration.

  3. Commit and Push changes to Templates and Device Groups.
Strata Logging Service configuration options in Panorama.
Illustrative UI showing options for Strata Logging Service, including Duplicate Logging.

Advanced Configurations & Deployments

Authentication for Dedicated Log Collectors

Panorama allows enhanced authentication configuration for Dedicated Log Collectors, managing local admin accounts and integrating with external authentication services like RADIUS, TACACS+, and LDAP for CLI access to the Log Collector.

Only Superuser administrators are supported when configuring administrative accounts (local, imported, or remote via RADIUS/TACACS+/LDAP) for a Dedicated Log Collector from Panorama. Other admin role types are not supported for this specific configuration context.

When you configure and push administrators from Panorama to a Dedicated Log Collector, it overwrites existing local administrators on that Log Collector with those configured on Panorama.

Administrators may be added as either a local administrator (unique to the DLC) or as an imported Panorama administrator, but not both with the same username; a duplicate username causes the Panorama commit to fail.

General Steps for Configuring Authentication on a Dedicated Log Collector (via Panorama):

  1. Log in to the Panorama Web Interface.
  2. Ensure the Dedicated Log Collector is configured as a Managed Collector.
  3. Select Panorama > Managed Collectors and select the target Dedicated Log Collector to edit its settings. The authentication settings are typically within the collector's main configuration dialog, under a tab or section for "Authentication" or "Administrators."

A. Configure an Administrative Account (Local or Imported Panorama Admins)

  1. (Optional) Configure an Authentication Profile on Panorama if you plan to use RADIUS, TACACS+, or LDAP for some admins.
  2. (Optional) Configure Panorama Administrator Accounts if you plan to import them. (Remember: Superuser role only for DLC context).
  3. Configure Authentication for the Dedicated Log Collector:
    • In the Managed Collector's settings:
      • (Optional) Select an Authentication Profile (if using RADIUS/TACACS+ globally for it).
      • Configure Timeout Configuration: Failed Attempts, Lockout Time, Idle Timeout, Max Session Count, Max Session Time for DLC CLI access.
      • Add Administrators:
        • Add Local Administrators: Create new admins unique to this DLC. Configure their password and (optionally) an Authentication Profile for this specific local admin (e.g., if this admin should use LDAP while others use local passwords).
        • Add Imported Panorama Administrators: Select existing Superuser Panorama administrators to grant them access to this DLC.
  4. Click OK.
  Screenshot: Configuring administrators and authentication settings for a Dedicated Log Collector.
  5. Commit, and then Commit and Push changes to Panorama and the Dedicated Log Collector.
  6. Verify by logging into the DLC CLI with the configured admin user.

B. Configure RADIUS/TACACS+ Authentication

General flow for RADIUS (TACACS+ is very similar):

  1. Add Server Profile: (Panorama > Server Profiles > RADIUS or TACACS+)
    • Profile Name, Timeout, Authentication Protocol (CHAP is more secure than PAP).
    • Add RADIUS/TACACS+ Server details (Name, IP/FQDN, Secret, Port).
  2. Create Authentication Profile: (Panorama > Authentication Profile)
    • Name, Type (RADIUS/TACACS+), select the Server Profile created above.
    • (Optional) "Retrieve user group from RADIUS/TACACS+" if using VSAs.
    • Advanced Tab: Add users/groups to the Allow List.
  3. Assign to Dedicated Log Collector:
    • Edit the Managed Collector settings (Panorama > Managed Collectors).
    • Select the created Authentication Profile (this applies it globally for the DLC).
    • Configure Timeout Configuration (as above).
    • Add Local/Imported Administrators (as above). If a global Authentication Profile is set, local admins might use it by default or can have their own. Imported admins will use it if their Panorama account is configured for remote auth.
  Screenshot: Dedicated Log Collector authentication using an external Authentication Profile (e.g., RADIUS/TACACS+).
  4. Click OK, then Commit and Commit and Push.
  5. Verify CLI login to the DLC.

Only Superuser administrators are supported when configuring remote (RADIUS or TACACS+) authentication for a Dedicated Log Collector.

C. Configure LDAP Authentication

LDAP is used to authenticate users accessing the Dedicated Log Collector (though primarily for CLI, as web UI is usually not active on DLCs).

  1. Add LDAP Server Profile: (Panorama > Server Profiles > LDAP)
    • Profile Name, Server details (IP/FQDN, Port), Type (e.g., active-directory), Base DN, Bind DN/Password, Timeouts.
    • (Optional) SSL/TLS settings (Require SSL/TLS, Verify Server Certificate).

      If "Verify Server Certificate" is enabled, the server's CA cert must be trusted by Panorama (imported under Panorama > Certificate Management > Certificates).

  2. Assign LDAP Authentication Profile to Individual Local Administrators on DLC:
    • Edit the Managed Collector (Panorama > Managed Collectors).
    • Configure Timeout Configuration.
    • Add Local Administrators:
      • Create a new local administrator.
      • For this administrator, assign the Authentication Profile (select the LDAP profile created in step 1).

        LDAP authentication profiles are typically assigned to individual local administrators on the DLC, not as a global auth profile for the entire DLC in the same way RADIUS/TACACS+ might be.

    • You can also add Imported Panorama Administrators (these would use their Panorama-defined auth method).
  Screenshot: Dedicated Log Collector authentication configuration, showing assignment of an LDAP Authentication Profile to a local administrator.
  3. Click OK, then Commit and Commit and Push.
  4. Verify CLI login to the DLC using LDAP credentials for the configured local admin.

LDAP Authentication Profiles are supported for individual local administrators on the Dedicated Log Collector, rather than as a global setting for the DLC itself.

Custom Certificates Between Log Collectors (Inter-LC Communication)

For secure communication between Log Collectors within the same Collector Group , you can enforce mutual authentication using custom certificates. This is especially important in environments with high security requirements.

Each Log Collector in the group acts as both a server and a client, so both server-side and client-side custom certificate configurations are needed on each LC.

Key Steps:

  1. Obtain Certificates: For each Log Collector in the group:
    • Server Key Pair (private key + certificate)
    • Client Key Pair (private key + certificate)
    • The CA certificate(s) that signed these LC certificates.
  2. Import to Panorama: (Panorama > Certificate Management > Certificates > Import)
    • Import the CA certificate(s).
    • Import the server key pair for each LC.
    • Import the client key pair for each LC.
  3. Create Certificate Profile (for Server-Side Validation): (Panorama > Certificate Management > Certificate Profile)
    • This profile will be used by an LC (acting as a server) to validate the client certificate of another LC connecting to it.
    • Include the root CA and any intermediate CAs that signed the LC client certificates.
  4. Create Certificate Profile (for Client-Side Certificate): (Panorama > Certificate Management > Certificate Profile)
    • This profile is associated with the client certificate an LC will present when connecting to another LC. It typically specifies usage constraints or references the CA.
    • If using SCEP for client certificates, configure a SCEP profile instead.
  5. Create SSL/TLS Service Profile: (Panorama > Certificate Management > SSL/TLS Service Profile)
    • Defines the server certificate the LC will present (when acting as a server) and the SSL/TLS protocols/ciphers to use.
  6. Enable Secure Inter-LC Communication in Collector Group:
    • Select Panorama > Collector Groups, edit the Collector Group.
    • On the General tab, check Enable secure inter LC Communication.
    • If the Collector Group includes a Local Log Collector (on Panorama itself), a link appears to configure its secure client settings directly from Panorama's Secure Communication Settings.
    • Click OK and Commit.
  7. Configure Secure Server Communication on EACH Log Collector: (via Panorama)
    • For Dedicated LCs: Panorama > Managed Collectors > [Select LC] > Communications tab.
    • For Local LC on Panorama: Panorama > Setup > Management > Secure Communication Settings > Edit (for the Inter-LogCollector Communication section).
    • Enable Customize Secure Server Communication.
    • Select the SSL/TLS Service Profile (from step 5).
    • Select the Certificate Profile (from step 3, for validating connecting LCs).
    • Initially, ensure Custom Certificates Only is disabled (cleared) to allow communication with predefined certs during migration. Enable it only after all LCs are configured.
    • (Optional) Set Disconnect Wait Time.
    • (Optional) Configure Authorization List (checks Subject/SAN of the connecting LC's client cert).
    • Click OK and Commit. (The disconnect wait time starts after this commit if set.)
  8. Configure Secure Client Communication on EACH Log Collector: (via Panorama, same locations as server config)
    • Under "Secure Client Communications" (or similar section for Inter-LC client config).
    • Select Certificate Type, the specific Certificate (client cert from step 2), and Certificate Profile (from step 4).
    • Click OK and Commit.

After all LCs are configured with custom certificates for both server and client roles, you can then go back to the Secure Server Communication settings on each LC and enable "Custom Certificates Only" to enforce strict custom certificate authentication for inter-LC communication.
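The certificate material from step 1 and the two server-side checks from step 7 (Certificate Profile chain validation, Authorization List Subject/SAN match), as an added openssl example that is not Palo Alto Networks code: it builds one CA plus per-LC server and client key pairs and shows which presented certificates an LC acting as server would accept. The CA names, LC names and the example.test domain are constructed placeholders, and the per-role EKU pinning is an assumption about how the key pairs should be issued.

```shell
#!/bin/sh
# Added example (not Palo Alto Networks code). Builds what step 1 asks for,
# one CA plus server and client key pairs per Log Collector, then replays the
# two checks an LC acting as server applies to a connecting peer's client
# certificate: chain validation against the trusted CA (Certificate Profile)
# and a DNS SAN match against an allow-list (Authorization List).
# All CA names, LC names and the example.test domain are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DOMAIN="example.test"                     # constructed DNS suffix for LC FQDNs
ALLOWED_SANS="lc1.$DOMAIN lc2.$DOMAIN"    # constructed Authorization List
REQ_CNF="$WORKDIR/req.cnf"

# Minimal req config shared by every request; -subj overrides the placeholder CN.
# ca_ext gives the CA explicit CA basicConstraints so 'openssl verify' treats it
# as an issuer on every OpenSSL version.
cat > "$REQ_CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

new_key() {  # $1 = output path; RSA-2048 private key
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

make_ca() {  # $1 = CA name (used as CN and file stem)
  new_key "$WORKDIR/$1.key"
  openssl req -x509 -new -key "$WORKDIR/$1.key" -config "$REQ_CNF" -extensions ca_ext \
    -subj "/CN=$1" -days 365 -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Issue one role-specific LC certificate. $1 = LC name, $2 = server|client,
# $3 = issuing CA name. The SAN carries the LC FQDN; the EKU is pinned to the
# role so a server certificate cannot be replayed as a client certificate.
issue_lc_cert() {
  lc="$1"; role="$2"; ca="$3"; stem="$WORKDIR/$lc-$role"
  eku=serverAuth; [ "$role" = client ] && eku=clientAuth
  new_key "$stem.key"
  openssl req -new -key "$stem.key" -config "$REQ_CNF" -subj "/CN=$lc.$DOMAIN" \
    -out "$stem.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' \
    "$lc.$DOMAIN" "$eku" > "$stem.ext"
  openssl x509 -req -in "$stem.csr" -CA "$WORKDIR/$ca.crt" -CAkey "$WORKDIR/$ca.key" \
    -CAcreateserial -days 365 -extfile "$stem.ext" -out "$stem.crt" 2>/dev/null
}

# Check 1 (Certificate Profile): cert chains to the trusted CA and is usable as
# a TLS client (-purpose sslclient rejects a serverAuth-only certificate).
verify_client_chain() {  # $1 = cert path, $2 = trusted CA name
  openssl verify -CAfile "$WORKDIR/$2.crt" -purpose sslclient "$1" >/dev/null 2>&1
}

# Check 2 (Authorization List): the cert's first DNS SAN is an allowed LC name.
san_allowed() {  # $1 = cert path
  san=$(openssl x509 -in "$1" -noout -text 2>/dev/null | grep -o 'DNS:[^, ]*' | head -n 1 | cut -d: -f2)
  for allowed in $ALLOWED_SANS; do
    [ "$san" = "$allowed" ] && return 0
  done
  return 1
}

# What an LC acting as server decides for a presented cert; echoes accepted|rejected.
peer_decision() {  # $1 = presented cert path
  if verify_client_chain "$1" inter-lc-ca && san_allowed "$1"; then
    echo accepted
  else
    echo rejected
  fi
}

# Provision: trusted CA, server + client pairs for the two group members, then
# two negative cases: lc3 signed by an untrusted CA, and lc4 signed by the
# trusted CA but absent from the Authorization List.
make_ca inter-lc-ca
for lc in lc1 lc2; do
  issue_lc_cert "$lc" server inter-lc-ca
  issue_lc_cert "$lc" client inter-lc-ca
done
make_ca rogue-ca
issue_lc_cert lc3 client rogue-ca
issue_lc_cert lc4 client inter-lc-ca

for peer in lc1 lc2 lc3 lc4; do
  echo "$peer client cert: $(peer_decision "$WORKDIR/$peer-client.crt")"
done
echo "lc2 server cert presented as client: $(peer_decision "$WORKDIR/lc2-server.crt")"
```

The generated .key/.crt files in WORKDIR are what steps 2 and 8 import and assign; only the client certificates of lc1 and lc2 pass both checks.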

Deployment Scenario: Panorama with Dedicated Log Collectors

This is recommended for environments generating over 10,000 logs/second. Panorama (M-Series or virtual in Panorama mode, often in HA) manages Dedicated Log Collectors (M-Series or virtual in Log Collector mode).

Single Dedicated Log Collector Per Collector Group

Diagram: Panorama HA managing firewalls forwarding to distinct Collector Groups, each with one Dedicated Log Collector.

Multiple Dedicated Log Collectors Per Collector Group (for Redundancy/Capacity)

Diagram: Panorama HA managing firewalls forwarding to a Collector Group with multiple Dedicated Log Collectors.

Key Steps (Summarized - assuming initial Panorama/LC setup like IP, licenses, PAN-OS updates are done):

  1. Panorama Management Server(s):
    • Set up in Panorama mode (often HA).
    • Create Device Registration Auth Key (Panorama > Device Registration Auth Key).
      Screenshots: Creating the Auth Key on Panorama; copying the Auth Key.
  2. Dedicated Log Collector(s):
    • Switch mode to Log Collector: request system system-mode logger (deletes data/config). Verify with: show system info | match system-mode
    • Reset secure connection state (SC3): request sc3 reset, then: debug software restart process management-server
    • Apply Auth Key: request authkey set <auth-key>
      Screenshot: Applying the Auth Key on the Dedicated Log Collector CLI.
    • Set Panorama server IP(s) for management: set deviceconfig system panorama-server <IP1> panorama-server-2 <IP2>, then commit
    • Record serial number: show system info | match serial
  3. On Panorama Management Server (Primary UI):
    • Add each Dedicated LC as a Managed Collector (Panorama > Managed Collectors > Add). Enter S/N. Configure MGT interface IP. (Optional) SNMP. Commit to Panorama.
    • Enable Logging Disks for each Managed Collector (Edit collector > Disks tab > Add pairs/disks). Commit to Panorama.
    • (Recommended) Configure dedicated Ethernet interfaces on LCs for Device Log Collection and Collector Group Communication (Edit collector > Interfaces tab). Commit to Panorama.
    • Add Firewalls as Managed Devices.
    • Configure Collector Group(s) (Panorama > Collector Groups > Add).
      • Add DLC members. Ensure same model if multiple in one group.
      • Enable redundancy if applicable (requires LCs to have same disk count).
      • Configure Device Log Forwarding (assign firewalls to LCs in the group, set priorities).
    • Commit and Push to Panorama and the Collector Group(s).
    • Verify LC status (Connected, In Sync).
  4. Configure Log Forwarding from Firewalls to Panorama (via Templates/Device Groups, as covered in Forwarding Logs to Panorama ).

Caveats for Collector Groups with multiple Log Collectors (model consistency, disk consistency for redundancy, network proximity) are critical for the exam.

Deployment Scenario: Panorama M-Series Appliances with Local Log Collectors

Panorama M-Series appliances in Panorama mode can use their predefined local Log Collectors. Often deployed in an HA pair.

Single Local Log Collector Per Collector Group (Primary's LC used, secondary's LC in another CG or standby)

Diagram: M-Series HA, firewalls forward to the primary's local LC. The secondary's LC could serve other firewalls or provide redundancy.

Multiple Local Log Collectors Per Collector Group (Both Primary and Secondary LCs in one CG)

Diagram: M-Series HA, firewalls forward to a Collector Group containing local LCs from both HA peers.

Key Steps (Summarized - assuming M-Series initial setup, HA config are done):

  1. Prepare Panorama M-Series HA Peers:
    • On Primary Panorama CLI: set deviceconfig system panorama-server <Secondary_MGT_IP>, then commit
    • On Secondary Panorama CLI: set deviceconfig system panorama-server <Primary_MGT_IP>, then commit
    • On Secondary Panorama CLI, record its serial number: show system info | match serial
  2. Configure Primary Panorama's Local Log Collector (via Primary UI):
    • Panorama > Managed Collectors: Select the "default" (local) Log Collector.
    • Disks tab: Add each logging disk pair. Click OK. (No need to Commit to Panorama yet; this is done together with the secondary's collector below.)
  3. Add Secondary Panorama's Local Log Collector as Managed (via Primary UI):
    • Panorama > Managed Collectors > Add.
    • Enter the S/N of the secondary Panorama.
    • Panorama Server IP (Primary MGT IP), Panorama Server IP 2 (Secondary MGT IP).
    • Configure Interfaces (MGT IP for secondary Panorama).
    • Click OK. Commit to Panorama.
    • Edit this newly added (secondary's) Log Collector. Go to the Disks tab: Add its disk pairs. Click OK. Commit to Panorama.
  4. Add Firewalls as Managed Devices (Primary UI).
  5. Configure Collector Group(s) (Primary UI):
    • Edit the "default" Collector Group or Add new.
      • The "default" CG already contains the primary's local LC. Add the secondary's local LC if using multiple LCs in one group.
      • Enable redundancy if applicable (both M-Series must have the same disk count).
      • Configure Device Log Forwarding (assign firewalls, set priorities between primary/secondary LCs).
  6. Commit and Push to Panorama and Collector Group(s) (Primary UI).
  7. Configure Secondary Panorama for Primary's LC (Failover Scenario Prep):
    1. Manually fail over HA (Suspend primary Panorama).
    2. Log into the now-active Secondary Panorama UI.
    3. Panorama > Managed Collectors: Select the Log Collector corresponding to the (now passive) primary Panorama.
    4. Ensure the Panorama Server IP and IP 2 fields are correctly populated for the primary and secondary MGT IPs.
    5. Configure its MGT interface IP settings (if not already synced).
    6. Click OK. Commit and Push.
    7. Fail back (Suspend secondary Panorama, make primary functional again).
  8. Configure Log Forwarding from Firewalls to Panorama (via Templates/Device Groups on Primary UI).

In an M-Series HA setup, the local Log Collector of the secondary peer is treated as "remote" by the primary and needs to be explicitly added and configured on the primary.

Deployment Scenario: Panorama Virtual Appliances with Local Log Collectors

Panorama virtual appliances in Panorama mode can have local Log Collectors (using added virtual logging disks). Often deployed in HA.

To start in Panorama mode, a virtual appliance needs an 81GB system disk and sufficient CPU/memory for logging. Add virtual logging disks (2-24TB).

Single Local Log Collector Per Collector Group

Diagram: Virtual Panorama HA, each peer's local LC potentially in a separate Collector Group, or one active.

Multiple Local Log Collectors Per Collector Group

Diagram: Virtual Panorama HA, local LCs from both peers in a single Collector Group for redundancy.

Key Steps (Summarized - assuming virtual appliance initial setup with logging disks, HA config are done):

  1. Add Primary Panorama's Local Log Collector (Primary UI):
    • Record Primary Panorama's S/N (Dashboard).
    • Panorama > Managed Collectors > Add. Enter S/N. OK. Commit to Panorama.
    • Edit this new LC. Disks tab: Add virtual logging disks. OK. Commit to Panorama.
  2. Add Secondary Panorama's Local Log Collector (Primary UI):
    • Record Secondary Panorama's S/N (from its Dashboard).
    • Panorama > Managed Collectors > Add. Enter Secondary's S/N.
    • Panorama Server IP (Primary MGT IP), Panorama Server IP 2 (Secondary MGT IP).
    • OK. Commit to Panorama.
    • Edit this new LC (secondary's). Disks tab: Add its virtual logging disks. OK. Commit to Panorama.
  3. Add Firewalls as Managed Devices (Primary UI).
  4. Configure Collector Group(s) (Primary UI):
    • Panorama > Collector Groups > Add.
    • Add local LCs of primary and/or secondary as members.

      All LCs in one group must be virtual appliance type (which they are here).

    • Enable redundancy if applicable (both virtual LCs should have the same number/size of logging disks).
    • Configure Device Log Forwarding.
    • OK. Commit and Push to Panorama and Collector Group(s).
  5. Configure Secondary Panorama for Primary's LC (Failover Scenario Prep - similar to M-Series):
    1. Trigger HA failover (Suspend primary).
    2. Log into the now-active Secondary Panorama UI.
    3. Panorama > Managed Collectors: Select the Log Collector corresponding to the (now passive) primary Panorama.
    4. Ensure the Panorama Server IP and IP 2 fields are correctly populated.
    5. OK. Commit and Push.
    6. Restore HA on primary, then fail back (Suspend secondary, make it functional, verify roles).
  6. Configure Log Forwarding from Firewalls to Panorama (via Templates/Device Groups on Primary UI).

Unlike M-Series, Panorama virtual appliances in Panorama mode require you to manually add both their own local Log Collector and the secondary peer's local Log Collector as managed collectors on the primary.

Deployment Scenario: Panorama Virtual Appliances in Legacy Mode with Local Log Collection

This configuration is for Panorama virtual appliances in Legacy mode, typically in an HA setup, processing up to 10,000 logs/second. Logs are sent to NFS datastore (ESXi only) or local virtual disks.

To ensure Legacy mode, do not add a virtual logging disk during initial installation (Panorama uses ~11GB on system disk by default, expandable later up to 8TB with a dedicated logging disk). If a large logging disk is added during initial setup of recent PAN-OS versions, it might default to Panorama mode.

Panorama Virtual Appliances in Legacy Mode with Local Log Collection

Diagram: Panorama Virtual Appliances in Legacy Mode HA, logging locally or to NFS.

Key Steps (Summarized - assuming initial setup, HA config are done):

  1. Initial Setup for Legacy Mode:
    • During Panorama virtual appliance installation, do not add a dedicated virtual logging disk if aiming for the default small partition. If more storage is needed, it can be added post-installation.
    • Complete initial configuration, registration, licensing, software updates.
  2. Set up HA for Panorama Virtual Appliances.
  3. Prepare Panorama for Log Collection:
    • Add Firewalls as Managed Devices.
    • Configure Log Forwarding to Panorama (firewalls send logs directly to Panorama MGT IP or service route IP).

      In Legacy mode, you don't configure "Managed Collectors" or "Collector Groups" in the same way as Panorama mode. Logs are sent directly to Panorama itself.

  4. Commit changes on Panorama.
  5. Log Forwarding/Buffering Defaults (Legacy HA): (Panorama > Setup > Management > Logging and Reporting Settings > Log Export and Reporting)
    • Only Active Primary Logs to Local Disk (Default: Disabled): If enabled, only the primary HA peer saves logs to its local disk. Default means both peers receive/save logs. (For 5200/7000 series firewalls, only active peer receives logs anyway).
    • Get Only New Logs on Convert to Primary (Default: Disabled): For NFS logging on ESXi. If enabled, after HA failover, the newly promoted primary gets only new logs, not a flood of buffered logs. With NFS, only the primary peer mounts the datastore.

If logging rates exceed 10,000 lps, consider migrating to Panorama mode and using Dedicated Log Collectors or Strata Logging Service.

Monitoring Managed Collector Health Status

Monitor the health of managed Log Collectors to identify and resolve issues impacting log collection. Health is based on vital Log Collector processes.

Steps to View Health (on Panorama Web Interface):

  1. Ensure Managed Collector and Collector Group are configured.
  2. Navigate to Panorama > Managed Collectors.
  3. Observe the Health column:
    • Green health icon: Healthy.
    • Red health icon: One or more processes have degraded health.
  4. Click the health icon or a link/button in that row (often "Health Status" or similar, or by clicking the collector and finding a health tab) to view the detailed health status of individual processes.
    Screenshot: Detailed Health Status of Log Collection processes.

Key Log Collection Processes:

Understanding these processes can help in troubleshooting log collection issues. For instance, an issue with 'es' could indicate problems with log indexing and searching, while 'logd' issues might mean logs aren't even being received properly from firewalls.

Verification, Troubleshooting & PCNSE Quiz

Verifying Log Forwarding to Panorama

After configuring log forwarding, verify its success.

Traffic logs might show "incomplete" sessions for TCP connections from firewalls to Log Collectors over Ethernet interfaces (except PA-5200/7000). This is normal and due to 60-second TCP timeouts, not a connectivity loss. Forwarding over the management port does not generate these incomplete traffic logs.

Verification Steps:

  1. Access Firewall CLI.
  2. Verify Log Forwarding Preference List (if using Log Collectors):
     > show log-collector preference-list

    Output should show the serial number and IP address of the preferred Log Collector(s).

  3. Verify Logging Status on Firewall:
     > show logging-status

    Output should indicate the log forwarding agent is active and connected.

    • Agent for Panorama virtual appliance (Legacy/Panorama mode local LC): Panorama
    • Agent for M-Series appliance / Dedicated LC: LogCollector
    • Agent for Strata Logging Service: Log Collection Service (with a status such as "Log Collection log forwarding agent is active and connected to <IP_address>")
  4. View Average Logging Rate:
    • If logs go to Log Collectors (via Panorama UI): Panorama > Managed Collectors, click the Statistics link for the collector.
    • If logs go to a Panorama virtual appliance (Legacy Mode) or M-Series (CLI):
      > debug log-collector log-collection-stats show incoming-logs
      (This command also works on M-Series LCs/Panorama directly.)
  5. Check Logs in Panorama: Navigate to Monitor > Logs in Panorama and verify logs from the firewalls are appearing.

Modifying Log Forwarding and Buffering Defaults

These settings are found under Panorama > Setup > Management; edit Logging and Reporting Settings > Log Export and Reporting tab.

Log Forwarding Mode on Firewall:

  • (Best Practice) Buffered Log Forwarding from Device (Default: Enabled): The firewall buffers logs and sends them to Panorama at 30-second intervals. Crucial for resilience if connectivity to Panorama is lost; the firewall buffers locally and resumes forwarding from where it left off. If the buffer fills, the oldest logs are deleted.
  • Live Mode Log Forwarding from Device (enabled if Buffered Log Forwarding is cleared): The firewall sends each log transaction to Panorama as it is recorded locally. Higher resource consumption, less resilient to network outages.

Buffered Log Forwarding is the default and recommended mode for its resilience.

Log Forwarding Preference (Panorama Virtual Appliance in Legacy Mode, HA Setup):

  • Only Active Primary Logs to Local Disk (Default: Disabled). Pertains to: Panorama virtual appliance in Legacy mode, logging to a virtual disk, in HA. If enabled, only the primary Panorama peer saves logs to its local disk. Default (disabled) means both peers receive and save logs. (Note: For 5200/7000 series firewalls, only the active peer receives logs anyway.)
  • Get Only New Logs on Convert to Primary (Default: Disabled). Pertains to: Panorama virtual appliance in Legacy mode, logging to NFS (ESXi server only), in HA. If enabled, when an HA failover occurs and the secondary becomes primary, firewalls send only newly generated logs. Prevents flooding Panorama with a large volume of buffered logs after a long disconnection. With NFS, only the primary peer mounts the datastore.


Key PCNSE Exam Tips & Gotchas for Log Collection

General Concepts:

Configuration & Setup:

HA Considerations:

Authentication & Security:

Forwarding to External Systems:

Verification & Troubleshooting:

PCNSE Log Collection Interactive Quiz

Test your knowledge on Panorama log collection. Select the best answer for each question.

1. When configuring a Collector Group with multiple Log Collectors for redundancy, what is a critical requirement for all member Log Collectors?

Correct Answer: B. For log redundancy to function correctly within a Collector Group, all Log Collectors must have an identical count of logging disks. While being the same model is also a requirement for group membership, disk count is specific to redundancy.

2. You are adding a new Dedicated Log Collector to Panorama. What is the primary purpose of the Device Registration Authentication Key?

Correct Answer: C. The Device Registration Authentication Key is used for the initial secure handshake between Panorama and the new Log Collector. After this, Panorama delivers a device certificate for subsequent communications.

3. A Panorama M-Series appliance is operating in Panorama mode. What is true about its local Log Collector?

Correct Answer: D. On M-Series appliances in Panorama mode, the local Log Collector is predefined and is automatically part of the "default" Collector Group. You still need to enable its disks.

4. If a Panorama virtual appliance is in Legacy mode, and you want to utilize Collector Groups, what must you do?

Correct Answer: A. To use features like Collector Groups with a Panorama virtual appliance, it must be switched from Legacy mode to Panorama mode.

5. When configuring administrators for a Dedicated Log Collector via Panorama, which admin role type is exclusively supported?

Correct Answer: B. Only Superuser administrators are supported when configuring administrative accounts (local, imported, or remote) for a Dedicated Log Collector from Panorama.

6. What happens if you switch an M-Series appliance from Panorama mode to Log Collector mode?

Correct Answer: C. Switching to Log Collector mode removes the predefined local Log Collector, deletes existing configurations (except basic management access settings), and all log data.

7. You are configuring a Collector Group and want to ensure no logs are lost if one Log Collector becomes unavailable. What should you enable, and what is a key prerequisite?

Correct Answer: A. "Enable log redundancy across collectors" is the feature. A key prerequisite is that all Log Collectors in the group must have the same number of logging disks. Being the same model is a general group requirement, not specific just to redundancy.

8. After adding a new Log Collector to Panorama and committing, its Configuration Status shows "Out of Sync" and Run Time Status shows "disconnected." What is the most likely next step required to resolve this?

Correct Answer: D. A Log Collector will remain Out of Sync and disconnected until it's part of a fully configured Collector Group and that configuration is pushed to it. Enabling disks is also necessary but the CG configuration push is what syncs its operational role.

9. Which Panorama mode is required for a Panorama virtual appliance to support features like local Log Collectors that are members of Collector Groups?

Correct Answer: B. To use local Log Collectors as part of Collector Groups on a Panorama virtual appliance, it must be in Panorama mode. Legacy mode has different logging mechanisms.

10. When forwarding logs from Panorama to an external Syslog server over SSL that requires client authentication, where is the client certificate for Panorama/Log Collector typically configured/assigned?

Correct Answer: C. The client certificate used by Panorama or a Dedicated Log Collector for secure syslog forwarding is managed under Panorama's Certificate Management and then assigned appropriately (e.g., to the "Certificate for Secure Syslog" field for a Managed Collector).

11. A customer wants to send logs to both Strata Logging Service and their on-premise Log Collectors simultaneously from their PAN-OS 9.0 firewalls. Which option should they configure in Panorama Templates?

Correct Answer: A. The "Enable Duplicate Logging (Cloud and On-Premise)" option, available for firewalls running PAN-OS 8.1 and later, allows logs to be sent to both destinations.

12. What is a key characteristic of all Log Collectors within a single Collector Group?

Correct Answer: B. A strict requirement for Collector Group membership is that all Log Collectors within that group must be of the same Panorama model (e.g., all M-Series of a specific type, or all Panorama virtual appliances).

13. If a Panorama virtual appliance in Panorama mode has an HA configuration, how is the local Log Collector on the secondary HA peer managed by the primary Panorama?

Correct Answer: D. Relative to the primary Panorama, the local Log Collector on the secondary Panorama HA peer is treated as a remote collector. It needs to be manually added as a managed collector on the primary Panorama to be utilized and managed effectively.

14. Which CLI command on a firewall is used to verify that it has received a log forwarding preference list from Panorama?

Correct Answer: C. The command show log-collector preference-list on the firewall CLI displays the Log Collector(s) it's configured to forward logs to, based on the preference list pushed from Panorama.

15. When configuring syslog forwarding over a dedicated Ethernet interface on a Log Collector via the Panorama CLI, what is a critical prerequisite step?

Correct Answer: A. When using the CLI, Panorama does not automatically disable syslog forwarding on the MGT interface if you enable it on an Ethernet interface. You must explicitly disable MGT syslog forwarding first to ensure logs go out the intended Ethernet port.

16. What is the maximum number of Log Collectors that can be part of a single Collector Group?

Correct Answer: B. A Collector Group can contain 1 to 16 Log Collectors.

17. If you enable "log redundancy across collectors" in a Collector Group, what is the impact on storage capacity and maximum logging rate?

Correct Answer: C. Log redundancy means two copies of each log are stored, effectively halving usable storage. It also doubles log processing traffic within the group as copies are distributed, thus reducing the maximum logging rate by about half.

18. A Panorama administrator notices that the ElasticSearch health status for a newly added Log Collector is "degraded." What is a common reason for this state?

Correct Answer: D. The ElasticSearch health status will display as degraded, and the Log Collector cannot ingest logs properly, until it is added to a Collector Group and the Collector Group configuration is pushed to it.

19. When configuring log forwarding from firewalls to Panorama, which Panorama component is used to push Log Forwarding Profiles to a set of firewalls?

Correct Answer: A. Log Forwarding Profiles (found under Objects > Log Forwarding) are configured within the context of a Device Group and pushed to firewalls belonging to that Device Group. Templates are used for Log Settings (e.g., for System, Config logs).

20. What is the recommended log forwarding mode from a device (firewall) to Panorama for optimal resilience against network connectivity issues?

Correct Answer: C. Buffered Log Forwarding is the default and best practice. It allows the firewall to buffer logs locally if connectivity to Panorama is lost and send them once connectivity is restored.

21. What is the maximum log record size for logs forwarded from Panorama to external services before truncation occurs?

Correct Answer: B. Forwarded logs have a maximum log record size of 4,096 bytes. Logs larger than this will be truncated.

22. If Panorama is running PAN-OS 11.1, what is the minimum PAN-OS version a Dedicated Log Collector must be running to be onboarded?

Correct Answer: A. Panorama running PAN-OS 11.1 supports onboarding Dedicated Log Collectors running PAN-OS 10.1.3 or later. It cannot add those running 10.1.2 or earlier if Panorama is on 11.0/11.1.

23. When configuring custom certificates for secure inter-Log Collector communication within a Collector Group, what must be done on EACH Log Collector in the group?

Correct Answer: D. Each Log Collector in the group acts as both a server (listening for connections from other LCs) and a client (connecting to other LCs). Therefore, both secure server communication and secure client communication with custom certificates need to be configured on each member.

24. Which Panorama CLI command is used to switch an M-Series or Panorama virtual appliance to Log Collector mode?

Correct Answer: C. The command is request system system-mode logger.

25. If "Log At Session Start" is enabled for Traffic logs in a Security policy rule, what is a primary consideration?

Correct Answer: B. Logging at session start consumes more firewall resources. It's typically used for troubleshooting, visibility into long-lived sessions (like GRE tunnels or OT/ICS), or when ACC visibility for such sessions is needed.

26. In a Panorama M-Series HA deployment using local Log Collectors, where would you typically configure the Log Collector that is local to the passive (secondary) M-Series appliance?

Correct Answer: D. The local Log Collector on the secondary Panorama HA peer is considered "remote" from the perspective of the primary. It must be manually added as a managed collector on the primary Panorama's UI to be managed and included in Collector Groups.

27. What is the main purpose of the "Device Log Forwarding" tab within a Collector Group configuration?

Correct Answer: A. The "Device Log Forwarding" tab is where you create preference lists that map specific managed firewalls (or device groups) to the Log Collectors that are members of that Collector Group, defining the primary and failover order.

28. A Panorama virtual appliance is installed with an 81GB system disk and a 2TB virtual logging disk. It is intended to operate in Panorama mode with a local Log Collector. What is the first step to make this local Log Collector operational via the Panorama UI?

Correct Answer: C. For a Panorama virtual appliance in Panorama mode to use its local Log Collector capabilities, you must first add the Panorama appliance (using its own serial number) as a Managed Collector. Then you can enable its disks and add it to a Collector Group.

29. Which process on a Log Collector is primarily responsible for ingesting logs received from managed firewalls and transferring them to the vldmgr?

Correct Answer: B. The 'logd' process is responsible for ingesting logs from firewalls and transferring them to vldmgr for further processing and storage management.

30. When is it particularly recommended to configure syslog forwarding over a dedicated Ethernet interface instead of the MGT interface on Panorama or a Log Collector?

Correct Answer: D. Using a dedicated Ethernet interface for syslog forwarding is recommended in high-log-volume environments to optimize management operations and prevent potential log loss by offloading traffic from the MGT interface.

31. If an administrator configures a Device Registration Authentication Key with a Lifetime of 30 days, when does the key itself fully expire and become invalid if not re-certified?

Correct Answer: A. The key can be used to onboard new devices for the specified Lifetime. After the Lifetime expires, there's a 90-day grace period during which it can be re-certified. If not re-certified, it becomes invalid after Lifetime + 90 days.

32. When configuring an M-Series appliance as a Dedicated Log Collector, which interface is typically NOT available for user interaction after the mode switch?

Correct Answer: C. After an M-Series appliance (or Panorama virtual appliance) is switched to Log Collector mode, its web interface becomes inaccessible. Management is done via CLI or through Panorama.

33. What is the primary method for assigning specific firewalls to forward logs to a particular Log Collector or set of Log Collectors within a Collector Group?

Correct Answer: B. The "Device Log Forwarding" tab within the Collector Group configuration on Panorama is where you define preference lists. These lists associate firewalls with the Log Collectors in that group and set their forwarding priority.

34. What is a best practice recommended by Palo Alto Networks regarding local Log Collectors and Collector Groups, even when Dedicated Log Collectors are also managed?

Correct Answer: D. Palo Alto Networks recommends retaining a local Log Collector and Collector Group on the Panorama management server, regardless of whether it also manages Dedicated Log Collectors. This can be useful for Panorama's own logs or a small subset of firewalls.

35. In a Panorama virtual appliance HA setup (Panorama mode), if the primary peer fails, and the secondary peer takes over, what must have been configured on the original primary peer for the secondary's local Log Collector to be utilized effectively?

Correct Answer: A. For the secondary peer's local Log Collector to be part of the overall logging infrastructure managed by the primary (and thus available after failover), it must have been added as a managed collector on the primary Panorama.

36. Which type of logs are NOT typically configured for forwarding using a Log Forwarding Profile assigned to security policy rules?

Correct Answer: C. Log Forwarding Profiles (Objects > Log Forwarding) are primarily for logs generated by traffic passing through policies (Traffic, Threat, URL, Data Filtering, WildFire, Tunnel). System, Config, User-ID, and HIP Match logs are configured for forwarding under Device > Log Settings (via Templates).

37. If you see "incomplete" sessions in firewall traffic logs for connections to a Log Collector, and log forwarding is configured over an Ethernet interface (not MGT), what is the most likely explanation (excluding PA-5200/7000 series)?

Correct Answer: B. The documentation states that traffic logs showing "incomplete" sessions are generated by firewalls (except PA-5200/7000) when forwarding logs over a supported Ethernet interface due to 60-second TCP timeouts, and this does not indicate a loss of connection.

38. What is a key consequence of enabling the "Custom Certificate Only" checkbox in the Secure Server Communication settings for a Log Collector that communicates with other Log Collectors?

Correct Answer: D. When "Custom Certificate Only" is checked for inter-LC communication, the Log Collector will only authenticate and connect with other Log Collectors that present a custom certificate matching its configuration. Connections using predefined certificates will fail.

39. For a PA-7000 Series firewall managed by Panorama, if log forwarding to Panorama is NOT configured, how can an administrator view its logs via Panorama (assuming PAN-OS 8.0.8+ on both)?

Correct Answer: A. If log forwarding is not set up for PA-7000 Series firewalls, Panorama (PAN-OS 8.0.8+) can directly query them for logs if the command debug reportd send-request-to-7k yes is run on the Panorama CLI.

40. You need to configure LDAP authentication for administrators accessing a Dedicated Log Collector's CLI. Where is the LDAP Authentication Profile typically assigned in Panorama?

Correct Answer: B. LDAP Authentication Profiles are typically assigned to individual local administrator accounts that are created on Panorama specifically for that Dedicated Log Collector. This allows granular control over which local accounts use LDAP.

41. If a Panorama evaluation virtual appliance with a local Log Collector is converted to a production instance with a local Log Collector, what happens to the logs generated during the evaluation period?

Correct Answer: C. Logs stored on the local Log Collector of an evaluation Panorama cannot be preserved when converting to a production Panorama instance with a local Log Collector. It's recommended to forward logs externally to preserve them during the evaluation.

42. What is the system disk storage size requirement for a Panorama virtual appliance to ensure it starts in Panorama mode (as opposed to potentially Legacy mode if older PAN-OS or specific setup)?

Correct Answer: D. To ensure a Panorama virtual appliance starts in Panorama mode, it must be configured with a system disk of exactly 81GB. Other sizes might lead to Legacy mode or other states depending on the PAN-OS version and logging disk presence.

43. When configuring a Collector Group, if the "Log Storage" field shows 0MB, what is a primary item to verify on the member Log Collectors?

Correct Answer: A. If the Log Storage field in Collector Group settings shows 0MB, it typically means the logging disks for the member Log Collector(s) have not been enabled via Panorama (Managed Collectors > Edit > Disks tab) and the changes committed.

44. Which of the following is NOT a process whose health status contributes to the overall health of a managed Log Collector displayed in Panorama?

Correct Answer: B. The key processes monitored for Log Collector health are logd, vldmgr, vlds, and es. 'devsrvr' (device server) is a more general Panorama/firewall management process, not specific to log collection health on the LC.

45. An administrator wants to move a Dedicated Log Collector from CollectorGroupA to CollectorGroupB. What is a correct part of this procedure?

Correct Answer: C. The correct procedure involves removing it from its current group's membership and forwarding preferences, then deleting it as a managed collector, and then re-adding it to Panorama and assigning it to the new collector group.

46. If a Panorama HA pair uses Panorama virtual appliances in Legacy mode logging to an NFS datastore (ESXi only), what does the "Get Only New Logs on Convert to Primary" option achieve if enabled?

Correct Answer: D. This option, when enabled in a Legacy mode HA setup with NFS logging, prevents a newly promoted primary Panorama from being overwhelmed by a flood of buffered logs from firewalls after a potentially long disconnection. It will only request new logs.

47. To forward logs from a firewall to Panorama, where are settings for System, Configuration, and User-ID logs primarily configured?

Correct Answer: A. System, Configuration, User-ID, and HIP Match log forwarding destinations are configured under Device > Log Settings within a Panorama Template, which is then applied to firewalls.

48. An administrator configured Failed Attempts to 5 and Lockout Time to 0 for a managed Log Collector's admin user. What is the consequence if an admin user exceeds 5 failed login attempts?

Correct Answer: B. If Failed Attempts is non-zero and Lockout Time is 0, the admin user is locked out indefinitely until manually unlocked by another administrator or by pushing a configuration change from Panorama.

49. When would you select "Authorize Client Based on Serial Number" in the Secure Server Communication settings for a Log Collector?

Correct Answer: C. This option allows the server (Log Collector) to check clients against the serial numbers of managed devices. It requires the client certificate to have its Common Name (CN) set to the keyword $UDID for authorization based on serial numbers.

50. What action on Panorama is essential after adding a new Managed Collector (e.g., a Dedicated Log Collector) before you can successfully enable its logging disks?

Correct Answer: D. After adding the Log Collector as a managed collector (entering its serial number etc.), you must Commit to Panorama. This action registers the collector in Panorama's configuration, allowing you to then edit it further to enable its disks.