Centralized Logging and Reporting
Panorama aggregates data from all managed firewalls and provides visibility across all the traffic on the network. It also provides an audit trail for all policy modifications and configuration changes made to the managed firewalls. In addition to aggregating logs, Panorama can aggregate and forward Simple Network Management Protocol (SNMP) traps, email notifications, and syslog messages to an external destination.
The Application Command Center (ACC) on Panorama provides a single pane for unified reporting across all the firewalls. It enables you to centrally Monitor Network Activity and to analyze, investigate, and report on traffic and security incidents. On Panorama, you can view logs and generate reports from logs forwarded to Panorama or to the managed Log Collectors, if configured, or you can query the managed firewalls directly. For example, you can generate reports about traffic, threat, and/or user activity in the managed network based on logs stored on Panorama (and the managed collectors) or by accessing the logs stored locally on the managed firewalls.
If you choose not to Configure Log Forwarding to Panorama, you can schedule reports to run on each managed firewall and forward the results to Panorama for a combined view of user activity and network traffic. Although this view does not provide a granular drill-down on specific data and activities, it still provides a unified reporting approach.
Logging Options
Both the Panorama virtual appliance and M-Series appliance can collect logs that the managed firewalls forward. You can then Configure Log Forwarding from Panorama to External Destinations (syslog server, email server, or Simple Network Management Protocol [SNMP] trap server). The logging options vary on each Panorama appliance.
The PA-7000 Series firewall can’t forward logs to Panorama, only to external services directly. However, when you monitor logs or generate reports for a device group that includes a PA-7000 Series firewall, Panorama queries the firewall in real time to display its log data.
Panorama Appliance    Logging Options

Virtual appliance     Offers three logging options:
                      1. Use the approximately 11GB of internal storage space allocated for logging as soon as you install the virtual appliance.
                      2. Add a virtual disk. Panorama running on VMware vCloud Air or ESXi 5.5 and later versions can support a virtual disk of up to 8TB. Earlier versions of the ESXi server support a virtual disk of up to 2TB.
                      3. Mount a Network File System (NFS) datastore in which you can configure the storage capacity that is allocated for logging.

M-Series appliance    The default shipping configuration for the M-100 appliance includes two disks with a total of 1TB storage capacity. For the M-500 appliance, the default configuration includes eight disks for 4TB of storage. Both appliances use RAID 1 to protect against disk failures. You can Increase Storage on the M-Series Appliance to 4TB on the M-100 appliance and 8TB on the M-500 appliance. When an M-Series appliance is in Panorama mode, you can enable the RAID disks to serve as the default Log Collector. If an M-Series appliance is in Log Collector mode (Dedicated Log Collector), you use Panorama to assign firewalls to the Dedicated Log Collectors. In a deployment with multiple Dedicated Log Collectors, Panorama queries all managed Log Collectors to generate an aggregated view of traffic and cohesive reports. For easy scaling, begin with a single Panorama and incrementally add Dedicated Log Collectors as your needs expand.
Managed Collectors and Collector Groups
A Log Collector can be local to an M-Series appliance in Panorama mode (default Log Collector) or can be an M-Series appliance in Log Collector mode (Dedicated Log Collector). Because you use Panorama to configure and manage Log Collectors, they are also known as managed collectors. An M-Series appliance in Panorama mode or a Panorama virtual appliance can manage Dedicated Log Collectors. To administer Dedicated Log Collectors using the Panorama web interface, you must add them as managed collectors. Otherwise, administrative access to a Dedicated Log Collector is only available through its CLI using the default administrative user (admin) account. Dedicated Log Collectors do not support additional administrative user accounts.
A Collector Group is 1 to 16 managed collectors that operate as a single logical log collection unit. If the group contains Dedicated Log Collectors, the logs are uniformly distributed across all the disks in each Log Collector and across all members in the Collector Group. This distribution maximizes the use of the available storage space. To manage a Log Collector, you must add it to a Collector Group. If you assign more than one Log Collector to a Collector Group, see Caveats for a Collector Group with Multiple Log Collectors.
The Collector Group configuration specifies which managed firewalls can send logs to the Log Collectors in the group. After you configure the Log Collectors and enable the firewalls to forward logs, each firewall forwards its logs to the assigned Log Collector.
Managed collectors and Collector Groups are integral to a distributed log collection deployment on Panorama. A distributed log collection deployment allows for easy scalability and incremental addition of Dedicated Log Collectors as your logging needs grow. The M-Series appliance in Panorama mode can log to its default Collector Group and then be expanded to a distributed log collection deployment with one or more Collector Groups that include Dedicated Log Collectors.
To configure Log Collectors and Collector Groups, see Manage Log Collection.
Caveats for a Collector Group with Multiple Log Collectors
You can Configure a Collector Group with multiple Log Collectors (up to 16) to ensure log redundancy, increase the log retention period, or accommodate logging rates that exceed the capacity of a single Log Collector (see Panorama Platforms for capacity information). All the Log Collectors in any particular Collector Group must be the same model, such as all M-500 appliances or all M-100 appliances. For example, if a single managed firewall generates 16TB of logs, the Collector Group that receives those logs will require at least four Log Collectors that are M-100 appliances or two Log Collectors that are M-500 appliances.
A Collector Group with multiple Log Collectors uses the available storage space as one logical unit and uniformly distributes the logs across all its Log Collectors. The log distribution is based on the disk capacity of the Log Collectors (1TB to 8TB, depending on the number of disk pairs and the M-Series appliance) and a hash algorithm that dynamically decides which Log Collector owns the logs and writes to disk. Although Panorama uses a preference list to prioritize the list of Log Collectors to which a managed firewall can forward logs, Panorama does not necessarily write the logs to the first Log Collector specified in the preference list. For example, consider the following preference list:
Managed Firewall    Log Forwarding Preference List Defined on a Collector Group
FW1                 L1, L2, L3
FW2                 L4, L5, L6
Using this list, FW1 will forward logs to L1, its primary Log Collector, but the hash algorithm could determine that the logs will be written on L2. If L2 becomes inaccessible or has a chassis failure, FW1 will not know about its failure because it is still able to connect to L1, its primary Log Collector.
In the case where a Collector Group has only one Log Collector and the Log Collector fails, the firewall stores the logs to its HDD/SSD (the available storage space varies by hardware model), and resumes forwarding logs to the Log Collector where it left off before the failure occurred as soon as connectivity is restored.
With multiple Log Collectors in a Collector Group, the firewall does not buffer logs to its local storage when it can connect to its primary Log Collector. Therefore, FW1 will continue sending logs to L1. Because L2 is unavailable, the primary Log Collector L1 buffers the logs to its HDD, which has 10GB of log space. If L2 remains unavailable and the logs pending for L2 exceed 10GB, L1 will overwrite the older log entries to continue logging. In such an event, loss of logs is a risk.
Palo Alto Networks recommends the following mitigations if using multiple Log Collectors in a Collector Group:
Enable log redundancy when you Configure a Collector Group. This ensures that no logs are lost if any one Log Collector in the Collector Group becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector. Log redundancy is available only if each Log Collector in the Collector Group has the same number of logging disks.
Because enabling redundancy creates more logs, this configuration requires more storage capacity. When a Collector Group runs out of space, it deletes older logs. Enabling redundancy doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives.
Obtain an On-Site-Spare (OSS) to enable prompt replacement if a Log Collector failure occurs. In addition to forwarding logs to Panorama, configure forwarding to an external service as backup storage. The external service can be a syslog server, email server, or Simple Network Management Protocol (SNMP) trap server.
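To make the failure scenario above concrete, here is a toy model of hash-based log distribution in a Collector Group, written as an added example and not Palo Alto Networks code. It assumes a firewall talks only to its primary Log Collector (the first entry in its preference list), that a hash of each log picks the owning collector, and that the primary buffers copies for an unreachable owner in a fixed-size buffer (10GB on the page, modelled here as a record count) and overwrites the oldest copy when it is full; `simulate()` replays FW1 forwarding to L1 while L2 is down, with and without log redundancy.

```python
import hashlib

class CollectorGroup:
    # Toy model of a Collector Group (added example, not Palo Alto Networks code).
    def __init__(self, collectors, buffer_limit, redundancy=False):
        self.collectors = list(collectors)
        self.up = {c: True for c in self.collectors}
        self.stored = {c: set() for c in self.collectors}
        self.pending = {c: [] for c in self.collectors}  # per primary: (owner, log_id) copies awaiting a down owner
        self.buffer_limit, self.redundancy = buffer_limit, redundancy

    def owners(self, log_id):
        # a hash picks the owning collector; with redundancy a second copy goes to the next one
        n = len(self.collectors)
        idx = int(hashlib.sha256(log_id.encode()).hexdigest(), 16) % n
        return [self.collectors[(idx + i) % n] for i in range(2 if self.redundancy else 1)]

    def forward(self, primary, log_id):
        # the firewall talks only to its primary and fails only when the primary itself is down
        if not self.up[primary]:
            return False
        for owner in self.owners(log_id):
            if self.up[owner]:
                self.stored[owner].add(log_id)
            else:
                buf = self.pending[primary]
                if len(buf) >= self.buffer_limit:  # buffer full (10GB on the page): oldest copy is overwritten
                    buf.pop(0)
                buf.append((owner, log_id))
        return True

    def recover(self, collector):
        # the collector returns; every primary flushes the copies it buffered for it
        self.up[collector] = True
        for buf in self.pending.values():
            self.stored[collector].update(l for o, l in buf if o == collector)
            buf[:] = [(o, l) for o, l in buf if o != collector]

    def lost(self, log_ids):
        # logs that no reachable collector holds
        return [l for l in log_ids if not any(l in self.stored[c] for c in self.collectors if self.up[c])]

def simulate(redundancy, n_logs=300, buffer_limit=5):
    # FW1 forwards to L1 while L2 is down, then L2 returns: how many logs are gone for good?
    cg = CollectorGroup(["L1", "L2", "L3"], buffer_limit, redundancy)
    cg.up["L2"] = False
    logs = [f"fw1-log-{i}" for i in range(n_logs)]  # constructed sample log ids
    for log_id in logs:
        assert cg.forward("L1", log_id)  # FW1 never notices the failure: L1 is reachable
    cg.recover("L2")
    return len(cg.lost(logs))
```

Without redundancy, every copy evicted from L1's buffer is the only copy, so `simulate(False)` reports losses once the logs hashed to L2 exceed the buffer; with redundancy each log also lands on a reachable collector and `simulate(True)` reports none.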
Centralized Reporting
Panorama aggregates logs from all managed firewalls and enables reporting on the aggregated data for a global view of application use, user activity, and traffic patterns across the entire network infrastructure. As soon as the firewalls are added to Panorama, the ACC can display all traffic traversing your network. With logging enabled, clicking into a log entry in the ACC provides direct access to granular details about the application.
For generating reports, Panorama uses two sources: the local Panorama database and the remote firewalls that it manages. The Panorama database refers to the local storage on Panorama that is allocated for storing both summarized logs and some detailed logs. If you have a distributed log collection deployment, the Panorama database includes the local storage on Panorama and all the managed Log Collectors. Panorama summarizes the information (traffic, application, threat) collected from all managed firewalls at 15-minute intervals. Using the local Panorama database allows for faster response times. However, if you prefer not to forward logs to Panorama, Panorama can directly access the remote firewalls and run reports on data that is stored locally on the managed firewalls.
Panorama offers more than 40 predefined reports that can be used as is, or they can be customized by combining elements of other reports to generate custom reports and report groups that can be saved. Reports can be generated on demand or on a recurring schedule, and can be scheduled for email delivery. These reports provide information on the user and the context so that you can correlate events and identify patterns, trends, and potential areas of interest. With the integrated approach to logging and reporting, the ACC enables correlation of entries from multiple logs relating to the same event.
For more information, see Monitor Network Activity.