Palo Alto 7050 is unique, syslog comes from at least two different IP addresses. One sends the messages we use to detect change and the other one sends traffic logs. The one that sends traffic logs is controlled by the Log Processing Card or LPC.
For this to work correctly both IPs that send syslog need to be created as Central Syslog Servers.
In each device's properties, only one central syslog server can be set. This doesn't mean that only messages from that one central syslog server will be matched for this device.
In order to have two central syslog servers active for each physical or vsys device in the 7050, set one central syslog server for all but one of the devices then set the second central syslog server for the last one.
This will cause the DC to look for both central syslog server IPs and match them to all the devices by serial number and vsys name (if vsys enabled).
More Information about Configuring the Log Port on a PA-7050 (See page 40 - Configure a Log Port for Log Forwarding):
If each VSYS has it's own log sub-interface then set that as the Central syslog server for each VSYS. The IP that change logs will come from needs to be set as the Central Syslog Server for a least one VSYS as well. If there are no virtual systems without traffic then a dummy device can be created that has the change log Central Syslog Server IP set.
More Information about Configuring the Log Port on a PA-7050 for Multiple Virtual Systems:
Comments
0 comments
Article is closed for comments.