Palo Alto – Log Forwarding Cards

If you operate Palo Alto Networks firewalls, are you taking full advantage of the critical log data they generate? Palo Alto's flexible log-forwarding architecture makes it easy to get firewall logs into your SIEM, analytics tools, and long-term storage. This post explores the key benefits of deploying Log Forwarding Cards (LFCs).

Centralized Logging and Analysis

A core benefit of Log Forwarding Cards is easy centralization. You can direct logs from all your distributed Palo Alto firewalls into a SIEM platform such as Splunk or IBM QRadar. This consolidates logs in one place for correlation, monitoring, and reporting. Security analytics software can then parse the standardized log data to detect anomalies, identify threats, and speed up investigations.
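To make the "parse the standardized log data" step concrete, here is an added example of what the receiving side of that pipeline looks like. It is not code from this post or from Palo Alto Networks. It parses a handful of constructed, PAN-OS-style CSV syslog lines, rejects lines that do not match the expected schema instead of guessing, and summarizes them by log type, threat severity, and sources with repeated deny actions. The field layout in `FIELDS`, the sample lines, and the `DENY_ACTIONS` set are all assumptions made for the example; a real deployment must use the field order documented for its PAN-OS version and log type, which is longer and differs between TRAFFIC and THREAT logs.

```python
"""Parse forwarded PAN-OS-style CSV syslog lines and summarize them.

Added example, not code from the post or from Palo Alto Networks.
The field layout and sample lines are constructed and simplified.
"""
import csv
import re
from collections import Counter

# Assumed, simplified field layout (not the official PAN-OS schema).
FIELDS = [
    "receive_time", "serial", "type", "subtype", "src", "dst",
    "rule", "app", "src_zone", "dst_zone", "action", "sport", "dport",
    "severity",
]

# Actions treated as a block for the noisy-source summary (assumption).
DENY_ACTIONS = {"deny", "drop", "reset-both", "reset-client", "reset-server"}

# Constructed sample lines as a SIEM might receive them over syslog.
SAMPLE_LINES = [
    "<14>Jan 10 10:00:01 fw-edge-1 2024/01/10 10:00:01,001234567890,TRAFFIC,end,"
    "10.0.1.5,203.0.113.9,allow-web,web-browsing,trust,untrust,allow,51000,443,informational",
    "<14>Jan 10 10:00:02 fw-edge-1 2024/01/10 10:00:02,001234567890,TRAFFIC,end,"
    "10.0.1.7,203.0.113.20,allow-web,ssl,trust,untrust,allow,51001,443,informational",
    "<14>Jan 10 10:00:05 fw-edge-2 2024/01/10 10:00:05,001234567891,TRAFFIC,drop,"
    "198.51.100.77,10.0.1.5,deny-inbound,not-applicable,untrust,trust,deny,40001,22,informational",
    "<14>Jan 10 10:00:06 fw-edge-2 2024/01/10 10:00:06,001234567891,TRAFFIC,drop,"
    "198.51.100.77,10.0.1.5,deny-inbound,not-applicable,untrust,trust,deny,40002,23,informational",
    "<14>Jan 10 10:00:07 fw-edge-2 2024/01/10 10:00:07,001234567891,TRAFFIC,drop,"
    "198.51.100.77,10.0.1.5,deny-inbound,not-applicable,untrust,trust,deny,40003,3389,informational",
    "<14>Jan 10 10:00:09 fw-edge-2 2024/01/10 10:00:09,001234567891,THREAT,vulnerability,"
    "198.51.100.77,10.0.1.5,allow-web,web-browsing,untrust,trust,reset-both,40010,80,critical",
    # Malformed line: too few fields, must be counted rather than mis-parsed.
    "<14>Jan 10 10:00:10 fw-edge-2 2024/01/10 10:00:10,001234567891,SYSTEM,general",
]

# RFC 3164-style header: <PRI>Mon DD HH:MM:SS host message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict for one syslog line, or None if it does not fit the schema."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    # csv handles quoted fields (e.g. rule names containing commas) correctly,
    # which a naive str.split(",") would not.
    values = next(csv.reader([m.group("msg")]))
    if len(values) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, values))
    rec["host"] = m.group("host")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_lines(lines):
    """Parse all lines; return (records, number_of_rejected_lines)."""
    records, rejected = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected += 1
        else:
            records.append(rec)
    return records, rejected


def summarize(records):
    """Counts by log type, threat severity, and deny actions per source."""
    return {
        "by_type": dict(Counter(r["type"] for r in records)),
        "threats_by_severity": dict(
            Counter(r["severity"] for r in records if r["type"] == "THREAT")
        ),
        "denies_by_src": dict(
            Counter(r["src"] for r in records if r["action"] in DENY_ACTIONS)
        ),
    }


def noisy_sources(records, threshold):
    """Sources with at least `threshold` deny actions, for analyst review."""
    counts = summarize(records)["denies_by_src"]
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    recs, bad = parse_lines(SAMPLE_LINES)
    print(f"parsed {len(recs)} records, rejected {bad}")
    print(summarize(recs))
    print("sources to review:", noisy_sources(recs, threshold=3))
```

The schema check is the part worth keeping: when a PAN-OS upgrade changes the number of fields, a parser that silently zips values onto the wrong names produces confident but wrong dashboards, whereas counting rejected lines makes the change visible immediately.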

No Need for TAPs

Palo Alto firewalls forward logs directly from the data plane where traffic is processed. This avoids the need for dedicated TAPs (test access points) to copy production traffic solely for logging purposes. TAPs add cost and infrastructure complexity. Data plane logging provides complete traffic visibility without loss risks from mirrored traffic.

Better Threat Intelligence

Enable forwarding of WildFire threat analysis logs to get granular forensics on malware, including C2 calls, exploited vulnerabilities, evasion techniques, and more. This enhances threat intel to improve prevention.

Faster Incident Response

Security analysts no longer need to collect logs manually from multiple firewalls during investigations. Automated forwarding to your SIEM means the logs are already centralized, allowing faster incident response.

Regulatory Compliance

Centralized logging enables log retention and auditing needed for regulatory compliance. All firewall activity is preserved in long-term storage for forensics.

Increased Uptime

Forwarding logs offloads storage from your firewalls, preventing full log disks from degrading performance. It also avoids manual log rotation.

Template-Driven Deployment

Log forwarding cards support cloning and templates, enabling automated, consistent policy deployment across your firewall fleet.

The LFC for Scalable Log Forwarding

The PA-7000 Series firewalls support optional Log Forwarding Cards (LFCs) with 40 Gbps throughput for high-volume log collection. The LFC offloads log handling from the firewall, reduces the risk of log loss, and improves log management efficiency. Logs can be forwarded in real-time or batch mode.

Platforms that Support LFCs

Here are the Palo Alto Networks firewall models that support Log Forwarding Cards (LFCs):

  • PA-7050 – Supports up to 4 LFCs
  • PA-7080 – Supports up to 4 LFCs
  • PA-7000 Series ML Powered Models:
    • PA-7030 – Supports up to 2 LFCs
    • PA-7050 ML – Supports up to 4 LFCs
    • PA-7080 ML – Supports up to 4 LFCs

In summary, the high-end PA-7000 Series firewalls (the PA-7050, the PA-7080, and the ML-powered models in this series) all support optional LFCs to provide dedicated, high-throughput log forwarding capabilities.

The lower-end PA-7000 models like the PA-700, PA-7020, and PA-7030 do not support LFCs.

Outside of the PA-7000 Series, no other Palo Alto firewalls currently support LFCs. The 4000 Series, 5000 Series, 900 Series, etc., do not have slots to add LFCs, so log forwarding on those platforms is handled by built-in software capabilities.