Palo Alto - Panorama logs, log queue - LPS support

@Reaper Hello Reaper, thanks for your answer, some questions, when you say "If the flood lasts for a longer time, firewalls will eventually reach their maximum capacity of log retention (same as all the other logs they are able to store locally" this means For example, one of the firewalls, if it cannot forward the logs to Panorama, because Panorama is already at that moment saturated and exceeded its LPS, will it start saving the logs on its local disk? or a local buffer? And when it can, it will forward them a Panorama Let's say that if it is a 3200 computer that has a 240 SSD disk, then when that capacity is exceeded, only then will it begin to discard and delete the logs?

Once you reach the outer limits of what panorama can handle, it becomes a bit of a race condition. Once the ingestion buffers get flooded, panorama will throttle the firewalls The firewalls in turn will "fifo" logs (all forwarded logs are marked with a serial number) out to panorama at the available rate, any "overflow" will fill a backlog on the firewall If the "burst" on panorama is short, logs will simply be delayed and catch up after the rush dies down If the flood lasts for a longer time, firewalls will eventually reach their maximum capacity of log retention (same as all the other logs they are able to store locally, the firewall simply "remembers" the serial numbers it already forwarded and will continue with the next available oldest serial) and start purging older logs that have not been forwarded, deleting them.permanently