: Configure a Managed Collector
Focus
Focus

Configure a Managed Collector

Table of Contents

Configure a Managed Collector

Add a Log Collector to the Panorama™ management server to forward logs from your managed firewalls for centralized monitoring.
To enable the Panorama management server to manage a Log Collector, you must add it as a managed collector. Log Collectors support communication using a public or private IPv4 or IPv6 address only, including when you configure custom certificates for mutual authentication.
You can add two types of managed collectors:
  • Dedicated Log Collector
    —To set up a new M-600, M-500, M-200, M-100 appliance, or Panorama virtual appliance as a Log Collector or switch an existing M-Series appliance or Panorama virtual appliance from Panorama mode to Log Collector mode, see Set Up the M-Series Appliance as a Log Collector. Keep in mind that switching from Panorama Mode to Log Collector Mode removes the local Log Collector that is predefined on the M-Series appliance in Panorama mode.
  • Local Log Collector
    —A Log Collector can run locally on the M-600, M-500, M-200, M-100 appliance, or Panorama virtual appliance in Panorama mode. On the M-Series appliances, the Log Collector is predefined; on the virtual appliance, you must add the Log Collector. When the Panorama management server has a high availability (HA) configuration, each HA peer can have a local Log Collector. However, relative to the primary Panorama, the Log Collector on the secondary Panorama is remote, not local. Therefore, to use the Log Collector on the secondary Panorama, you must manually add it to the primary Panorama (for details, see Deploy Panorama M-Series Appliances with Local Log Collectors or Deploy Panorama Virtual Appliances with Local Log Collectors). If you delete a local Log Collector, you can later add it back. The following steps describe how to add a local Log Collector.
If the Panorama virtual appliance is in Legacy mode, you must switch to Panorama mode to create a Log Collector. For details, see Set Up the Panorama Virtual Appliance with Local Log Collector.
As a best practice, retain a local Log Collector and Collector Group on the Panorama management server, regardless of whether it manages Dedicated Log Collectors.
(
Panorama evaluation only
) If you are evaluating a Panorama virtual appliance with a local Log Collector, Configure Log Forwarding from Panorama to External Destinations to preserve logs generated during your evaluation period.
Logs stored on the local Log Collector cannot be preserved when you Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector.
  1. Record the serial number of the Log Collector.
    You will need this when you add the Log Collector as a managed collector.
    1. Access the Panorama web interface.
    2. Select
      Dashboard
      and record the
      Serial #
      in the General Information section.
  2. Add the Log Collector as a managed collector.
    1. Select
      Panorama
      Managed Collectors
      and
      Add
      a new Log Collector.
    2. In the
      General
      settings, enter the serial number (
      Collector S/N
      ) you recorded for the Log Collector.
    3. Click
      OK
      to save your changes.
    4. Select
      Commit
      Commit to Panorama
      .
  3. (
    Optional
    ) Configure the Log Collector admin authentication.
    1. Select
      Panorama
      Managed Collectors
      and edit the Log Collector by clicking its name.
    2. Configure the Log Collector admin password:
      1. Select the password
        Mode
        .
      2. If you selected
        Password
        mode, enter a plaintext
        Password
        and
        Confirm Password
        . If you selected
        Password Hash
        mode, enter a hashed password string of up to 63 characters.
    3. Configure the admin login security requirements:
      If you set the
      Failed Attempts
      to a value other than 0 but leave the
      Lockout Time
      at 0, then the admin user is indefinitely locked out until another administrator manually unlocks the locked out admin. If no other administrator has been created, you must reconfigure the
      Failed Attempts
      and
      Lockout Time
      settings on Panorama and push the configuration change to the Log Collector. To ensure that an admin is never locked out, use the default 0 value for both
      Failed Attempts
      and
      Lockout Time
      .
      1. Enter the number of login
        Failed Attempts
        value. The range is between the default value
        0
        to the maximum of
        10
        where the value
        0
        specifies unlimited login attempts.
      2. Enter the
        Lockout Time
        value between the default value
        0
        to the maximum of
        60
        minutes.
    4. Click
      OK
      to save your changes.
  4. Enable the logging disks.
    1. Select
      Panorama
      Managed Collectors
      and edit the Log Collector by clicking its name.
      The Log Collector name has the same value as the hostname of the Panorama management server.
    2. Select
      Disks
      and
      Add
      each disk pair.
    3. Click
      OK
      to save your changes.
    4. Select
      Commit
      Commit to Panorama
      .
  5. (
    Optional
    ) If your deployment is using custom certificates for authentication between Panorama and managed devices, deploy the custom client device certificate. For more information, see Set Up Authentication Using Custom Certificates.
    1. Select
      Panorama
      Certificate Management
      Certificate Profile
      and choose the certificate profile from the drop-down or click
      New Certificate Profile
      to create one.
    2. Select
      Panorama
      Managed Collectors
      and
      Add
      a new Log Collector or select an existing one. Select
      Communication
      .
    3. Select the type of device certificate the Type drop-down.
      • If you are using a local device certificate, select the
        Certificate
        and
        Certificate Profile
        from the respective drop-downs.
      • If you are using SCEP as the device certificate, select the
        SCEP Profile
        and
        Certificate Profile
        from the respective drop-downs.
    4. Click
      OK
      .
  6. (
    Optional
    ) Configure
    Secure Server Communication
    on a Log Collector. For more information, see Set Up Authentication Using Custom Certificates.
    1. Select
      Panorama
      Managed Collectors
      and click
      Add
      . Select
      Communication
      .
    2. Verify that the
      Custom Certificate Only
      check box is not selected. This allows you to continue managing all devices while migrating to custom certificates.
      When the Custom Certificate Only check box is selected, the Log Collector does not authenticate and cannot receive logs from devices using predefined certificates.
    3. Select the SSL/TLS service profile from the
      SSL/TLS Service Profile
      drop-down. This SSL/TLS service profile applies to all SSL connections between the Log Collector and devices sending it logs.
    4. Select the certificate profile from the
      Certificate Profile
      drop-down.
    5. Select
      Authorize Client Based on Serial Number
      to have the server check clients against the serial numbers of managed devices. The client certificate must have the special keyword $UDID set as the CN to authorize based on serial numbers.
    6. In
      Disconnect Wait Time (min)
      , enter the number of minutes Panorama should before breaking and reestablishing the connection with its managed devices. This field is blank by default and the range is 0 to 44,640 minutes.
      The disconnect wait time does not begin counting down until you commit the new configuration.
    7. (
      Optional
      ) Configure an authorization list.
      1. Click
        Add
        under Authorization List.
      2. Select the
        Subject
        or
        Subject Alt Name
        as the Identifier type.
      3. Enter an identifier of the selected type.
      4. Click
        OK
        .
      5. Select
        Check Authorization List
        to enforce the authorization list.
    8. Click
      OK
      .
    9. Select
      Commit
      Commit to Panorama
      .
  7. Verify your changes.
    1. Verify that the
      Panorama
      Managed Collectors
      page lists the Log Collector you added. The Connected column displays a check mark to indicate that the Log Collector is connected to Panorama. You might have to wait a few minutes before the page displays the updated connection status.
      Until you Configure a Collector Group and push configuration changes to the Collector Group, the Configuration Status column displays Out of Sync, the Run Time Status column displays disconnected, and the CLI command
      show interface all
      displays the interfaces as
      down
      .
    2. Click
      Statistics
      in the last column to verify that the logging disks are enabled.
  8. Next steps...
    Before a Log Collector can receive firewall logs, you must:
    1. Configure a Collector Group—On the M-Series appliances, a default Collector Group is predefined and already contains the local Log Collector as a member. On the Panorama virtual appliance, you must add the Collector Group and add the local Log Collector as a member. On both models, assign firewalls to the local Log Collector for log forwarding.
      You must add the Log Collector to a Collector Group before it can start ingesting firewall logs.

Recommended For You