Switch Priority after Panorama Failover to Resume NFS Logging

The Panorama virtual appliance in Legacy mode running on an ESXi server can use an NFS datastore for logging. In an HA configuration, only the primary Panorama peer is mounted to the NFS-based log partition and can write to the NFS. When a failover occurs and the passive Panorama becomes active, its state becomes active-secondary. Although a secondary Panorama peer can actively manage the firewalls, it cannot receive logs or write to the NFS because it does not own the NFS partition. When the firewalls cannot forward logs to the primary Panorama peer, each firewall writes the logs to its local disk. The firewalls maintain a pointer for the last set of log entries that they forwarded to Panorama so that when the passive-primary Panorama becomes available again, they can resume forwarding logs to it.
Use the instructions in this section to manually switch priority on the active-secondary Panorama peer so that it can begin logging to the NFS partition. The typical scenarios in which you might need to trigger this change are as follows:
  • Preemption is disabled. By default, preemption is enabled on Panorama and the primary peer resumes as active when it becomes available again. When preemption is disabled, you need to switch the priority on the secondary peer to primary so that it can mount the NFS partition, receive logs from the managed firewalls, and write to the NFS partition.
  • The active Panorama fails and cannot recover from the failure in the short term. If you do not switch the priority, when the maximum log storage capacity on the firewall is reached, the oldest logs will be overwritten to enable it to continue logging to its local disk. This situation can lead to loss of logs.
  1. Log in to the currently passive-primary Panorama, select Panorama > Setup > Operations and, in the Device Operations section, click Shutdown Panorama.
  2. Log in to the active-secondary Panorama, select Panorama > High Availability, edit the Election Settings, and set the Priority to Primary.
  3. Click OK to save your changes.
  4. Select Commit > Commit to Panorama and Commit your changes.
    Do not reboot when prompted.
  5. Log in to the Panorama CLI and enter the following command to change the ownership of the NFS partition to this peer:
    request high-availability convert-to-primary
  6. Select Panorama > Setup > Operations and, in the Device Operations section, click Reboot Panorama.
  7. Power on the Panorama peer that you powered off in step 1. This peer will now be in a passive-secondary state.
