Configure Panorama in High Availability for Cortex Data Lake
Deploying Panorama appliances in a high availability (HA) configuration provides redundancy in the event of a system or network failure and ensures that you have continuous connectivity to Cortex Data Lake. In an HA configuration, one Panorama appliance peer is the active-primary, and the other is the passive-secondary. In the event of a failover, the secondary peer becomes active and takes over sending data to Cortex Data Lake.
To simplify the HA setup, configure the Panorama appliances in HA after you purchase Cortex Data Lake and associate the serial number of the primary Panorama appliance (the one on which you plan to install the Cloud Services plugin) with the Cortex Data Lake auth code, but before you activate Cortex Data Lake. However, you can also use this process to configure existing Panorama appliances.
Whether you are just getting started with a new pair of Panorama appliances, or you have already set up your standalone Panorama appliance and completed the licensing and installation procedures, make sure to check the prerequisites before you enable HA:
- The Panorama appliance peers must be of the same form factor (hardware appliances of the same model or identical virtual appliances) and same OS version and must have the same set of licenses. Cortex Data Lake requires a valid support license.
- The serial number of the primary Panorama appliance is tied to your Cortex Data Lake auth code. If you have installed and set up the plugin on a standalone Panorama appliance, ensure that you use that Panorama appliance as the primary peer. If you need to assign this standalone peer as the secondary Panorama appliance, contact Palo Alto Networks support for assistance with transferring the license to the primary Panorama appliance peer before you continue.
Set up your Panorama appliances in an HA configuration.
- Set the primary Panorama appliance as Primary and the secondary Panorama appliance as Secondary, and ensure that the serial number of your primary Panorama appliance is tied to your Cortex Data Lake. The HA configuration must have Peer HA Serial configured to be able to query logs from Cortex Data Lake. Otherwise, you will not be able to view Cortex Data Lake logs in Panorama.
- Make sure that the primary (active) and secondary (passive) Panorama appliances are synchronized and that the HA link state between them is up.
- Access the Dashboard on the primary Panorama appliance and select Widgets > System > High Availability to display the HA widget.
- Click Sync to peer, click Yes, and wait for the Running Config to display Synchronized.
- Make sure that the Local peer is active.
- Access the Dashboard on the passive Panorama appliance and select Widgets > System > High Availability to display the HA widget.
- Verify that the Running Config displays Synchronized.
- Make sure that the Local peer is passive.
- (Panorama 10.1 or later) Install the device certificate on both Panorama appliances.
- (Panorama 10.1 or later) Onboard the primary Panorama to your Cortex Data Lake instance.
- On the primary Panorama appliance, access the CLI and enter the following operational command:
  tail follow yes mp-log plugin_cloud_services.log
- Check that HA is enabled.
- Find the following text in the log output, where X is the serial number of the primary Panorama appliance and Y is the serial number of the secondary Panorama appliance:
  2017-11-06 15:14:07.790 -0800 INFO: [hainfo] Sending update to CSP for HA peer serial information to https://updates.paloaltonetworks.com/licensesvc/licenseservice.asmx/PanoramaHAInfo
  2017-11-06 15:14:07.791 -0800 INFO: [hainfo] Data string is primarypanoramasn=X &secondarypanoramasn=Y
  2017-11-06 15:14:17.595 -0800 INFO: [hainfo] HTTP_CODE 200, RESPONSE: <?xml version="1.0" encoding="utf-8"?> <PanoramaHA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.paloaltonetworks.com/"> <success>true</success> </PanoramaHA>
  2017-11-06 15:14:17.596 -0800 INFO: [hainfo] Cached HA Peer's serial number Y
- Log in to the Customer Support Portal (CSP) and select Assets > Cloud Services to verify that both Panorama peers are tied to your Cortex Data Lake license.
- Check the fields for the primary and secondary Panorama appliance. The Auth Code, Model Name, License Description, and Expiration Date fields should be the same for the primary and secondary Panorama appliance, because Palo Alto Networks has associated the Cortex Data Lake license automatically to the secondary Panorama appliance.
- Commit your changes on the primary and secondary Panorama appliance.
- Select Commit > Commit and Push your changes.
- Verify that the primary and secondary Panorama appliances are still in a synchronized state.
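The [hainfo] log check in the steps above can be automated once the CLI output has been saved as text. The following is an added example, not Palo Alto Networks code: the function name, the serial numbers and the sample log are constructed for illustration, and it assumes the log lines have the shape shown on this page.

```python
import re

# Constructed sample of plugin_cloud_services.log output; serials are placeholders.
SAMPLE_LOG = """\
2017-11-06 15:14:07.790 -0800 INFO: [hainfo] Sending update to CSP for HA peer serial information to https://updates.paloaltonetworks.com/licensesvc/licenseservice.asmx/PanoramaHAInfo
2017-11-06 15:14:07.791 -0800 INFO: [hainfo] Data string is primarypanoramasn=000000000001&secondarypanoramasn=000000000002
2017-11-06 15:14:17.595 -0800 INFO: [hainfo] HTTP_CODE 200, RESPONSE: <?xml version="1.0" encoding="utf-8"?> <PanoramaHA xmlns="http://www.paloaltonetworks.com/"> <success>true</success> </PanoramaHA>
2017-11-06 15:14:17.596 -0800 INFO: [hainfo] Cached HA Peer's serial number 000000000002
"""

# The optional whitespace before '&' tolerates the spacing shown in the page's log excerpt.
DATA_RE = re.compile(
    r"\[hainfo\] Data string is primarypanoramasn=(\S+?)\s*&secondarypanoramasn=(\S+)")
HTTP_RE = re.compile(r"\[hainfo\] HTTP_CODE (\d+), RESPONSE:")
SUCCESS_RE = re.compile(r"<success>\s*(\w+)\s*</success>")
CACHED_RE = re.compile(r"\[hainfo\] Cached HA Peer's serial number (\S+)")


def check_ha_registration(log_text, primary_sn, secondary_sn):
    """Return a list of problems in the most recent [hainfo] exchange (empty = OK)."""
    requests = list(DATA_RE.finditer(log_text))
    if not requests:
        return ["no [hainfo] data string: HA peer serials were never sent"]
    last = requests[-1]              # only the latest update matters
    tail = log_text[last.end():]     # the response follows the request
    problems = []
    if last.group(1) != primary_sn:
        problems.append(f"primary serial sent was {last.group(1)}, expected {primary_sn}")
    if last.group(2) != secondary_sn:
        problems.append(f"secondary serial sent was {last.group(2)}, expected {secondary_sn}")
    http = HTTP_RE.search(tail)
    if not http or http.group(1) != "200":
        problems.append("licensing service did not answer with HTTP_CODE 200")
    ok = SUCCESS_RE.search(tail)
    if not ok or ok.group(1).lower() != "true":
        problems.append("response does not contain <success>true</success>")
    cached = CACHED_RE.search(tail)
    if not cached or cached.group(1) != secondary_sn:
        problems.append("secondary serial was not cached as the HA peer")
    return problems


if __name__ == "__main__":
    print(check_ha_registration(SAMPLE_LOG, "000000000001", "000000000002") or "HA info OK")
```

A primary serial that does not match the one tied to the auth code shows up here as a mismatch in the data string, which is the condition the prerequisites describe.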