Configure Panorama in High Availability for Strata Logging Service

Configure Panorama in high availability mode.
Where Can I Use This?
What Do I Need?
  • NGFW (PAN-OS or Panorama Managed)
  • Strata Logging Service
Deploying Panorama appliances in a high availability (HA) configuration provides redundancy in the event of a system or network failure and ensures that you have continuous connectivity to Strata Logging Service. In an HA configuration, one Panorama appliance peer is the active-primary, and the other is the passive-secondary. In the event of a failover, the secondary peer becomes active and takes over sending data to Strata Logging Service.

HA Prerequisites

To simplify the HA setup, configure the Panorama appliances in HA after purchasing Strata Logging Service and associating the serial number of the primary Panorama appliance on which you plan to install the Cloud Services plugin with the Strata Logging Service auth code, but before you activate Strata Logging Service. However, you can also use this process to configure existing Panorama appliances.
Whether you are just getting started with a new pair of Panorama appliances, or you have already set up your standalone Panorama appliance and completed the licensing and installation procedures, make sure to check the prerequisites before you enable HA:
  • You must register the Panorama appliance HA peers to the same customer account on the Customer Support Portal (CSP).
  • The Panorama appliance peers must be of the same form factor (hardware appliances of the same model or identical virtual appliances), must run the same OS version, and must have the same set of licenses.
    Strata Logging Service requires a valid support license.
  • The serial number of the primary Panorama appliance is tied to your Strata Logging Service auth code. If you have installed and set up the plugin on a standalone Panorama appliance, ensure that you use that Panorama appliance as the primary peer. If you need to assign this standalone peer as the secondary Panorama appliance, contact Palo Alto Networks support for assistance with transferring the license to the primary Panorama appliance peer before you continue.

Configure HA

Set up your Panorama appliances in an HA configuration.
  1. Set the primary Panorama appliance as Primary and the secondary Panorama appliance as Secondary, and ensure that the serial number of your primary Panorama appliance is tied to your Strata Logging Service.
    The HA configuration must have Peer HA Serial configured to be able to query logs from Strata Logging Service. Otherwise, you will not be able to view Strata Logging Service logs in Panorama.
  2. Make sure that the primary (active) and secondary (passive) Panorama appliances are synchronized and that the HA link state between them is up.
    1. Access the Dashboard on the primary Panorama appliance and select Widgets > System > High Availability to display the HA widget.
    2. Sync to peer, click Yes, and wait for the Running Config to display Synchronized.
    3. Make sure that the Local peer is active.
    4. Access the Dashboard on the passive Panorama appliance and select Widgets > System > High Availability to display the HA widget.
    5. Verify that the Running Config displays Synchronized.
    6. Make sure that the Local peer is passive.
  3. (Panorama 10.1 or later) Install the device certificate on both Panorama appliances.
  4. (Panorama 10.1 or later) Onboard the primary Panorama to your Strata Logging Service instance.
  5. On the primary Panorama appliance, access the CLI and enter the following operational command:
    tail follow yes mp-log plugin_cloud_services.log
  6. Check that HA is enabled.
    1. Find the following text in the log output, where X is the serial number of the primary Panorama appliance and Y is the serial number of the secondary Panorama appliance:
      2017-11-06 15:14:07.790 -0800 INFO: [hainfo] Sending update to CSP for HA peer serial information to https://updates.paloaltonetworks.com/licensesvc/licenseservice.asmx/PanoramaHAInfo
      2017-11-06 15:14:07.791 -0800 INFO: [hainfo] Data string is primarypanoramasn=X&secondarypanoramasn=Y
      2017-11-06 15:14:17.595 -0800 INFO: [hainfo] HTTP_CODE 200, RESPONSE: <?xml version="1.0" encoding="utf-8"?>
      <PanoramaHA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.paloaltonetworks.com/">
      <success>true</success>
      </PanoramaHA>
      2017-11-06 15:14:17.596 -0800 INFO: [hainfo] Cached HA Peer's serial number Y
    2. Log in to the Customer Support Portal (CSP) and select Assets > Cloud Services to verify that both Panorama peers are tied to your Strata Logging Service license.
    3. Check the fields for the primary and secondary Panorama appliance.
      The Auth Code, Model Name, License Description, and Expiration Date fields should be the same for the primary and secondary Panorama appliance, because Palo Alto Networks has associated the Strata Logging Service license automatically to the secondary Panorama appliance.
  7. Commit your changes on the primary and secondary Panorama appliance.
    1. Commit > Commit and Push your changes.
    2. Click OK and Push.
  8. Verify that the primary and secondary Panorama appliances are still in a synchronized state.
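
The log check in step 6 can be automated against a saved copy of the plugin_cloud_services.log output. The following is an added example, not part of the original documentation; the function name, the sample serial numbers, and the assumption that the output was saved as text are illustrative.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the format shown in step 6; serial numbers are placeholders.
SAMPLE_LOG = """\
2017-11-06 15:14:07.790 -0800 INFO: [hainfo] Sending update to CSP for HA peer serial information to https://updates.paloaltonetworks.com/licensesvc/licenseservice.asmx/PanoramaHAInfo
2017-11-06 15:14:07.791 -0800 INFO: [hainfo] Data string is primarypanoramasn=000000000001&secondarypanoramasn=000000000002
2017-11-06 15:14:17.595 -0800 INFO: [hainfo] HTTP_CODE 200, RESPONSE: <?xml version="1.0" encoding="utf-8"?>
<PanoramaHA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.paloaltonetworks.com/">
<success>true</success>
</PanoramaHA>
2017-11-06 15:14:17.596 -0800 INFO: [hainfo] Cached HA Peer's serial number 000000000002
"""

DATA_RE = re.compile(r"\[hainfo\] Data string is primarypanoramasn=(\S*?)\s*&secondarypanoramasn=(\S+)")
RESP_RE = re.compile(
    r"\[hainfo\] HTTP_CODE (\d+), RESPONSE:\s*(?:<\?xml[^>]*\?>)?\s*(<PanoramaHA\b.*?</PanoramaHA>)", re.S)
CACHE_RE = re.compile(r"\[hainfo\] Cached HA Peer's serial number\s+(\S+)")

def check_ha_registration(log_text, primary_sn, secondary_sn):
    """Return a list of problems; an empty list means the HA update looks complete."""
    problems = []
    data = DATA_RE.search(log_text)
    if not data:
        problems.append("no [hainfo] data string found")
    elif (data.group(1), data.group(2)) != (primary_sn, secondary_sn):
        problems.append("serials sent to CSP do not match the expected primary/secondary")
    resp = RESP_RE.search(log_text)
    if not resp:
        problems.append("no CSP response logged")
    else:
        try:
            root = ET.fromstring(resp.group(2))
            # The response uses a default namespace, so compare local tag names.
            success = next((el.text for el in root.iter()
                            if el.tag.rsplit("}", 1)[-1] == "success"), None)
        except ET.ParseError:
            success = None
        if resp.group(1) != "200" or (success or "").strip().lower() != "true":
            problems.append(f"CSP update failed: HTTP {resp.group(1)}, success={success}")
    cached = CACHE_RE.search(log_text)
    if not cached or cached.group(1) != secondary_sn:
        problems.append("peer serial was not cached as the secondary")
    return problems
```

An empty result corresponds to the three conditions the step describes: the expected serial pair was sent, the CSP answered HTTP 200 with success set to true, and the secondary serial was cached.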
