Collector Group Configuration
Table of Contents
10.0 (EoL)
Expand all | Collapse all
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Decryption > Forwarding Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
End-of-Life (EoL)
Collector Group Configuration
To configure a Collector Group,
click Add and complete the following fields.
Collector Group Settings | Configured In | Description |
---|---|---|
Name | PanoramaCollector GroupsGeneral | Enter a name to identify this Collector
Group (up to 31 characters). The name is case-sensitive and must be
unique. Use only letters, numbers, spaces, hyphens, and underscores. |
Log Storage | Indicates the total storage quota for firewall
logs that the Collector Group receives and the available space. Click
the storage quota link to set the storage Quota(%) and
expiration period (Max Days) for the following
log types:
To
use the default settings, click Restore Defaults. | |
Min Retention Period (days) | Enter the minimum log retention period in
days (1–2,000) that Panorama maintains across all Log Collectors
in the Collector Group. If the current date minus the date of the
oldest log is less than the defined minimum retention period, Panorama generates
a System log as an alert violation. | |
Collector Group Members | Add the Log Collectors
that will be part of this Collector Group (up to 16). You can add
any of the Log Collectors that are available in the PanoramaManaged Collectors page.
All the Log Collectors for any particular Collector Group must be
the same model: for example, all M-500 appliances or all Panorama
virtual appliances. After you add Log Collectors to
an existing Collector Group, Panorama redistributes its existing logs
across all the Log Collectors, which can take hours for each terabyte
of logs. During the redistribution process, the maximum logging
rate is reduced. In the PanoramaCollector Groups page, the
Log Redistribution State column indicates the completion status
of the process as a percentage. | |
Enable log redundancy across collectors | If you select this option, each log in the
Collector Group will have two copies and each copy will reside on
a different Log Collector. This redundancy ensures that, if any
one Log Collector becomes unavailable, no logs are lost: you can
see all the logs forwarded to the Collector Group and run reports
for all the log data. Log redundancy is available only if the Collector
Group has multiple Log Collectors and each Log Collector has the
same number of disks. Log redundancy applies only to newly ingested
logs after the setting is enabled and not to existing logs. In
the PanoramaCollector
Groups page, the Log Redistribution State
column indicates the completion status of the process as a percentage.
All the Log Collectors for any particular Collector Group must be
the same model: for example, all M-500 appliances or all Panorama
virtual appliances. Because enabling redundancy creates
more logs, this configuration requires more storage capacity. Enabling
redundancy doubles the log processing traffic in a Collector Group,
which reduces its maximum logging rate by half, as each Log Collector
must distribute a copy of each log it receives. (When a Collector
Group runs out of space, it deletes older logs.) | |
Forward to all collectors
in the preference list | (PA-5200 Series and PA-7000 Series firewalls
only) Select to send logs to every Log Collector in the preference
list. Panorama uses round-robin load balancing to select which Log
Collector receives the logs at any given moment. This is disabled
by default: firewalls send logs only to the first Log Collector
in the list unless that Log Collector becomes unavailable (see Devices
/ Collectors). | |
Enable Secure Inter LC Communication | Enables the use of custom certificates for mutual SSL authentication between Log Collectors in a Collector Group. | |
Location | PanoramaCollector GroupsMonitoring | Specify the location of the Collector Group. |
Contact | Specify an email contact (for example, the
email address of the SNMP administrator who will monitor the Log
Collectors). | |
Version | Specify the SNMP version for communication
with the Panorama management server: V2c or V3. SNMP
enables you to collect information about Log Collectors, including
connection status, disk drive statistics, software version, average
CPU usage, average logs/second, and storage duration per log type.
SNMP information is available on a per Collector Group basis. | |
SNMP Community String (V2c only) | Enter the SNMP Community String,
which identifies a community of SNMP managers and monitored devices
(Log Collectors, in this case), and serves as a password to authenticate
the community members to each other. Don’t
use the default community string public; it is well known and therefore
not secure. | |
Views (V3 only) | Add a group of SNMP
views and, in Views, enter a name for the
group. Each view is a paired object identifier (OID) and bitwise
mask: the OID specifies a managed information base (MIB) and the
mask (in hexadecimal format) specifies which SNMP objects are accessible
within (include matching) or outside (exclude matching) that MIB. For
each view in the group, Add the following settings:
| |
Users (V3 only) | Add the following
settings for each SNMP user:
| |
Devices / Collectors | PanoramaCollector GroupsDevice Log Forwarding | The log forwarding preference list controls
which firewalls forward logs to which Log Collectors. For each entry
that you Add to the list, Modify the Devices
list to assign one or more firewalls and Add one
or more Log Collectors in the Collectors list. By default,
the firewalls you assign in a list entry will send logs only to
the primary (first) Log Collector as long as it is available. If
the primary Log Collector fails, the firewalls send logs to the
secondary Log Collector. If the secondary fails, the firewalls send logs
to the tertiary Log Collector, and so on. To change the order, select
a Log Collector and click Move Up or Move
Down. You can override the default log forwarding behavior
for PA-5200 Series and PA-7000 Series firewalls by selecting Forward
to all collectors in the preference list in the General tab. |
System | PanoramaCollector GroupsCollector Log Forwarding | For each type of firewall
log that you want to forward from this Collector Group to external
services, Add one or more match list profiles.
The profiles specify which logs to forward and the destination servers. For
each profile, complete the following:
|
Configuration | ||
HIP Match | ||
Traffic | ||
Threat | ||
URL | ||
Data | ||
WildFire | ||
Correlation | ||
GTP | ||
SCTP | ||
Authentication | ||
User-ID | ||
Tunnel | ||
IP-Tag | ||
Decryption | ||
GlobalProtect | ||
Ingestion Profile | PanoramaCollector GroupsLog Ingestion | Add one or more log
ingestion profiles that allow Panorama to receive logs from the
Traps ESM server. To configure a new log ingestion profile, see Panorama
> Log Ingestion Profile. |