End-of-Life (EoL)

Extended Support for Multiple Panorama Interfaces

To accommodate network segmentation and security requirements in a large-scale deployment, you can now separate the Panorama management functions from the device management and log collection functions by assigning them to separate interfaces on the M-500 and M-100 appliances. To minimize bandwidth competition that can impede the performance of Panorama, you can implement load balancing for device management and log collection by using multiple interfaces for those functions. You can further reduce the traffic load on the management (MGT) interface by selecting some other interface for deploying software and content updates to firewalls and Log Collectors. Additional interfaces on the M-100 appliance (Ethernet3) and M-500 appliance (Ethernet3, Ethernet4, and Ethernet5) are available to support multiple interfaces.
Perform the following steps to configure multiple interfaces on a high availability (HA) pair of Panorama management servers and on Dedicated Log Collectors.
  1. Configure the interfaces on the active Panorama management server. Select Panorama > Setup > Interfaces and edit each interface.
    In an environment with high logging rates, you can assign the Device Management and Device Log Collection function to the Ethernet4 and Ethernet5 interfaces on the M-500 appliance for 10Gbps throughput. The other interfaces on the M-500 and M-100 appliances support only 1Gbps.
  2. Configure each Log Collector to connect with a Panorama interface that has Device Management and Device Log Collection enabled. On the active Panorama, select Panorama > Managed Collectors, edit the Log Collector, and enter the IP addresses of interfaces on the:
    • Active Panorama (Panorama Server IP)
    • Passive Panorama (Panorama Server IP 2)
    To support a segmented network, you can connect the Log Collectors in each subnetwork to separate Panorama interfaces on each HA peer.
  3. Enable connectivity between the Panorama management servers and Log Collectors. Access each Log Collector CLI and run the following commands, where <IPaddress1> is for the active Panorama and <IPaddress2> is for the passive Panorama. The IP addresses must be the same as those you configured in the previous step.
    > configure
    # set deviceconfig system panorama-server <IPaddress1> panorama-server-2 <IPaddress2>
    # commit
  4. Configure an interface on the passive Panorama management server to deploy updates in case the active Panorama fails over. On the passive Panorama, select Panorama > Setup > Interfaces, edit the interface, and select Device Deployment.
  5. Configure the interfaces that the Log Collectors will use to collect logs from firewalls and communicate with other Log Collectors. On the active Panorama, select Panorama > Managed Collectors, edit the Log Collector, assign the Device Log Collection function to one or more interfaces, and assign the Collector Group Communication function to one interface.
    In an environment with high logging rates, you can assign the Device Log Collection function to the Ethernet4 and Ethernet5 interfaces on the M-500 appliance for 10Gbps throughput.
  6. On the active Panorama, select Commit > Commit and Push to activate your changes on Panorama and push the changes to Collector Groups.
  7. Configure each firewall to connect with a Panorama interface that has Device Management and Device Log Collection enabled. On the active Panorama, select Device > Setup > Management, select the Template that the firewalls are assigned to, edit the Panorama Settings, and enter the IP addresses of interfaces on the:
    • Active Panorama (first Panorama Servers field)
    • Passive Panorama (second Panorama Servers field)
    To support a segmented network, you can connect the firewalls in each subnetwork to separate Panorama interfaces on each HA peer.
  8. On the active Panorama, select Commit > Commit and Push to activate your changes on Panorama and push the template changes to firewalls.
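
A consistency check for steps 2 to 5 of the procedure above, run over a planned configuration before committing. This is an added example, not part of the original page or of Palo Alto Networks' tooling; the plan layout, key names, the collector name lc-1 and the addresses are hypothetical and constructed for illustration.

```python
import ipaddress

MGMT = "Device Management and Device Log Collection"

# Constructed plan (documentation-range addresses), not taken from a real deployment.
PLAN = {
    "active": {"Ethernet4": {"ip": "192.0.2.10", "functions": [MGMT]}},
    "passive": {"Ethernet4": {"ip": "192.0.2.20", "functions": [MGMT]},
                "Ethernet3": {"ip": "192.0.2.21", "functions": ["Device Deployment"]}},
    "log_collectors": [{
        "name": "lc-1",
        "server_ip": "192.0.2.10", "server_ip_2": "192.0.2.20",    # step 2 (web UI)
        "cli_server": "192.0.2.10", "cli_server_2": "192.0.2.20",  # step 3 (CLI)
        "interfaces": {"Ethernet4": ["Device Log Collection"],
                       "Ethernet5": ["Device Log Collection"],
                       "Ethernet1": ["Collector Group Communication"]},
    }],
}

def same_ip(a, b):
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)

def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    # Step 4: the passive peer needs an interface that can deploy updates after failover.
    if not any("Device Deployment" in i["functions"] for i in plan["passive"].values()):
        findings.append("passive: no interface has Device Deployment")
    for lc in plan["log_collectors"]:
        for role, ui, cli in (("active", "server_ip", "cli_server"),
                              ("passive", "server_ip_2", "cli_server_2")):
            # Step 3: the CLI value must equal the address entered in step 2.
            if not same_ip(lc[ui], lc[cli]):
                findings.append(f"{lc['name']}: {role} CLI address differs from web UI")
            # Step 2: the address must be a Panorama interface with the function enabled.
            if not any(same_ip(i["ip"], lc[ui]) and MGMT in i["functions"]
                       for i in plan[role].values()):
                findings.append(f"{lc['name']}: {lc[ui]} lacks {MGMT} on {role}")
        # Step 5: log collection on one or more interfaces, group communication on exactly one.
        funcs = [f for fs in lc["interfaces"].values() for f in fs]
        if funcs.count("Device Log Collection") < 1:
            findings.append(f"{lc['name']}: no Device Log Collection interface")
        if funcs.count("Collector Group Communication") != 1:
            findings.append(f"{lc['name']}: Collector Group Communication must be on one interface")
    return findings

if __name__ == "__main__":
    for finding in check_plan(PLAN) or ["plan is consistent"]:
        print(finding)
```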
