Logging Failover on an M-Series Appliance or Panorama Virtual Appliance in Panorama Mode

If you forward firewall logs to the local Log Collectors on an HA pair of M-700 appliances, M-600 appliances, M-500 appliances, M-300 appliances, M-200 appliances, or Panorama virtual appliances in Panorama mode, you specify which firewalls send logs to which Log Collectors when you Configure a Collector Group. You can configure a separate Collector Group for the Log Collector of each Panorama peer or configure a single Collector Group to contain the Log Collectors of both peers. In a Collector Group that contains both local Log Collectors, the log forwarding preference list determines which Log Collector receives logs from firewalls. For all managed firewalls, you have the option to send logs to all the Log Collectors in the Collector Group, in which case Panorama uses round-robin load balancing to select which Log Collector receives the logs at any given moment.
You can enable log redundancy so that each log will have a copy and each copy will reside on a different Log Collector. This redundancy ensures that, if any one Log Collector becomes unavailable, no logs are lost: you can see all the logs forwarded to the Collector Group and run reports for all the log information. Log redundancy is available only if each Log Collector in the Collector Group has the same number of disks.
To utilize log redundancy and ensure logging failover, you must add at least three Log Collectors to a Collector Group to meet the Log Collector n/2+1 quorum requirement introduced in PAN-OS 10.0.
All the Log Collectors for any particular Collector Group must be the same model: all M-200 appliances, all M-300 appliances, all M-500 appliances, all M-600 appliances, all M-700 appliances, or all Panorama virtual appliances in Panorama mode.
Because enabling redundancy creates more logs, this configuration requires more storage capacity. Enabling redundancy doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives. (When a Collector Group runs out of space, it deletes older logs.)
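The constraints above can be checked against a planned Collector Group before it is built. The following is an added example, not Palo Alto Networks code or a Panorama API: it assumes the n/2+1 quorum uses integer division, and the Collector names, disk counts and the 10000 logs/s rate are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Collector:
    name: str    # constructed label, not a real hostname
    model: str   # e.g. "M-600"
    disks: int   # number of logging disks

def quorum(n: int) -> int:
    # Assumption: "n/2+1" is read with integer division (majority quorum).
    return n // 2 + 1

def tolerated_failures(n: int) -> int:
    # Collectors that can be lost while a quorum is still reachable.
    return n - quorum(n)

def check_group(collectors, redundancy: bool, max_rate: float) -> dict:
    if not collectors:
        raise ValueError("a Collector Group needs at least one Log Collector")
    n, findings = len(collectors), []
    if len({c.model for c in collectors}) > 1:
        findings.append("mixed models in one Collector Group")
    if redundancy:
        if len({c.disks for c in collectors}) > 1:
            findings.append("redundancy needs the same number of disks on every Log Collector")
        if n < 3:
            findings.append("redundancy with logging failover needs at least three Log Collectors")
    return {
        "quorum": quorum(n),
        "tolerated_failures": tolerated_failures(n),
        # Redundancy halves the group's maximum logging rate.
        "effective_rate": max_rate / 2 if redundancy else max_rate,
        "findings": findings,
    }

# Constructed sample plans; 10000 logs/s is an illustrative figure only.
HA_PAIR = [Collector("lc-a", "M-600", 12), Collector("lc-b", "M-600", 12)]
THREE_NODE = HA_PAIR + [Collector("lc-c", "M-600", 12)]
UNEVEN = HA_PAIR + [Collector("lc-c", "M-600", 8)]

if __name__ == "__main__":
    for label, plan in (("HA pair", HA_PAIR), ("three nodes", THREE_NODE), ("uneven disks", UNEVEN)):
        print(label, check_group(plan, redundancy=True, max_rate=10000))
```

Under the integer-division assumption, a two-collector group has a quorum of 2 and tolerates no failures, while a three-collector group also has a quorum of 2 and tolerates one, which is consistent with the three-collector minimum stated above.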