To enable the Panorama management server (Panorama virtual appliance or M-Series appliance in Panorama mode) to manage a Log Collector, you must add it as a managed collector. The M-Series appliance in Panorama mode has a predefined (default) local Log Collector. However, switching from Panorama Mode to Log Collector Mode would remove the local Log Collector and would require you to re-configure the appliance as a Dedicated Log Collector (M-Series appliance in Log Collector mode). When the Panorama management server has a high availability (HA) configuration, each HA peer can have a local Log Collector. Dedicated Log Collectors don’t support HA.
As a best practice, install the same Applications update on Panorama as on managed Collectors and firewalls. For details, see Panorama, Log Collector, and Firewall Version Compatibility. Palo Alto Networks recommends retaining a local Log Collector and local Collector Group on the M-Series appliance in Panorama mode, regardless of whether it manages Dedicated Log Collectors.
Configure a Managed Collector
Perform initial setup of the M-Series appliance in Log Collector mode if you haven’t already.
Only Dedicated Log Collectors require this step.
  1. Rack mount the M-Series appliance. Refer to the M-100 or M-500 Hardware Reference Guide for instructions.
  2. Perform Initial Configuration of the M-Series Appliance. When configuring interfaces, configure only the Management (MGT) interface. When you switch to Log Collector mode later in this procedure, the mode change removes any Eth1 and Eth2 interface configurations. If the Log Collector will use Eth1 and Eth2, add them when configuring the Log Collector later in this procedure.
  3. Register Panorama and Install Licenses.
  4. Install Content and Software Updates for Panorama.
  5. Configure each array. This task is required to make the RAID disks available for logging.
  6. Optionally, you can add disks to Increase Storage on the M-Series Appliance.
Switch from Panorama mode to Log Collector mode.
Switching to Log Collector mode reboots the appliance, deletes any existing log data, and deletes all configurations except management access settings. Switching the mode does not delete licenses, software updates, or content updates.
  1. Access the CLI of the M-Series appliance.
  2. Enter the following command to switch to Log Collector mode:
       > request system system-mode logger
  3. Enter Y to confirm the mode change. The M-Series appliance reboots. If the reboot process terminates your terminal emulation software session, reconnect to the M-Series appliance to display the Panorama login prompt. If you see a CMS Login prompt, press Enter without typing a username or password.
  4. Log back in to the CLI.
  5. Enter the following command to verify that the switch to Log Collector mode succeeded:
       > show system info | match system-mode
     If the mode change succeeded, the output displays:
       system-mode: logger
Enable connectivity among the M-Series appliances.
These steps vary by Log Collector type. For HA deployments, <IPaddress1> and <IPaddress2> are for the management interface of the primary and secondary Panorama management server respectively. For non-HA deployments, specify only <IPaddress1>.
  Dedicated Log Collectors: Run the following commands at the CLI of each Log Collector:
       > configure
       # set deviceconfig system panorama-server <IPaddress1> panorama-server-2 <IPaddress2>
       # commit
  Local Log Collectors: These steps are required only for an HA deployment:
    1. Log in to the CLI of the primary Panorama and enter:
       > configure
       # set deviceconfig system panorama-server <IPaddress2>
       # commit
    2. Log in to the CLI of the secondary Panorama and enter:
       > configure
       # set deviceconfig system panorama-server <IPaddress1>
       # commit
Record the serial number of the Log Collector.
You will need this when you add the Log Collector as a managed collector. The steps to display the serial number vary by Log Collector type:
  Local: Access the Panorama web interface and record the value on the Dashboard tab, General Information section, Serial # field. In an HA deployment, record the Serial # of each Panorama peer on which you will configure a Log Collector.
  Dedicated: Access the Log Collector CLI, run the show system info command, and record the serial number.
Configure the general settings of the Log Collector.
Use the web interface of the primary Panorama management server to perform these steps:
  1. Select Panorama > Managed Collectors and Add a new Log Collector or edit the predefined local Log Collector (named default). Although the secondary Panorama HA peer has a predefined local Log Collector, you must manually add it on the primary Panorama.
  2. In the General tab, Collector S/N field, enter the serial number you recorded for the Log Collector.
Configure network access for the Log Collector.
Perform this step only for a Dedicated Log Collector or a local Log Collector on the secondary Panorama HA peer. Although you defined similar parameters during initial configuration of the Panorama management server, you must re-define the parameters for the Log Collector.
  1. In the Panorama Server IP field, enter the IP address or FQDN of the solitary (non-HA) or primary (HA) Panorama. For an HA deployment, enter the IP address or FQDN of the secondary Panorama peer in the Panorama Server IP 2 field. These fields are required.
  2. Configure the IP addresses of the Primary DNS Server and Secondary DNS Server.
  3. (Optional) Set the Timezone that Panorama will use to record log entries.
Configure administrative access to the Log Collector CLI.
Only Dedicated Log Collectors require this step. The default CLI administrator is admin. You cannot modify this username or add CLI administrators.
  1. Select the Authentication tab, select the password Mode, and enter the Password (the default is admin).
  2. Enter the number of Failed Attempts to log in that Panorama allows before locking out the administrator.
  3. Enter the Lockout Time in minutes.
These settings can help protect the Log Collector from a brute force attack.
Configure the Log Collector interfaces.
Perform this step only for a Dedicated Log Collector or a local Log Collector on the secondary Panorama HA peer. The Eth1 or Eth2 interfaces are available only if you defined them during initial configuration of the Panorama management server.
  1. Configure each interface that the Log Collector will use. Only the Management interface is required. For each interface, select the corresponding tab and configure one or both of the following field sets based on the IP protocols of your network.
       IPv4: IP Address, Netmask, and Default Gateway
       IPv6: IPv6 Address/Prefix Length and Default IPv6 Gateway
  2. (Optional) In the Management tab, select the SNMP service if you will use SNMP to monitor the Log Collector. Using SNMP requires additional steps besides configuring the Log Collector. For details, see Monitor Panorama and Log Collector Statistics Using SNMP.
  3. Click OK and Commit, set the Commit Type to Panorama, and click Commit again. This step is required before you can enable logging disks or assign the Eth1 and Eth2 interfaces to logging functions.
  4. (Optional) Edit the Log Collector and select the interfaces (mgmt, eth1, or eth2) that it will use for Device Log Collection and Collector Group Communication (default is mgmt).
Enable the logging disks.
  1. Select Disks and Add each disk pair.
  2. Click OK and Commit, for the Commit Type select Panorama, and click Commit again.
Verify your changes.
  1. Verify that the Panorama > Managed Collectors page lists the Log Collector you added. The Connected column displays a check mark to indicate that the Log Collector is connected to Panorama. You might have to wait a few minutes before the page displays the updated connection status. Until you Configure a Collector Group and perform a Collector Group commit, the Configuration Status column displays Out of Sync, the Run Time Status column displays disconnected, and the CLI command show interface all displays the interfaces as down.
  2. Click Statistics in the last column to verify that the logging disks are enabled.
Next steps...
Before a Log Collector can receive firewall logs, you must:
  1. Configure Log Forwarding to Panorama.
  2. Configure a Collector Group. The predefined local Log Collector is preassigned to a predefined Collector Group.
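
A pre-registration check for the procedure above, added here as an example and not part of the Palo Alto Networks documentation: it parses saved show system info output to confirm that a Dedicated Log Collector reports system-mode: logger, extracts the serial number for the Collector S/N field, and compares the Applications update with Panorama's. The sample output is constructed, and the serial and app-version field names are assumptions about the output format.

```python
import re

# Constructed samples of saved `show system info` output. Only the line
# "system-mode: logger" appears on this page; the other field names
# (serial, app-version) and all values are assumptions for illustration.
COLLECTOR_INFO = """\
hostname: lc-01
serial: 000000000001
app-version: 0000-0000
system-mode: logger
"""
PANORAMA_INFO = """\
hostname: panorama-01
serial: 000000000002
app-version: 0000-0000
system-mode: panorama
"""


def parse_system_info(text):
    """Turn 'key: value' lines into a dict, ignoring any other lines."""
    info = {}
    for line in text.splitlines():
        match = re.match(r"^\s*([\w-]+):\s*(.*?)\s*$", line)
        if match:
            info[match.group(1)] = match.group(2)
    return info


def check_collector(collector_text, panorama_text):
    """Return (serial, problems) for one Dedicated Log Collector."""
    lc = parse_system_info(collector_text)
    pano = parse_system_info(panorama_text)
    problems = []
    if lc.get("system-mode") != "logger":
        problems.append("system-mode is %r, expected 'logger'" % lc.get("system-mode"))
    if not lc.get("serial"):
        problems.append("no serial number found for the Collector S/N field")
    if lc.get("app-version") != pano.get("app-version"):
        problems.append("Applications update differs from Panorama")
    return lc.get("serial"), problems


if __name__ == "__main__":
    serial, problems = check_collector(COLLECTOR_INFO, PANORAMA_INFO)
    print("Collector S/N:", serial)
    for item in problems or ["ready to add as a managed collector"]:
        print(" -", item)
```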
