End-of-Life (EoL)
Setting up Panorama in an HA configuration provides redundancy for log collection. Because the managed firewalls are connected to both Panorama peers over SSL, when a state change occurs, each Panorama sends a message to the managed firewalls. The firewalls are notified of the Panorama HA state and can forward logs accordingly.
By default, when the managed firewalls cannot connect to Panorama (either the M-Series appliance or the Panorama virtual appliance), they buffer the logs; when the connection is restored, they resume sending logs from where they left off.
The logging options on the hardware-based Panorama and on the Panorama virtual appliance differ:
Logging Failover on a Panorama Virtual Appliance
On the Panorama virtual appliance, you have the following log failover options:
Log storage type: Virtual disk
Description: By default, the managed firewalls send logs as independent streams to each Panorama HA peer. If a peer becomes unavailable, the managed firewalls buffer the logs, and when the peer reconnects they resume sending logs from where they left off (subject to disk storage capacity and the duration of the disconnection). Logging to a virtual disk therefore provides redundancy in logging. However, the maximum log storage capacity is 8TB for Panorama running on VMware vCloud Air or ESXi 5.5 and later versions; the maximum capacity is 2TB for Panorama running on earlier ESXi versions. The option to forward logs only to the active peer is configurable (see Modify Log Forwarding and Buffering Defaults). Note that Panorama does not support log aggregation across the HA pair, so if you log to a virtual disk or local disk, for monitoring and reporting you must query the Panorama peer that collects the logs from the managed firewalls.

Log storage type: Network File System (NFS)
Description: When configured to use an NFS, only the active-primary Panorama mounts the NFS-based log partition and can receive logs. On failover, the primary device goes into a passive-primary state. In this scenario, until preemption occurs, the active-secondary Panorama manages the firewalls, but it does not receive the logs and it cannot write to the NFS. To allow the active-secondary peer to log to the NFS, you must manually switch it to primary so that it can mount the NFS partition. For instructions, see Switch Priority after Panorama Failover to Resume NFS Logging.
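The following is an added model (not Palo Alto Networks code) of the virtual-disk behaviour described above: each HA peer receives its own stream, the firewall buffers while a peer is unreachable, and what is recovered on reconnect depends on buffer capacity and outage length. The drop-oldest overflow policy, the capacity figures and the peer names are assumptions made for illustration; the gap check shows why the peer that actually collected the logs is the one to query.

```python
"""Per-peer buffered log streams during a Panorama HA peer outage (illustrative model)."""
from dataclasses import dataclass, field


@dataclass
class PeerStream:
    """Log stream from one firewall to one Panorama HA peer."""
    name: str
    buffer_capacity: int        # entries the firewall can hold for this peer (assumed)
    reachable: bool = True
    delivered: list = field(default_factory=list)   # sequence numbers the peer stores
    buffer: list = field(default_factory=list)      # sequence numbers awaiting delivery
    dropped: int = 0            # entries lost because the buffer overflowed

    def send(self, seq: int) -> None:
        if self.reachable:
            self.delivered.append(seq)
            return
        self.buffer.append(seq)
        if len(self.buffer) > self.buffer_capacity:
            self.buffer.pop(0)  # assumption: oldest buffered entry is discarded
            self.dropped += 1

    def reconnect(self) -> None:
        """Peer is back: flush buffered entries in order, then deliver live again."""
        self.reachable = True
        self.delivered.extend(self.buffer)
        self.buffer.clear()


def missing_ranges(delivered: list) -> list:
    """Return (first, last) ranges of sequence numbers absent from a peer's store."""
    have = set(delivered)
    if not have:
        return []
    gaps, start = [], None
    for seq in range(1, max(have) + 1):
        if seq not in have and start is None:
            start = seq
        elif seq in have and start is not None:
            gaps.append((start, seq - 1))
            start = None
    return gaps


def simulate(total: int, outage: range, capacity: int) -> dict:
    """Forward `total` entries to two peers; peer B is unreachable for seqs in `outage`."""
    a, b = PeerStream("panorama-a", capacity), PeerStream("panorama-b", capacity)
    for seq in range(1, total + 1):
        b.reachable = seq not in outage
        if b.reachable and b.buffer:
            b.reconnect()
        a.send(seq)
        b.send(seq)
    return {p.name: (missing_ranges(p.delivered), p.dropped) for p in (a, b)}
```

With a 10-entry outage and a 4-entry buffer, peer B ends up missing entries 10 through 15 while peer A is complete; raising the capacity to cover the outage closes the gap.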
Logging Failover on an M-Series Appliance
If you are using a pair of M-Series appliances (they must be in Panorama mode), the managed firewalls can send logs to only one peer in the HA pair, either the active or the passive peer. Unlike the virtual Panorama deployment, you cannot configure the firewalls to send logs to both peers; however, the RAID-enabled disks on the M-Series appliance protect against disk failure and loss of logs.
If you have a distributed log collection set up where the managed firewalls are sending logs to a Dedicated Log Collector, the Panorama peers in HA will query all the managed Log Collectors for aggregated log information.