Switch Priority after Panorama Failover to Resume NFS Logging
The Panorama virtual appliance in Legacy mode running on an ESXi server can use an NFS datastore for logging. In an HA configuration, only the primary Panorama peer is mounted to the NFS-based log partition and can write to the NFS. When a failover occurs and the passive Panorama becomes active, its state becomes active-secondary. Although a secondary Panorama peer can actively manage the firewalls, it cannot receive logs or write to the NFS because it does not own the NFS partition. When the firewalls cannot forward logs to the primary Panorama peer, each firewall writes the logs to its local disk. The firewalls maintain a pointer for the last set of log entries that they forwarded to Panorama so that when the passive-primary Panorama becomes available again, they can resume forwarding logs to it.
Use the instructions in this section to manually switch priority on the active-secondary Panorama peer so that it can begin logging to the NFS partition. The typical scenarios in which you might need to trigger this change are as follows:
- Preemption is disabled. By default, preemption is enabled on Panorama and the primary peer resumes as active when it becomes available again. When preemption is disabled, you need to switch the priority on the secondary peer to primary so that it can mount the NFS partition, receive logs from the managed firewalls, and write to the NFS partition.
- The active Panorama fails and cannot recover from the failure in the short term. If you do not switch the priority, when the maximum log storage capacity on the firewall is reached, the oldest logs will be overwritten to enable it to continue logging to its local disk. This situation can lead to loss of logs.
1. Log in to the currently passive-primary Panorama, select Panorama > Setup > Operations and, in the Device Operations section, click Shutdown Panorama.
2. Log in to the active-secondary Panorama, select Panorama > High Availability, edit the Election Settings, and set the Priority to Primary.
3. Click OK to save your changes.
4. Select Commit > Commit to Panorama and Commit your changes. Do not reboot when prompted.
5. Log in to the Panorama CLI and enter the following command to change the ownership of the NFS partition to this peer: request high-availability convert-to-primary
6. Select Panorama > Setup > Operations and, in the Device Operations section, click Reboot Panorama.
7. Power on the Panorama peer that you powered off in step 1. This peer will now be in a passive-secondary state.