End-of-Life (EoL)
Migrate Log Collectors after Failure/RMA of Non-HA Panorama
If a system failure occurs on a Panorama management
server that is not deployed in a high availability (HA) configuration,
use this procedure to restore the configuration on the replacement
Panorama and restore access to the logs on the Dedicated Log Collectors
that it manages. The allowed migration scenarios vary by Panorama
management server model:
Old/Failed Panorama | New/Replacement Panorama |
---|---|
Panorama virtual appliance |
|
M-100 appliance |
|
M-500 appliance | M-500 appliance |
Panorama maintains a ring file that maps the
segments and partitions that Dedicated Log Collectors use to store
logs. An M-Series appliance in Panorama mode stores the ring file
on its internal SSD; a Panorama virtual appliance stores the ring
file on its internal disk. When a system failure occurs, a non-HA
Panorama cannot automatically recover the ring file. Therefore,
when you replace Panorama, you must restore the ring file to access
the logs on the Dedicated Log Collectors.
This procedure requires that you backed up and exported your Panorama configuration before
the system failure occurred.
Palo Alto Networks recommends
deploying Panorama in an HA configuration. The active Panorama peer
automatically synchronizes the ring file to the passive peer in
an HA configuration, thereby maintaining access to logs on the Dedicated
Log Collectors even if you must replace one of the peers.
- Perform initial setup of the new Panorama appliance.
  - Rack mount the M-Series appliance if that is the new appliance. Refer to the M-100 or M-500 Appliance Hardware Reference Guide for instructions.
  - If the old M-Series appliance used interfaces other than the MGT interface for Panorama services (such as log collection), you must define those interfaces during initial configuration of the new M-Series appliance (Panorama > Setup > Interfaces). The Panorama virtual appliance does not support interfaces other than MGT.
  - Transfer licenses as follows only if the new Panorama appliance is the same model as the old appliance. Otherwise, you must purchase new licenses.
    - Log in to the Palo Alto Networks Customer Support web site.
    - Select the Assets tab and click the Spares link.
    - Click the Serial Number of the new M-Series appliance.
    - Click Transfer Licenses.
    - Select the old appliance and click Submit.
  - The M-500 appliance requires Panorama 7.0 or a later release. For important details about software versions, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility.
- Restore the configuration from the old Panorama to the replacement Panorama.
  - Log in to the new Panorama and select Panorama > Setup > Operations.
  - Click Import named Panorama configuration snapshot, Browse to the backup configuration file, and click OK.
  - Click Load named Panorama configuration snapshot, select the Name of the file you just imported, and click OK.
  - Select Commit > Commit to Panorama and Commit your changes.
  - Select Panorama > Managed Collectors and verify that the Connected column displays a check mark for the Dedicated Log Collector. If the Dedicated Log Collector doesn’t appear, you must reconfigure it and its Collector Group as described in the step "Reconfigure the Dedicated Log Collector and Collector Group if they are missing on Panorama." Otherwise, skip to the step "Fetch the ring file to restore access to the logs stored on the Dedicated Log Collector."
- Reconfigure the Dedicated Log Collector and Collector Group if they are missing on Panorama.
  - Access the CLI of the Dedicated Log Collector and enter the following commands to display the name of its Collector Group.
    - Enter the command:
      ```
      > request fetch ring from log-collector <serial_number>
      ```
      The following error will display:
      ```
      Server error: Failed to fetch ring info from <serial_number>
      ```
    - Enter the command:
      ```
      > less mp-log ms.log
      ```
      The following error will display:
      ```
      Dec04 11:07:08 Error: pan_cms_convert_resp_ring_to_file(pan_ops_cms.c:3719): Current configuration does not contain group CA-Collector-Group
      ```
      In this example, the error message indicates that the missing Collector Group has the name CA-Collector-Group.
  - Configure the Collector Group and assign the Dedicated Log Collector to it.
    ```
    > configure
    # set log-collector-group <collector-group-name>
    # set log-collector-group <collector-group-name> logfwd-setting collector <serial-number>
    ```
  - Commit the changes to Panorama but not to the Collector Group.
    ```
    # commit
    # exit
    ```
- Fetch the ring file to restore access to the logs stored on the Dedicated Log Collector.
  - Access the CLI of the new Panorama.
  - Fetch the ring file:
    ```
    > request fetch ring from log-collector <serial-number>
    ```
    For example:
    ```
    > request fetch ring from log-collector 009201000343
    ```
    If you don’t know the serial number of the Dedicated Log Collector, log in to its CLI and enter the `show system info` operational command.
  - Commit your changes to the Collector Group.
    ```
    > commit-all log-collector-config log-collector-group <collector-group-name>
    ```
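
The lookup and command sequence from the last two steps, as an added Python example (not Palo Alto Networks code): it pulls the missing Collector Group name out of `ms.log` text and builds the CLI lines for one collector, rejecting values that do not look like a serial number or group name before they are pasted into a privileged CLI. The character rules and the first sample log line are assumptions made for this example.

```python
import re

# Error format taken from the ms.log line quoted in the procedure above.
MISSING_GROUP_RE = re.compile(
    r"pan_cms_convert_resp_ring_to_file\([^)]*\): "
    r"Current configuration does not contain group (?P<group>.+?)\s*$"
)
# Assumptions for this example: serials are digits only; group names use
# letters, digits, '.', '_' and '-'. Adjust both to your deployment.
SERIAL_RE = re.compile(r"\d{8,15}")
GROUP_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,30}")


def missing_groups(ms_log_text):
    """Return Collector Group names reported missing, in first-seen order."""
    seen = []
    for line in ms_log_text.splitlines():
        m = MISSING_GROUP_RE.search(line)
        if m and m.group("group") not in seen:
            seen.append(m.group("group"))
    return seen


def recovery_commands(group, serial):
    """Build the CLI sequence from the last two steps for one collector."""
    if not SERIAL_RE.fullmatch(serial):
        raise ValueError(f"unexpected serial number: {serial!r}")
    if not GROUP_RE.fullmatch(group):
        raise ValueError(f"unexpected Collector Group name: {group!r}")
    return [
        "> configure",
        f"# set log-collector-group {group}",
        f"# set log-collector-group {group} logfwd-setting collector {serial}",
        "# commit",
        "# exit",
        f"> request fetch ring from log-collector {serial}",
        f"> commit-all log-collector-config log-collector-group {group}",
    ]


# Constructed sample: the error line quoted above plus one unrelated line.
SAMPLE_MS_LOG = """\
Dec04 11:07:01 Info: constructed unrelated entry for this example
Dec04 11:07:08 Error: pan_cms_convert_resp_ring_to_file(pan_ops_cms.c:3719): Current configuration does not contain group CA-Collector-Group
"""

if __name__ == "__main__":
    for name in missing_groups(SAMPLE_MS_LOG):
        print("\n".join(recovery_commands(name, "009201000343")))
```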