Migrate Log Collectors after Failure/RMA of Non-HA Panorama

If a system failure occurs on a Panorama management server that is not deployed in a high availability (HA) configuration, use this procedure to restore the configuration on the replacement Panorama and restore access to the logs on the Dedicated Log Collectors that it manages. The allowed migration scenarios vary by Panorama management server model:
Old/Failed Panorama
New/Replacement Panorama
Panorama virtual appliance
  • Panorama virtual appliance
  • M-100 appliance
  • M-200 appliance
  • M-500 appliance
  • M-600 appliance
M-100 appliance
  • Panorama virtual appliance
  • M-100 appliance
  • M-200 appliance
  • M-500 appliance
  • M-600 appliance
M-500 appliance
  • Panorama virtual appliance
  • M-100 appliance
  • M-200 appliance
  • M-500 appliance
  • M-600 appliance
Panorama maintains a ring file that maps the segments and partitions that Dedicated Log Collectors use to store logs. An M-Series appliance in Panorama mode stores the ring file on its internal SSD; a Panorama virtual appliance stores the ring file on its internal disk. When a system failure occurs, a non-HA Panorama cannot automatically recover the ring file. Therefore, when you replace Panorama, you must restore the ring file to access the logs on the Dedicated Log Collectors.
This procedure requires that you backed up and exported your Panorama configuration before the system failure occurred.
Palo Alto Networks recommends deploying Panorama in an HA configuration. The active Panorama peer automatically synchronizes the ring file to the passive peer in an HA configuration, thereby maintaining access to logs on the Dedicated Log Collectors even if you must replace one of the peers.
  1. Perform initial setup of the new Panorama appliance.
    1. Set Up the M-Series Appliance or Set Up the Panorama Virtual Appliance based on your needs. If you are setting up a new M-Series appliance, refer to the M-Series Appliance Hardware Reference Guides for instructions on how to rack mount the new M-Series appliance.
    2. Perform Initial Configuration of the M-Series Appliance or Perform Initial Configuration of the Panorama Virtual Appliance.
      If the old M-Series appliance used interfaces other than the MGT interface for Panorama services (such as log collection), you must define those interfaces during initial configuration of the new M-Series appliance (PanoramaSetupInterfaces). The Panorama virtual appliance does not support interfaces other than MGT.
    3. Register Panorama.
    4. Transfer licenses as follows only if the new Panorama appliance is the same model as the old appliance. Otherwise, you must purchase new licenses.
      1. Select the Assets tab and click the Spares link.
      2. Click the Serial Number of the new M-Series appliance.
      3. Click Transfer Licenses.
      4. Select the old appliance and click Submit.
    5. Activate a Panorama Support License.
    6. Activate a firewall management license.
    7. Install Content and Software Updates for Panorama.
      The M-500 appliance requires Panorama 7.0 or a later release. M-200 and M-600 appliances require Panorama 8.1. For important details about software versions, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility.
  2. Restore the configuration from the old Panorama to the replacement Panorama.
    1. Log in to the new Panorama and select PanoramaSetupOperations.
    2. Click Import named Panorama configuration snapshot, Browse to the backup configuration file, and click OK.
    3. Click Load named Panorama configuration snapshot, select the Name of the file you just imported, and click OK.
    4. Select CommitCommit to Panorama and Commit your changes.
    5. Select PanoramaManaged Collectors and verify that the Connected column displays a check mark for the Dedicated Log Collector.
      If the Dedicated Log Collector doesn’t appear, you must reconfigure it and its Collector Group as described in the next step. Otherwise, skip the following step to Fetch the ring file to restore access to the logs stored on the Dedicated Log Collector.
  3. Reconfigure the Dedicated Log Collector and Collector Group if they are missing on Panorama.
    1. Access the CLI of the Dedicated Log Collector and enter the following commands to display the name of its Collector Group.
      1. Enter the command:
        > request fetch ring from log-collector <serial_number>
        The following error will display:
        Server error: Failed to fetch ring info from <serial_number>
      2. Enter the command:
        > less mp-log ms.log
        The following error will display:
        Dec04 11:07:08 Error: pan_cms_convert_resp_ring_to_file(pan_ops_cms.c:3719): Current configuration does not contain group CA-Collector-Group
        In this example, the error message indicates that the missing Collector Group has the name CA-Collector-Group.
    2. Configure the Collector Group and assign the Dedicated Log Collector to it.
      > configure  
      # set log-collector-group <collector-group-name>  
      # set log-collector-group <collector-group-name> logfwd-setting
      collector <serial-number>
    3. Commit the changes to Panorama but not to the Collector Group.
      # commit  
      # exit
  4. Fetch the ring file to restore access to the logs stored on the Dedicated Log Collector.
    1. Access the CLI of the new Panorama.
    2. Fetch the ring file:
      > request fetch ring from log-collector <serial-number>
      For example:
      > request fetch ring from log-collector 009201000343
      If you don’t know the serial number of the Dedicated Log Collector, log in to its CLI and enter the show system info operational command.
    3. Commit your changes to the Collector Group.
      > commit-all log-collector-config log-collector-group <collector-group-name>

Related Documentation