Configure Panorama to Use Multiple Interfaces

In a large-scale network, you can improve security and reduce congestion by implementing network segmentation, which involves segregating the subnetworks based on resource usage, user roles, and security requirements. Panorama supports network segmentation by enabling you to use multiple M-Series Appliance Interfaces for managing devices (firewalls, Log Collectors, and WildFire appliances and appliance clusters) and collecting logs; you can assign separate interfaces to the devices on separate subnetworks.
Using multiple interfaces to collect logs also provides the benefit of load balancing, which is particularly useful in environments where the firewalls forward logs at high rates to the Log Collectors. If you enable the forward to all Log Collectors setting in the Collector Group log forwarding preference list, logs are sent on all configured interfaces. Otherwise, logs are forwarded over a single interface, and if that interface goes down, log forwarding continues over the next configured interface. For example, suppose you configure Eth1/1, Eth1/2, and Eth1/3 for log forwarding. If the Eth1/1 interface goes down, log forwarding continues over Eth1/2.
Because administrators access and manage Panorama over the MGT interface, securing that interface is especially important. One method for improving the security of the MGT interface is to offload Panorama services to other interfaces. In addition to device management and log collection, you can also offload Collector Group communication and deployment of software and content updates to firewalls, Log Collectors, and WildFire appliances and appliance clusters. By offloading these services, you can reserve the MGT interface for administrative traffic and assign it to a secure subnetwork that is segregated from the subnetworks where your firewalls, Log Collectors, and WildFire appliances and appliance clusters reside.
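The following is an added example, not Palo Alto Networks code or Panorama configuration syntax: a small Python audit that checks a planned interface layout against the goals described above (MGT reserved for administrative traffic, MGT on a subnet that does not overlap the device subnets, log collection with a second interface to fail over to). The plan format, the service labels, the sample addresses, and the two-interface threshold are assumptions made for illustration.

```python
import ipaddress

# Services the page says can be moved off MGT (hypothetical labels, not PAN-OS keys).
OFFLOADABLE = {"device-mgmt", "log-collection", "collector-group-comm", "update-deploy"}

def audit_plan(plan):
    """Return findings for a plan: interface -> {"subnet": CIDR, "services": set}."""
    findings = []
    mgt_net = ipaddress.ip_network(plan["MGT"]["subnet"])

    # MGT should carry administrative traffic only.
    for svc in sorted(plan["MGT"]["services"] & OFFLOADABLE):
        findings.append(f"MGT still carries offloadable service: {svc}")

    # The MGT subnet must be segregated from every subnet that hosts managed devices.
    for name, cfg in sorted(plan.items()):
        net = ipaddress.ip_network(cfg["subnet"])
        if name != "MGT" and net.overlaps(mgt_net):
            findings.append(f"{name} subnet {net} overlaps MGT subnet {mgt_net}")

    # Each offloadable service needs a home; log collection needs a failover interface
    # (the minimum of two non-MGT interfaces is an assumption of this example).
    carriers = {s: [n for n, c in sorted(plan.items()) if s in c["services"]]
                for s in OFFLOADABLE}
    for svc in sorted(OFFLOADABLE):
        if not carriers[svc]:
            findings.append(f"no interface assigned for service: {svc}")
    if len([n for n in carriers["log-collection"] if n != "MGT"]) < 2:
        findings.append("log-collection has fewer than two non-MGT interfaces")
    return findings

# Constructed sample plans; addresses are RFC 1918 examples, not taken from the page.
WEAK = {
    "MGT":    {"subnet": "10.0.0.0/24",   "services": {"admin", "device-mgmt"}},
    "Eth1/1": {"subnet": "10.0.0.128/25", "services": {"log-collection"}},
}
HARDENED = {
    "MGT":    {"subnet": "10.0.0.0/24", "services": {"admin"}},
    "Eth1/1": {"subnet": "10.1.1.0/24", "services": {"device-mgmt", "log-collection"}},
    "Eth1/2": {"subnet": "10.1.2.0/24", "services": {"log-collection", "collector-group-comm"}},
    "Eth1/3": {"subnet": "10.1.3.0/24", "services": {"log-collection", "update-deploy"}},
}

if __name__ == "__main__":
    for label, plan in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_plan(plan) or "no findings")
```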
