: Configure a Managed Collector
Focus
Focus

Configure a Managed Collector

Table of Contents
End-of-Life (EoL)

Configure a Managed Collector

Add a Log Collector to the Panorama™ management server to forward logs from your managed firewalls for centralized monitoring.
To enable the Panorama management server to manage a Log Collector, you must add it as a managed collector. Log Collectors support communication using a public or private IPv4 or IPv6 address only, including when you configure custom certificates for mutual authentication.
You can add two types of managed collectors:
  • Dedicated Log Collector—To set up a new M-600, M-500, M-200, M-100 appliance, or Panorama virtual appliance as a Log Collector or switch an existing M-Series appliance or Panorama virtual appliance from Panorama mode to Log Collector mode, see Set Up the M-Series Appliance as a Log Collector. Keep in mind that switching from Panorama Mode to Log Collector Mode removes the local Log Collector that is predefined on the M-Series appliance in Panorama mode.
  • Local Log Collector—A Log Collector can run locally on the M-600, M-500, M-200, M-100 appliance, or Panorama virtual appliance in Panorama mode. On the M-Series appliances, the Log Collector is predefined; on the virtual appliance, you must add the Log Collector. When the Panorama management server has a high availability (HA) configuration, each HA peer can have a local Log Collector. However, relative to the primary Panorama, the Log Collector on the secondary Panorama is remote, not local. Therefore, to use the Log Collector on the secondary Panorama, you must manually add it to the primary Panorama (for details, see Deploy Panorama M-Series Appliances with Local Log Collectors or Deploy Panorama Virtual Appliances with Local Log Collectors). If you delete a local Log Collector, you can later add it back. The following steps describe how to add a local Log Collector.
If the Panorama virtual appliance is in Legacy mode, you must switch to Panorama mode to create a Log Collector. For details, see Set Up the Panorama Virtual Appliance with Local Log Collector.
As a best practice, retain a local Log Collector and Collector Group on the Panorama management server, regardless of whether it manages Dedicated Log Collectors.
(Panorama evaluation only) If you are evaluating a Panorama virtual appliance with a local Log Collector, Configure Log Forwarding from Panorama to External Destinations to preserve logs generated during your evaluation period.
Logs stored on the local Log Collector cannot be preserved when you Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector.
  1. Record the serial number of the Log Collector.
    You will need this when you add the Log Collector as a managed collector.
    1. Access the Panorama web interface.
    2. Select Dashboard and record the Serial # in the General Information section.
  2. Add the Log Collector as a managed collector.
    1. Select PanoramaManaged Collectors and Add a new Log Collector.
    2. In the General settings, enter the serial number (Collector S/N) you recorded for the Log Collector.
    3. Click OK to save your changes.
    4. Select CommitCommit to Panorama.
  3. (Optional) Configure the Log Collector admin authentication.
    1. Select PanoramaManaged Collectors and edit the Log Collector by clicking its name.
    2. Configure the Log Collector admin password:
      1. Select the password Mode.
      2. If you selected Password mode, enter a plaintext Password and Confirm Password. If you selected Password Hash mode, enter a hashed password string of up to 63 characters.
    3. Configure the admin login security requirements:
      If you set the Failed Attempts to a value other than 0 but leave the Lockout Time at 0, then the admin user is indefinitely locked out until another administrator manually unlocks the locked out admin. If no other administrator has been created, you must reconfigure the Failed Attempts and Lockout Time settings on Panorama and push the configuration change to the Log Collector. To ensure that an admin is never locked out, use the default 0 value for both Failed Attempts and Lockout Time.
      1. Enter the number of login Failed Attempts value. The range is between the default value 0 to the maximum of 10 where the value 0 specifies unlimited login attempts.
      2. Enter the Lockout Time value between the default value 0 to the maximum of 60 minutes.
    4. Click OK to save your changes.
  4. Enable the logging disks.
    1. Select PanoramaManaged Collectors and edit the Log Collector by clicking its name.
      The Log Collector name has the same value as the hostname of the Panorama management server.
    2. Select Disks and Add each disk pair.
    3. Click OK to save your changes.
    4. Select CommitCommit to Panorama.
  5. (Optional) If your deployment is using custom certificates for authentication between Panorama and managed devices, deploy the custom client device certificate. For more information, see Set Up Authentication Using Custom Certificates.
    1. Select PanoramaCertificate ManagementCertificate Profile and choose the certificate profile from the drop-down or click New Certificate Profile to create one.
    2. Select PanoramaManaged Collectors and Add a new Log Collector or select an existing one. Select Communication.
    3. Select the type of device certificate the Type drop-down.
      • If you are using a local device certificate, select the Certificate and Certificate Profile from the respective drop-downs.
      • If you are using SCEP as the device certificate, select the SCEP Profile and Certificate Profile from the respective drop-downs.
    4. Click OK.
  6. (Optional) Configure Secure Server Communication on a Log Collector. For more information, see Set Up Authentication Using Custom Certificates.
    1. Select PanoramaManaged Collectors and click Add. Select Communication.
    2. Verify that the Custom Certificate Only check box is not selected. This allows you to continue managing all devices while migrating to custom certificates.
      When the Custom Certificate Only check box is selected, the Log Collector does not authenticate and cannot receive logs from devices using predefined certificates.
    3. Select the SSL/TLS service profile from the SSL/TLS Service Profile drop-down. This SSL/TLS service profile applies to all SSL connections between the Log Collector and devices sending it logs.
    4. Select the certificate profile from the Certificate Profile drop-down.
    5. Select Authorize Client Based on Serial Number to have the server check clients against the serial numbers of managed devices. The client certificate must have the special keyword $UDID set as the CN to authorize based on serial numbers.
    6. In Disconnect Wait Time (min), enter the number of minutes Panorama should before breaking and reestablishing the connection with its managed devices. This field is blank by default and the range is 0 to 44,640 minutes.
      The disconnect wait time does not begin counting down until you commit the new configuration.
    7. (Optional) Configure an authorization list.
      1. Click Add under Authorization List.
      2. Select the Subject or Subject Alt Name as the Identifier type.
      3. Enter an identifier of the selected type.
      4. Click OK.
      5. Select Check Authorization List to enforce the authorization list.
    8. Click OK.
    9. Select CommitCommit to Panorama.
  7. Verify your changes.
    1. Verify that the PanoramaManaged Collectors page lists the Log Collector you added. The Connected column displays a check mark to indicate that the Log Collector is connected to Panorama. You might have to wait a few minutes before the page displays the updated connection status.
      Until you Configure a Collector Group and push configuration changes to the Collector Group, the Configuration Status column displays Out of Sync, the Run Time Status column displays disconnected, and the CLI command show interface all displays the interfaces as down.
    2. Click Statistics in the last column to verify that the logging disks are enabled.
  8. Next steps...
    Before a Log Collector can receive firewall logs, you must:
    1. Configure Log Forwarding to Panorama.
    2. Configure a Collector Group—On the M-Series appliances, a default Collector Group is predefined and already contains the local Log Collector as a member. On the Panorama virtual appliance, you must add the Collector Group and add the local Log Collector as a member. On both models, assign firewalls to the local Log Collector for log forwarding.
      You must add the Log Collector to a Collector Group before it can start ingesting firewall logs.