Logging Failover on a Panorama Virtual Appliance in Legacy Mode
The Panorama virtual appliance in Legacy mode provides the following log failover options:
Log Storage Type
Virtual disk
By default, the managed firewalls send logs as independent streams to each Panorama HA peer. By default, if a peer becomes unavailable, the managed firewalls buffer the logs, and when the peer reconnects they resume sending logs from where they had left off (subject to disk storage capacity and duration of
The maximum log storage capacity depends on the virtual platform (VMware ESXi or vCloud Air); see Panorama Models for details.
You can choose whether to forward logs only to the active peer (see Modify Log Forwarding and Buffering Defaults). However, Panorama does not support log aggregation across the HA pair. Therefore, if you log to a virtual disk, for monitoring and reporting you must query the Panorama peer that collects the logs from the managed firewalls.
Network File System (NFS)
You can mount NFS storage only to a Panorama virtual appliance that runs on a VMware ESXi server. Only the active-primary Panorama mounts to the NFS-based log partition and can receive logs.
On failover, the primary device goes into a passive-primary state. In this scenario, until preemption occurs, the active-secondary Panorama manages the firewalls, but it does not receive the logs and it cannot write to the NFS. To allow the active-secondary peer to log to the NFS, you must manually switch it to primary so that it can mount to the NFS partition. For instructions, see Switch Priority after Panorama Failover to Resume NFS Logging.
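The two log storage options above, written out as an added Python example (not Palo Alto Networks code): given the storage type and each peer's HA state, it reports which peer receives logs and flags the NFS case in which no peer does. The storage labels, the "unavailable" state, the peer names and the function name are assumptions made for this illustration.

```python
"""Added example: which Panorama HA peer receives firewall logs (legacy mode)."""

UNAVAILABLE = "unavailable"  # assumed label for a peer that is down


def assess_logging(storage, peers, only_active=False):
    """Return who receives logs for a legacy-mode HA pair.

    storage: "virtual-disk" or "nfs" (assumed labels).
    peers: {peer_name: HA state}, e.g. "active-primary", "passive-primary",
           "active-secondary", "passive-secondary", or UNAVAILABLE.
    only_active: virtual disk only; forward logs only to the active peer.
    """
    up = {name: state for name, state in peers.items() if state != UNAVAILABLE}
    buffered_for = []
    action = None
    if storage == "virtual-disk":
        if only_active:
            receivers = sorted(n for n, s in up.items() if s.startswith("active-"))
        else:
            # Default: one independent stream per peer. Firewalls buffer logs
            # for a peer that is down and resume when it reconnects.
            receivers = sorted(up)
            buffered_for = sorted(set(peers) - set(up))
    elif storage == "nfs":
        # Only the active-primary peer mounts the NFS log partition.
        receivers = sorted(n for n, s in up.items() if s == "active-primary")
        if not receivers and "active-secondary" in up.values():
            action = ("switch the active-secondary peer to primary "
                      "so it can mount the NFS partition")
    else:
        raise ValueError(f"unknown storage type: {storage!r}")
    return {
        "receivers": receivers,        # peers that collect logs right now
        "buffered_for": buffered_for,  # peers the firewalls are buffering for
        "logging_gap": not receivers,  # True when no peer collects logs
        "action": action,
    }


if __name__ == "__main__":
    # Constructed states: an NFS pair after failover, before preemption.
    pair = {"pano-a": "passive-primary", "pano-b": "active-secondary"}
    print(assess_logging("nfs", pair))
```

Because Panorama does not aggregate logs across the pair, the `receivers` list for a virtual disk is also the list of peers to query for monitoring and reporting.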