Switch Priority after Panorama Failover to Resume NFS Logging
The Panorama virtual appliance in Legacy mode
running on an ESXi server can use an NFS datastore for logging.
In an HA configuration, only the primary Panorama peer is mounted
to the NFS-based log partition and can write to the NFS. When a
failover occurs and the passive Panorama becomes active, its state
becomes active-secondary. Although a secondary Panorama peer can
actively manage the firewalls, it cannot receive logs or write to
the NFS because it does not own the NFS partition. When the firewalls
cannot forward logs to the primary Panorama peer, each firewall
writes the logs to its local disk. The firewalls maintain a pointer
for the last set of log entries that they forwarded to Panorama
so that when the passive-primary Panorama becomes available again,
they can resume forwarding logs to it.
Use the instructions
in this section to manually switch priority on the active-secondary
Panorama peer so that it can begin logging to the NFS partition.
The typical scenarios in which you might need to trigger this change
are as follows:
- Preemption is disabled. By default, preemption is enabled on
  Panorama and the primary peer resumes as active when it becomes
  available again. When preemption is disabled, you need to switch
  the priority on the secondary peer to primary so that it can mount
  the NFS partition, receive logs from the managed firewalls, and
  write to the NFS partition.
- The active Panorama fails and cannot recover from the failure
  in the short term. If you do not switch the priority, each firewall
  overwrites its oldest logs once it reaches its maximum log storage
  capacity so that it can continue logging to its local disk. This
  situation can lead to loss of logs.
Log in to the currently passive-primary