Configure a Managed Collector
Table of Contents
10.0 (EoL)
Expand all | Collapse all
-
- Determine Panorama Log Storage Requirements
-
- Setup Prerequisites for the Panorama Virtual Appliance
- Perform Initial Configuration of the Panorama Virtual Appliance
- Set Up The Panorama Virtual Appliance as a Log Collector
- Set Up the Panorama Virtual Appliance with Local Log Collector
- Set up a Panorama Virtual Appliance in Panorama Mode
- Set up a Panorama Virtual Appliance in Management Only Mode
-
- Preserve Existing Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode
- Add a Virtual Disk to Panorama on an ESXi Server
- Add a Virtual Disk to Panorama on vCloud Air
- Add a Virtual Disk to Panorama on Alibaba Cloud
- Add a Virtual Disk to Panorama on AWS
- Add a Virtual Disk to Panorama on Azure
- Add a Virtual Disk to Panorama on Google Cloud Platform
- Add a Virtual Disk to Panorama on Hyper-V
- Add a Virtual Disk to Panorama on KVM
- Add a Virtual Disk to Panorama on Oracle Cloud Infrastructure (OCI)
- Mount the Panorama ESXi Server to an NFS Datastore
-
- Increase CPUs and Memory for Panorama on an ESXi Server
- Increase CPUs and Memory for Panorama on vCloud Air
- Increase CPUs and Memory for Panorama on Alibaba Cloud
- Increase CPUs and Memory for Panorama on AWS
- Increase CPUs and Memory for Panorama on Azure
- Increase CPUs and Memory for Panorama on Google Cloud Platform
- Increase CPUs and Memory for Panorama on Hyper-V
- Increase CPUs and Memory for Panorama on KVM
- Increase CPUs and Memory for Panorama on Oracle Cloud Infrastructure (OCI)
- Complete the Panorama Virtual Appliance Setup
-
- Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector
- Convert Your Evaluation Panorama to a Production Panorama without Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing with Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing without Local Log Collector
- Convert Your Production Panorama to an ELA Panorama
-
- Register Panorama
- Activate a Panorama Support License
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not Internet-connected
- Activate/Retrieve a Firewall Management License on the M-Series Appliance
- Install the Panorama Device Certificate
-
- Panorama, Log Collector, Firewall, and WildFire Version Compatibility
- Install Updates for Panorama in an HA Configuration
- Install Updates for Panorama with an Internet Connection
- Install Updates for Panorama When Not Internet-Connected
- Install Updates Automatically for Panorama without an Internet Connection
- Migrate Panorama Logs to the New Log Format
-
- Migrate from a Panorama Virtual Appliance to an M-Series Appliance
- Migrate a Panorama Virtual Appliance to a Different Hypervisor
- Migrate from an M-Series Appliance to a Panorama Virtual Appliance
- Migrate from an M-100 Appliance to an M-500 Appliance
- Migrate from an M-100 or M-500 Appliance to an M-200 or M-600 Appliance
-
- Configure an Admin Role Profile
- Configure an Access Domain
-
- Configure a Panorama Administrator Account
- Configure Local or External Authentication for Panorama Administrators
- Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface
- Configure an Administrator with SSH Key-Based Authentication for the CLI
- Configure RADIUS Authentication for Panorama Administrators
- Configure TACACS+ Authentication for Panorama Administrators
- Configure SAML Authentication for Panorama Administrators
-
- Add a Firewall as a Managed Device
-
- Add a Device Group
- Create a Device Group Hierarchy
- Create Objects for Use in Shared or Device Group Policy
- Revert to Inherited Object Values
- Manage Unused Shared Objects
- Manage Precedence of Inherited Objects
- Move or Clone a Policy Rule or Object to a Different Device Group
- Push a Policy Rule to a Subset of Firewalls
- Manage the Rule Hierarchy
- Manage the Master Key from Panorama
- Redistribute Data to Managed Firewalls
-
- Add Standalone WildFire Appliances to Manage with Panorama
- Remove a WildFire Appliance from Panorama Management
-
-
- Configure a Cluster and Add Nodes on Panorama
- Configure General Cluster Settings on Panorama
- Remove a Cluster from Panorama Management
- Configure Appliance-to-Appliance Encryption Using Predefined Certificates Centrally on Panorama
- Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama
- View WildFire Cluster Status Using Panorama
- Upgrade a Cluster Centrally on Panorama with an Internet Connection
- Upgrade a Cluster Centrally on Panorama without an Internet Connection
-
-
- Manage Licenses on Firewalls Using Panorama
-
- Supported Updates
- Schedule a Content Update Using Panorama
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
-
- Preview, Validate, or Commit Configuration Changes
- Enable Automated Commit Recovery
- Compare Changes in Panorama Configurations
- Manage Locks for Restricting Configuration Changes
- Add Custom Logos to Panorama
- Use the Panorama Task Manager
- Reboot or Shut Down Panorama
- Configure Panorama Password Profiles and Complexity
-
-
- Verify Panorama Port Usage
- Resolve Zero Log Storage for a Collector Group
- Replace a Failed Disk on an M-Series Appliance
- Replace the Virtual Disk on an ESXi Server
- Replace the Virtual Disk on vCloud Air
- Migrate Logs to a New M-Series Appliance in Log Collector Mode
- Migrate Logs to a New M-Series Appliance in Panorama Mode
- Migrate Logs to a New M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Log Collectors after Failure/RMA of Non-HA Panorama
- Regenerate Metadata for M-Series Appliance RAID Pairs
- View Log Query Jobs
- Troubleshoot Commit Failures
- Troubleshoot Registration or Serial Number Errors
- Troubleshoot Reporting Errors
- Troubleshoot Device Management License Errors
- Troubleshoot Automatically Reverted Firewall Configurations
- Complete Content Update When Panorama HA Peer is Down
- View Task Success or Failure Status
- Downgrade from Panorama 10.0
End-of-Life (EoL)
Configure a Managed Collector
To enable the Panorama management server to
manage a Log Collector, you must add it as a managed collector.
Log Collectors support communication using a public or private IPv4
or IPv6 address only, including when you configure custom certificates
for mutual authentication.
You can add two types of managed
collectors:
- Dedicated Log Collector—To set up a new M-600, M-500, M-200 appliance, or Panorama virtual appliance as a Log Collector or switch an existing M-Series appliance or Panorama virtual appliance from Panorama mode to Log Collector mode, see Set Up the M-Series Appliance as a Log Collector. Keep in mind that switching from Panorama Mode to Log Collector Mode removes the local Log Collector that is predefined on the M-Series appliance in Panorama mode.
- Local Log Collector—A Log Collector can run locally on the M-600, M-500, M-200 appliance, or Panorama virtual appliance in Panorama mode. On the M-Series appliances, the Log Collector is predefined; on the virtual appliance, you must add the Log Collector. When the Panorama management server has a high availability (HA) configuration, each HA peer can have a local Log Collector. However, relative to the primary Panorama, the Log Collector on the secondary Panorama is remote, not local. Therefore, to use the Log Collector on the secondary Panorama, you must manually add it to the primary Panorama (for details, see Deploy Panorama M-Series Appliances with Local Log Collectors or Deploy Panorama Virtual Appliances with Local Log Collectors). If you delete a local Log Collector, you can later add it back. The following steps describe how to add a local Log Collector.
If
the Panorama virtual appliance is in Legacy mode, you must switch
to Panorama mode to create a Log Collector. For details, see Set
Up the Panorama Virtual Appliance with Local Log Collector.
As a best practice, retain a local Log
Collector and Collector Group on the Panorama management server,
regardless of whether it manages Dedicated Log Collectors.
(Panorama
evaluation only) If you are evaluating a Panorama virtual appliance with
a local Log Collector, Configure Log Forwarding from Panorama to External Destinations to preserve
logs generated during your evaluation period.
Logs stored
on the local Log Collector cannot be preserved when you Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector.
- Record the serial number of the Log Collector.You will need this when you add the Log Collector as a managed collector.
- Access the Panorama web interface.
- Select Dashboard and record the Serial # in the General Information section.
- Add the Log Collector as a managed collector.
- Select PanoramaManaged Collectors and Add a new Log Collector.
- In the General settings, enter the serial number (Collector S/N) you recorded for the Log Collector.
- Click OK to save your changes.
- Select CommitCommit to Panorama.
- (Optional) Configure the Log Collector admin
authentication.Palo Alto Networks recommends adding at least one Local Administrator with Superuser privileges for Authentication if you configure an authorization list for your managed collector.If you added any Imported Panorama Admin Users, then you are required to add at least one Local Administrator with Superuser privileges.
- Select PanoramaManaged Collectors and edit the Log Collector by clicking its name.
- Configure the Log Collector admin password:
- Select the password Mode.
- If you selected Password mode, enter a plaintext Password and Confirm Password. If you selected Password Hash mode, enter a hashed password string of up to 63 characters.
- Configure the admin login security requirements:If you set the Failed Attempts to a value other than 0 but leave the Lockout Time at 0, then the admin user is indefinitely locked out until another administrator manually unlocks the locked out admin. If no other administrator has been created, you must reconfigure the Failed Attempts and Lockout Time settings on Panorama and push the configuration change to the Log Collector. To ensure that an admin is never locked out, use the default 0 value for both Failed Attempts and Lockout Time.
- Enter the number of login Failed Attempts value. The range is between the default value 0 to the maximum of 10 where the value 0 specifies unlimited login attempts.
- Enter the Lockout Time value between the default value 0 to the maximum of 60 minutes.
- Click OK to save your changes.
- Enable the logging disks.
- Select PanoramaManaged Collectors and edit
the Log Collector by clicking its name.The Log Collector name has the same value as the hostname of the Panorama management server.
- Select Disks and Add each disk pair.
- Click OK to save your changes.
- Select CommitCommit to Panorama.
- Select PanoramaManaged Collectors and edit
the Log Collector by clicking its name.
- (Optional) If your deployment is using custom
certificates for authentication between Panorama and managed devices,
deploy the custom client device certificate. For more information,
see Set
Up Authentication Using Custom Certificates.
- Select PanoramaCertificate ManagementCertificate Profile and choose the certificate profile from the drop-down or click New Certificate Profile to create one.
- Select PanoramaManaged Collectors and Add a new Log Collector or select an existing one. Select Communication.
- Select the type of device certificate the Type drop-down.
- If you are using a local device certificate, select the Certificate and Certificate Profile from the respective drop-downs.
- If you are using SCEP as the device certificate, select the SCEP Profile and Certificate Profile from the respective drop-downs.
- Click OK.
- (Optional) Configure Secure Server
Communication on a Log Collector. For more information,
see Set
Up Authentication Using Custom Certificates.
- Select PanoramaManaged Collectors and click Add. Select Communication.
- Verify that the Custom Certificate Only check
box is not selected. This allows you to continue managing all devices
while migrating to custom certificates.When the Custom Certificate Only check box is selected, the Log Collector does not authenticate and cannot receive logs from devices using predefined certificates.
- Select the SSL/TLS service profile from the SSL/TLS Service Profile drop-down. This SSL/TLS service profile applies to all SSL connections between the Log Collector and devices sending it logs.
- Select the certificate profile from the Certificate Profile drop-down.
- Select Authorize Client Based on Serial Number to have the server check clients against the serial numbers of managed devices. The client certificate must have the special keyword $UDID set as the CN to authorize based on serial numbers.
- In Disconnect Wait Time (min),
enter the number of minutes Panorama should before breaking and
reestablishing the connection with its managed devices. This field
is blank by default and the range is 0 to 44,640 minutes.The disconnect wait time does not begin counting down until you commit the new configuration.
- (Optional) Configure an authorization list.
- Click Add under Authorization List.
- Select the Subject or Subject Alt Name as the Identifier type.
- Enter an identifier of the selected type.
- Click OK.
- Select Check Authorization List to enforce the authorization list.
- Click OK.
- Select CommitCommit to Panorama.
- Verify your changes.
- Verify that the PanoramaManaged Collectors page lists
the Log Collector you added. The Connected column displays a check
mark to indicate that the Log Collector is connected to Panorama.
You might have to wait a few minutes before the page displays the
updated connection status.Until you Configure a Collector Group and push configuration changes to the Collector Group, the Configuration Status column displays Out of Sync, the Run Time Status column displays disconnected, and the CLI command show interface all displays the interfaces as down.
- Click Statistics in the last column to verify that the logging disks are enabled.
- Verify that the PanoramaManaged Collectors page lists
the Log Collector you added. The Connected column displays a check
mark to indicate that the Log Collector is connected to Panorama.
You might have to wait a few minutes before the page displays the
updated connection status.
- Next steps...Before a Log Collector can receive firewall logs, you must:
- Configure Log Forwarding to Panorama.
- Configure a Collector Group—On the M-Series appliances, a default Collector Group is predefined and already contains the local Log Collector as a member. On the Panorama virtual appliance, you must add the Collector Group and add the local Log Collector as a member. On both models, assign firewalls to the local Log Collector for log forwarding.