Set Up the Panorama Virtual Appliance with Local Log Collector

If the Panorama virtual appliance is in Legacy mode after you upgrade from a Panorama 8.0 or earlier release to a Panorama 8.1 (or later) release, switch to Panorama mode in order to create a local Log Collector, add multiple logging disks without losing existing logs, increase log storage up to 24TB, and enable faster report generation.
Once you change from Legacy mode to Panorama mode, Legacy mode will no longer be available.
After upgrading to Panorama 8.1, the first step is to increase the system resources on the virtual appliance to the minimum required for Panorama mode. Panorama reboots when you increase resources, so perform this procedure during a maintenance window. You must install a larger system disk (81GB), increase CPUs and memory based on the log storage capacity, and add a virtual logging disk. The new logging disk must have at least as much capacity as the appliance currently uses in Legacy mode and cannot be less than 2TB. Adding a virtual disk enables you to migrate existing logs to the Log Collector and enables the Log Collector to store new logs.
If Panorama is deployed in an HA configuration, perform the following steps on the secondary peer first and then on the primary peer.
  1. Determine which system resources you need to increase before the virtual appliance can operate in Panorama mode.
    You must run the command specified in this step even if you have determined that Panorama already has adequate resources.
    1. Access the Panorama CLI:
      1. Use terminal emulation software such as PuTTY to open an SSH session to the IP address that you specified for the Panorama MGT interface.
      2. Log in to the CLI when prompted.
    2. Check the resources you must increase by running the following command:
      > request system system-mode panorama 
      Enter y when prompted to continue. The output specifies the resources you must increase. For example:
      Panorama mode not supported on current system disk of size 52.0 GB. 
      Please attach a disk of size 81.0 GB, then use 'request system clone-system-disk' to migrate the current system disk 
      Please add a new virtual logging disk with more than 50.00 GB of storage capacity. 
      Not enough CPU cores: Found 4 cores, need 8 cores 
  2. Increase the CPUs and memory, and replace the system disk with a larger disk.
    1. Access the VMware ESXi vSphere Client, select Virtual Machines, right-click the Panorama virtual appliance, and select Power > Power Off.
    2. Right-click the Panorama virtual appliance and Edit Settings.
    3. Select Memory and enter the new Memory Size.
    4. Select CPUs and specify the number of CPUs (the Number of virtual sockets multiplied by the Number of cores per socket).
    5. Add a virtual disk.
      You will use this disk to replace the existing system disk.
      1. In the Hardware settings, Add a disk, select Hard Disk as the hardware type, and click Next.
      2. Create a new virtual disk and click Next.
      3. Set the Disk Size to exactly 81GB and select the Thick Provision Lazy Zeroed disk format.
      4. Select Specify a datastore or datastore structure as the location, Browse to a datastore of at least 81GB, click OK, and click Next.
      5. Select a SCSI Virtual Device Node (you can use the default selection) and click Next.
        Panorama will fail to boot if you select a format other than SCSI.
      6. Verify that the settings are correct and then click Finish and OK.
    6. Right-click the Panorama virtual appliance and select Power > Power On. Wait for Panorama to reboot before continuing.
    7. Return to the Panorama CLI and copy the data from the original system disk to the new system disk:
      > request system clone-system-disk target sdb
      Enter y when prompted to continue.
      The copying process takes around 20 to 25 minutes, during which Panorama reboots. When the process finishes, the output tells you to shut down Panorama.
    8. Return to the vSphere Client console, right-click the Panorama virtual appliance, and select Power > Power Off.
    9. Right-click the Panorama virtual appliance and Edit Settings.
    10. Select the original system disk, click Remove, select Remove from virtual machine, and click OK.
    11. Right-click the Panorama virtual appliance and Edit Settings.
    12. Select the new system disk, set the Virtual Device Node to SCSI (0:0), and click OK.
    13. Right-click the Panorama virtual appliance and select Power > Power On. Before proceeding, wait for Panorama to reboot on the new system disk (around 15 minutes).
  3. Add a virtual logging disk.
    This is the disk to which you will migrate existing logs.
    1. In the VMware ESXi vSphere Client, right-click the Panorama virtual appliance and select Power > Power Off.
    2. Right-click the Panorama virtual appliance and Edit Settings.
    3. Repeat the steps to Add a virtual disk. Set the Disk Size to a multiple of 2TB based on the amount of log storage you need. The capacity must be at least as large as the existing virtual disk or NFS storage that Panorama currently uses for logs. The disk capacity must be a multiple of 2TB and can be up to 24TB. For example, if the existing disk has 5TB of log storage, you must add a new disk of at least 6TB.
      After you switch to Panorama mode, Panorama will automatically divide the new disk into 2TB partitions, each of which will function as a separate virtual disk.
    4. Right-click the Panorama virtual appliance and select Power > Power On. Wait for Panorama to reboot before continuing.
  4. Switch from Legacy mode to Panorama mode.
    After switching the mode, the appliance reboots again and then automatically creates a local Log Collector and Collector Group. The existing logs won’t be available for querying or reporting until you migrate them later in this procedure.
    1. Return to the Panorama CLI and run the following command.
      > request system system-mode panorama 
      Enter y when prompted to continue. After rebooting, Panorama automatically creates a local Log Collector (named Panorama) and creates a Collector Group (named default) to contain it. Panorama also configures the virtual logging disk you added and divides it into separate 2TB disks. Wait for the process to finish and for Panorama to reboot (around five minutes) before continuing.
    2. Log in to the Panorama web interface.
    3. In the Dashboard, General Information settings, verify that the Mode is now panorama.
      In an HA deployment, the secondary peer is in a suspended state at this point because its mode (Panorama) does not match the mode on the primary peer (Legacy). You will un-suspend the secondary peer after switching the primary peer to Panorama mode later in this procedure.
    4. Select Panorama > Collector Groups to verify that the default collector group has been created, and that the local Log Collector is part of the default collector group.
    5. Push the configuration to the managed devices.
      • If there are no pending changes:
        1. Select Commit > Push to Devices and Edit Selections.
        2. Select Collector Group and make sure the default collector group is selected.
        3. Click OK and Push.
      • If you have pending changes:
        1. Select Commit > Commit and Push and Edit Selections.
        2. Verify that your Device Group devices and Templates are included.
        3. Select Collector Group and make sure the default collector group is selected.
        4. Click OK and Commit and Push.
    6. Select Panorama > Managed Collectors and verify that the columns display the following information for the local Log Collector:
      • Collector Name—This defaults to the Panorama hostname. It should be listed under the default Collector Group.
      • Connected—Check mark
      • Configuration Status—In sync
      • Run Time Status—connected
  5. (HA only) Switch the primary Panorama from Legacy mode to Panorama mode.
    This step triggers failover.
    1. Repeat Step 1 through Step 4 on the primary Panorama.
      Wait for the primary Panorama to reboot and return to an active HA state. If preemption is not enabled, you must manually fail back: select Panorama > High Availability and, in the Operational Commands section, Make local Panorama functional.
    2. On the primary Panorama, select Dashboard and, in the High Availability section, Sync to peer, click Yes, and wait for the Running Config to display Synchronized status.
    3. On the secondary Panorama, select Panorama > High Availability and, in the Operational Commands section, Make local Panorama functional.
      This step is necessary to bring the secondary Panorama out of its suspended HA state.
  6. Migrate existing logs to the new virtual logging disks.
    If you deployed Panorama in an HA configuration, perform this only on the primary peer.
    Palo Alto Networks recommends migrating existing logs to the new virtual logging disks during your maintenance window. The log migration requires a large number of the Panorama virtual appliance CPU cores to execute and impacts Panorama operational performance.
    1. Return to the Panorama CLI.
    2. Start the log migration:
      > request logdb migrate vm start 
      The process duration varies by the volume of log data you are migrating. To check the status of the migration, run the following command:
      > request logdb migrate vm status 
      When the migration finishes, the output displays: migration has been done.
    3. Verify that the existing logs are available.
      1. Log in to the Panorama web interface.
      2. Select Panorama > Monitor, select a log type that you know matches some existing logs (for example, Panorama > Monitor > System), and verify that the logs display.
  7. Next steps...
    Configure log forwarding to Panorama so that the Log Collector receives new logs from firewalls.
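
The pre-check output from step 1 and the logging-disk sizing rule from step 3 can be turned into a change-window checklist before anything is powered off. The Python below is an added example, not part of the Palo Alto Networks procedure: the regular expressions are assumptions derived only from the sample output shown in step 1, and the names parse_precheck and logging_disk_tb are hypothetical.

```python
import math
import re

# Constructed input: the example output shown in step 1 of this page.
SAMPLE_OUTPUT = """\
Panorama mode not supported on current system disk of size 52.0 GB.
Please attach a disk of size 81.0 GB, then use 'request system clone-system-disk' to migrate the current system disk
Please add a new virtual logging disk with more than 50.00 GB of storage capacity.
Not enough CPU cores: Found 4 cores, need 8 cores
"""

# Assumption: these patterns are derived only from the sample lines above;
# other PAN-OS releases may word the messages differently.
PATTERNS = {
    "system_disk_gb": (r"attach a disk of size ([\d.]+) GB", float),
    "min_logging_disk_gb": (r"logging disk with more than ([\d.]+) GB", float),
    "cpu_cores": (r"Found \d+ cores, need (\d+) cores", int),
}


def parse_precheck(output):
    """Return the resources the pre-check reports as insufficient."""
    needs = {}
    for key, (pattern, cast) in PATTERNS.items():
        match = re.search(pattern, output)
        if match:
            needs[key] = cast(match.group(1))
    return needs


def logging_disk_tb(existing_log_tb):
    """Size the new logging disk per step 3 (hypothetical helper).

    The disk must be a multiple of 2TB, at least as large as the storage
    currently used for logs, no smaller than 2TB and no larger than 24TB.
    """
    if existing_log_tb < 0:
        raise ValueError("existing log storage cannot be negative")
    size = max(2, 2 * math.ceil(existing_log_tb / 2))
    if size > 24:
        raise ValueError("required size exceeds the 24TB maximum")
    return size


if __name__ == "__main__":
    print(parse_precheck(SAMPLE_OUTPUT))  # resources to raise before the mode switch
    print(logging_disk_tb(5))             # the 5TB case from step 3
```

An empty result from parse_precheck means none of the three messages matched, which is only meaningful if the patterns still match the wording of your release.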