Best Practices with Log Collection Design in Panorama

shv — Wed, 07 May 2025 09:54:46 GMT

Logging is a critical component in network security, helping organizations maintain visibility, compliance, and forensics. Panorama, with its powerful log collection and analysis capabilities, supports distributed environments at scale. However, optimal performance depends on careful planning and adherence to best practices.

This article provides practical guidance across system requirements, architecture, configuration, and migration strategies to design a robust and efficient Panorama logging infrastructure.

System Requirements

CPU & Memory: A minimum of 16 vCPUs and 64GB RAM is recommended for Panorama in Log Collector or Logger mode in high logging rate environments.
Disk Type (Virtual Appliances): Choose a disk type with high IOPS to improve Logs Per Second (LPS) performance.
Multiple Disks: Use more than one disk in the Log Collector appliance to distribute IOPS load effectively.
Version Consistency: All Log Collectors in a Collector Group must run the same PAN-OS version.
Uniform Disk Configuration:
- Use the same number of disks across Log Collectors in a Collector Group.
- For virtual appliances, ensure identical system profiles (CPU, memory, disk type, number of disks) across all Log Collectors.

Architecture

Collector Group Quorum: Deploy a minimum of three Log Collectors in a group to satisfy quorum requirements and ensure Logging Resiliency.
Multiple Collector Groups: In high LPS environments, distribute logs across multiple Collector Groups for better performance.
Latency Considerations:

<10ms between Log Collectors in a group.
<500ms between firewalls and their Log Collectors.

Capacity Planning: Always add 15% overhead to both log ingestion and storage calculations.

Example: For 15,000 logs/sec, provision for 17,250 logs/sec.

Dedicated vs Local Collectors:

Prefer Dedicated Log Collectors over local ones for better performance.
Local collectors share resources with management and may have reduced performance.

Appliance Selection:

In high logging environments, M-Series appliances offer better performance than virtual appliances.
In Hybrid Cloud deployments, place Dedicated Log Collectors in the same cloud region to reduce egress charges.
For globally distributed networks, centralize management but deploy regional Dedicated Log Collectors.

Configuration

Log Forwarding Preference List:

Configure a preference list on firewalls for log forwarding.
Include at least two Log Collectors to ensure redundancy.
Enable “Forward to all collectors in the preference list” to distribute logs evenly.

Interface Separation:

Use separate interfaces for:

Log Collection
Inter-LC communication
Management traffic

Prevents log queues from interfering with keepalive packets.

Efficient Logging Configuration:

Log at session end in security policies for efficient storage.

Log-Collector Management:

Avoid removing a Log Collector from a group unless necessary.
Removing wipes all logs on that collector.
Re-adding it requires data rebalancing, which can be time-consuming.

Migration

Phased Migration Strategy:

Cross-Model Log Migration is not supported today.
Keep the old Collector Group active while redirecting firewalls to the new group.
After the log retention period ends for the old data, decommission the old group.

Conclusion