Understanding Panorama System Mode Transitions

shv — Mon, 02 Jun 2025 10:10:56 GMT

This document outlines the various system modes available for Palo Alto Networks and provides guidance on transitioning between them. offers flexibility with its different modes: Panorama, Management-Only, and Logger.

Reasons for changing system modes might include optimizing resource allocation by separating log collection and management, transitioning to dedicated logging with Logger mode, or simplifying operations to management-only. Each mode serves a specific purpose and knowing the prerequisites and considerations for each transition is essential to avoid data loss and ensure smooth operations.

1. Changing from Panorama Mode to Management-Only Mode

This section details the process and considerations for moving a Panorama appliance from its default Panorama mode (managing devices and processing their logs) to Management-Only mode (solely for device management).

Summary of Mode Change: Panorama > Management-Only

No loss of configuration.
Firewall Logs are lost (as management-only mode disables the Log Collector processes).

There is no officially supported method to retain these logs; attempting to manipulate disks is not supported.

Prerequisites

Log Collector Group Assignment: All managed firewalls must be assigned to a Log Collector Group. Refer to Palo Alto Networks Knowledge Base article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008Ub7CAE.

If there are no Log Collector Groups and no Dedicated Log Collectors available, create a “dummy” Log Collector Group and a Dedicated Log Collector and assign managed devices to this temporary Group.
Please note that adding a disconnected Dedicated Log Collector to a Log Collector Group must be done via CLI as it is not possible via GUI.

set log-collector-group {DUMMY_LCG_NAME} logfwd-setting collectors {DUMMY_DLC_SERIAL_NUMBER}
Example: set log-collector-group EMPTY_LCG logfwd-setting collectors 1234

If there are any disconnected managed devices not assigned to a Log Collector Group, these need to be removed, or assigned to an LCG via CLI as it is not possible to assign a disconnected device to an LCG via GUI.

set log-collector-group {DUMMY_LCG_NAME} logfwd-setting devices {DEVICE_SERIAL_NUMBER}
Example: set log-collector-group BLANK_LCG logfwd-setting devices 4567

Isolation of Local Log Collectors (LLCs): Ensure that any Local Log Collectors (running on the Panorama itself) are not part of any Log Collector Groups. This might require removing the Local Log Collectors from existing Log Collector Groups.

Key Considerations

Loss of Local Logs: Switching to Management-Only mode will stop local log collection on Panorama. Ensure you have dedicated Log Collectors in place to handle logging for your managed devices.
HA Pair Transition: When dealing with an HA pair, it's recommended to start with the secondary (passive) Panorama. Be aware of potential temporary failovers due to operational mode mismatches.
Potential Communication Issues: After the mode change, you might encounter temporary communication issues with existing Dedicated Log Collectors (e.g., "ring version mismatch"), which may require a "commit force" on Panorama to resolve.

2. Changing from Management-Only Mode to Panorama Mode

This section outlines the considerations for enabling local log collection capabilities on a Panorama that is currently in Management-Only mode.

Summary of Mode Change: Management-Only > Panorama

No loss of configuration.
There are no logs to lose (as management-only mode doesn't collect logs).

Prerequisites

In the case of Virtual Panorama appliances, at least one logging disk of 2TB needs to be attached to the VM before the switch.

Key Considerations

Enabling Local Logging: This change will allow the Panorama to act as a Local Log Collector. You will need to configure Log Collector Groups to include the local log collector if you wish for the Panorama to store logs.
Resource Usage: Enabling panorama mode will utilize system resources for log collection in addition to device management. Ensure your Panorama appliance has sufficient resources.

3. Changing from Panorama Mode to Logger Mode

This section describes the transition of a Panorama instance to function solely as a dedicated Log Collector.

Summary of Mode Change: Panorama > Logger

Configuration lost (Logger mode doesn't utilize Device Group/Template configurations).
Logs lost.

There is no officially supported method to retain these logs; attempting to manipulate disks is not supported.

Prerequisites

Ensure you have backed up your Panorama configuration if you might need to revert or reference it later, as the configuration relevant to management will be lost.

Key Considerations

Loss of Management Configuration: Switching to Logger mode will erase the management configuration (Device Groups, Templates, etc.). This action is irreversible without restoring from a backup.
Loss of Local Logs: Any logs currently stored locally on the Panorama will likely be lost during this transition.
Dedicated Logging Role: After this change, the system will only function as a log collector and will not manage firewalls. You will need a separate Panorama instance for management.

4. Summary Table

Current Mode	New Mode	Pre-requisites	Impact
Panorama	Management-Only	- All managed devices must be assigned to an LCG - Local Log Collector must not be a member of any LCG	- Loss of logs - No configuration impact
Management-Only	Panorama	- 2nd disk of 2TB must be attached (applies to VM appliance only)	- No impact
Panorama	Logger	- Device Management license must be applied	- Loss of logs - Loss of Template and DG configuration
Logger	Panorama	- 2nd disk of 2TB must be attached (applies to VM appliance only)	- Loss of logs - No configuration impact
Logger	Management-Only	- Must switch to Panorama mode first	- See above
Management-Only	Logger	- Must switch to Panorama mode first	- See above

article Understanding Panorama System Mode Transitions in General Articles

Understanding Panorama System Mode Transitions

1. Changing from Panorama Mode to Management-Only Mode

Summary of Mode Change: Panorama > Management-Only

Prerequisites

Key Considerations

2. Changing from Management-Only Mode to Panorama Mode

Summary of Mode Change: Management-Only > Panorama

Prerequisites

Key Considerations

3. Changing from Panorama Mode to Logger Mode

Summary of Mode Change: Panorama > Logger

Prerequisites

Key Considerations

4. Summary Table