topic Re: Panorama High availability in General Topics

Panorama High availability

ImplementationEngineering — Thu, 28 Apr 2011 18:37:14 GMT

Are there any issues with running 2 Panorama servers in an HA configuration across a WAN? Recommendations for configuring hold timers and various interval settings?

Judy

Re: Panorama High availability

skrall — Fri, 06 May 2011 17:04:44 GMT

When you say Panorama HA across a WAN, what exactly are yo talking about? Panorama1 and Panorama2 are at opposit ends of a WAN link? Or Pan1 and Pan2 are located at one site and the firewalls are located at a diffeent site?

Logging over the WAN depends entirely on your traffic through the firewall and how much data you log.

Steve Krall

Re: Panorama High availability

brdickson — Tue, 19 Jul 2011 20:35:08 GMT

We are also concerned about the operation of HA between Panorama servers in multiple locations, as well as logging from PA firewalls across the WAN.

FYI - our WAN is very fast, high-speed links with not much traffic, i.e. 10Gbps, and the sites are not that far apart (say < 30ms nominal).

We want to know about:

HA syncing between Panorama 1 and Panorama 2
HA failover from Panorama 1 to Panorama 2
specific configuration "knobs" that impact false-positive and false-negative regarding HA (HA failovers that are not necessary, or actual failures that do not trigger HA, respectively).
rules-of-thumb regarding latency, bandwidth-delay product, how HA is done (TCP/UDP, which ports, what IP options, TCP/UDP options, etc.)

HA syncing and failover - what is automated, and what needs to be done manually? On Panorama? On PA firewalls in Active/Standby?

What gets synced between Panorama instances? Just configs? How about logs? Is there any way to de-dup logs sent to two Panoramas? Are there any special techniques/commands/tools to support merging/syncing/de-duping logs, e.g. via a third Panorama?

What are the options regarding exporting (e.g. ranges of dates), and clearing (also ranges of dates) logs?

What are the performance/scalability limits on logs? Is there a way to partition the DB for historical views, that avoids some of these issues? What DB is used, is there a published schema for it, are there third party tools available for managing the DB for logs?

Thanks,

Brian Dickson

bdickson at verisign dot com

Re: Panorama High availability

mrajdev — Tue, 19 Jul 2011 22:22:28 GMT

Hi Brian/Judy,

It would be best if you work with your systems engineer from PA to discuss your scenario and answer your questions.

Thanks

Re: Panorama High availability

mschuricht — Fri, 22 Jul 2011 15:48:34 GMT

Brian,

Since you have a lot of questions I think it would be good to setup a call with me (Panorama PM) and your SE.

I will reach out to you unicast to set this up.

Thanks,

Mike Schuricht

Re: Panorama High availability

chrisp — Wed, 10 Aug 2011 20:51:40 GMT

Brian asks some good questions regarding the inner workings of Panorama. Is there any available documentation that covers at least some portion of what he's asking? Or are we supposed to go thru our SE to get any of this detail?

Re: Panorama High availability

mschuricht — Wed, 10 Aug 2011 23:02:29 GMT

There is some documentation on setup procedures in the admin guide and I would also suggest talking with your SE to get some added details. At that point if there are still open item we can have a conf call if needed.

Re: Panorama High availability

erantanen — Wed, 29 Feb 2012 00:48:39 GMT

I was wondering on this issue, if Panorama is able to sync databases from two geo-located instances for HA?

If so what documentation is the referenced?

Re: Panorama High availability

mschuricht — Wed, 29 Feb 2012 03:12:44 GMT

There is no sync of the log databases between HA peers. Devices send logs to both Panorama HA instances by default when utilizing VMware virtual disk storage so the sync is not needed. The devices will buffer logs if connectivity is lost, to either Panorama, and then spooled to the disconnected Panorama upon reconnection.

Re: Panorama High availability

mikand — Wed, 29 Feb 2012 07:48:23 GMT

I reuse this thread since this is a semi high availability question regarding Panorama.

Is it possible to setup Panoroma this way?

1) One Panorama at each site (datacenter).

Well of course this on its own will work but this is just to explain what Im thinking of 🙂

2) Devices at siteX will log to Panorama at siteX.

This is also pretty straight through since you setup the ip of the Panorama in each device.

3) Each Panorama will then send a copy of the logs to a syslogserver (along with adminlogs).

Is this possible today? Or must each device send the syslogs to the syslogserver?

4) Configurations are synched between all Panoramas so it doesnt matter which Panorama the administrator logins to in order to change a security rule or such.

This is the main question. The idea is that logs are handled locally at each site (datacenter) where configurations are redundant at all Panoramas. Like a clustering feature of Panaroma. The point here is also to keep the logs locally (no need to synchronise logs between Panoramas/Sites in this case) but as backup the archive feature will be used.

Re: Panorama High availability

nawaza — Wed, 11 Oct 2017 13:31:01 GMT

This is reply to a old post, but for the benefit of the community ...

As per admin guide you can ping between both Panorama servers using mgmt IPs (across the wan in this case), and if the response times are sub 500ms then you're good to go!

Ajaz Nawaz