In this week's Discussion of the Week, I will actually cover 2 discussions about upgrading Panorama to 8.0 and the log-collectors that need to be upgraded at the same time. One started by user "Gun-Slinger" and the other started by user "RSporbert".
Here are the 2 discussions along with links to the discussions:
Now, the common thread in these discussions has to deal with what does and what does not need to be upgraded to get the new Log features in PAN-os 8.0 to work properly, what is compatable, and what commands need to be run.
I will try to cover each question, consider it a mini-FAQ.
We are upgrading to 8.0 and have noticed the cavet about new log storage in 8.0. We do not have log collectors setup, but are collecting logs in Panorama (threat and traffic only) and wonder if the existing log migration applies to these as well?
Even though you do not have a seperate log collector in Panorama, you will have a built in log collector by default, otherwise Panorama would not be able to access the logs from the Palo Alto Networks devices sending the logs to Panorama.
Because PAN-OS 8.0 uses a new format, the logs will need to be converted to the new format to work properly and run reports.
For the full instructions on how to upgrade to PAN-OS 8.0, please see this page:
So, the serial # is the actual Log Collector serial # and this command would be run on Panorama CLI.. As Panorama talks with 1 or more Log Collectors, so the Serial # would be needed.
If this is a Panorama without external Log Collectors, then you would still use this command on the "stand alone" Panorama because there is a Built In Log collector to Panorama. You would just use the same Serial number for Panorama.
Anyone tested this or know if it is documented on the compatability or not with 8.0 on the log-collectors but everything else on 7.1.
I know the rule of thumb that your manager (panorama) is to be your highest code version, however with the log-collector I could see this not applying.
The only issue we found was when we did this with the 7.0 and 7.1 code, the logs from our 7050's were not working correctly.
I did test the option of having a M500 log-collector on 8.0.2 and panorama on 7.1.9, but panorama could not connect.
Answer 3 and 4:
The rule of thumb is that Panorama and its Log Collector(s) need to always be the highest version of PAN-OS. Since Panorama is backward compatable, you can have both the Log Collector and Panorama at PAN-OS 8.0 and firewalls at 7.1.x and 7.0.x.
As long as both the Log Collector and Panorama are the same version, then it will work properly.
Will logs still actively show up in Panorama while the process is going on? We have all of our devices on 7.1.5 and Panorama is on 7.1.9. We have all of our devices logging to Panorama. I want to update Panorama to 8.0.1 but I'm not sure if there's anything I can do before hand to help with the log migration.
New logs should still flow to Panorama during the upgrade process, but don't be worried if you see increased CPU and memory usage during the upgrade process.
That's all for now.. but if you have other questions, please feel free to start your own thread or comment below.
Oh, and before I forget, please see the following link for more information and instructions on upgrading to 8.0 , Panorama, Firewalls and High Availability pairs here: