
Upgrade Panorama logs to PAN-OS 8.0 (FAQ)

by ‎05-01-2017 02:42 PM - edited ‎05-12-2017 10:13 PM (32,196 Views)

In this week's Discussion of the Week, I will actually cover 2 discussions about upgrading Panorama to 8.0 and the log collectors that need to be upgraded at the same time. One was started by user "Gun-Slinger" and the other by user "RSporbert".

 

Here are the 2 discussions, with links:

 

Log-collector on 8.0 and panorama/FW's on 7.1 - Compatibility?
https://live.paloaltonetworks.com/t5/General-Topics/Log-collector-on-8-0-and-panorama-FW-s-on-7-1-Co...


 

Upgrading 7.1 to 8.0: New Log Storage
https://live.paloaltonetworks.com/t5/General-Topics/Upgrading-7-1-to-8-0-New-Log-Storage/m-p/154369#...


 

The common thread in these discussions is what does and does not need to be upgraded for the new log features in PAN-OS 8.0 to work properly, what is compatible, and what commands need to be run.

 

I will try to cover each question; consider it a mini-FAQ.

 

Question 1:

We are upgrading to 8.0 and have noticed the caveat about new log storage in 8.0. We do not have log collectors set up, but are collecting logs in Panorama (threat and traffic only) and wonder if the existing log migration applies to these as well?

 

Answer 1:

Even though you do not have a separate log collector, Panorama has a built-in log collector by default; otherwise Panorama would not be able to access the logs from the Palo Alto Networks devices sending logs to it.

 

Because PAN-OS 8.0 uses a new format, the logs will need to be converted to the new format to work properly and run reports.

 

For the full instructions on how to upgrade to PAN-OS 8.0, please see this page:

Upgrade Firewalls Using Panorama

 

Question 2:

We have a panorama(VM) with 2x M-100 log collectors, to upgrade to 8.0, here is my plan,

 

1. Upgrade both Panorama and log collectors to 8.0, confirm they are working, e.g. new logs are showing fine.

2. Start the old log migration with the following command.

    PA> request logdb migrate lc serial-number <serial_number> start

 

My question is on the 2nd step, where do I run this command from, is it from Panorama or LC? If it's panorama, I guess the serial_number is one of the log collectors?

 

Answer 2:

The command is correct:

> request logdb migrate lc serial-number <serial_number> start

 

The serial number is that of the actual Log Collector, and the command is run from the Panorama CLI. Because Panorama talks with 1 or more Log Collectors, the serial number is needed to identify which one to migrate.

If this is a Panorama without external Log Collectors, you would still run this command on the "stand-alone" Panorama, because Panorama has a built-in Log Collector. In that case, use Panorama's own serial number.

 

Question 3:

Anyone tested this or know if it is documented on the compatibility or not with 8.0 on the log-collectors but everything else on 7.1.

I know the rule of thumb that your manager (panorama) is to be your highest code version, however with the log-collector I could see this not applying.

 

Question 4:

The only issue we found was when we did this with the 7.0 and 7.1 code, the logs from our 7050's were not working correctly.

I did test the option of having a M500 log-collector on 8.0.2 and panorama on 7.1.9, but panorama could not connect.

 

Answer 3 and 4:

The rule of thumb is that Panorama and its Log Collector(s) always need to be on the highest version of PAN-OS. Since Panorama is backward compatible, you can have both the Log Collector and Panorama at PAN-OS 8.0 and firewalls at 7.1.x and 7.0.x.

 

As long as both the Log Collector and Panorama are the same version, then it will work properly.
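The version rule from Answers 3 and 4, written as a pre-upgrade check. This is an added example, not code from the original post or from Palo Alto Networks. The inventory format, device names and function names are assumptions, and "same version" is read here as an identical major.minor.maintenance number.

```python
import re

def parse_version(text):
    """Turn '8.0.2' into (8, 0, 2). Anything after the three numbers
    (for example a hotfix tag) is ignored for the comparison."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(p) for p in m.groups())

def check_upgrade_plan(panorama, log_collectors, firewalls):
    """Return a list of rule violations; an empty list means the plan is consistent.

    panorama: version string of the Panorama manager.
    log_collectors, firewalls: {device name: version string} (assumed format).
    """
    problems = []
    pano = parse_version(panorama)
    # Rule 1: every Log Collector runs the same version as Panorama.
    for name, ver in sorted(log_collectors.items()):
        if parse_version(ver) != pano:
            problems.append(
                f"log collector {name} is on {ver} but Panorama is on {panorama}")
    # Rule 2: no firewall runs a newer version than Panorama.
    for name, ver in sorted(firewalls.items()):
        if parse_version(ver) > pano:
            problems.append(
                f"firewall {name} is on {ver}, newer than Panorama {panorama}")
    return problems

# Constructed inventory: Panorama and collectors on 8.0, firewalls on 7.1.x / 7.0.x.
SUPPORTED = check_upgrade_plan(
    "8.0.2", {"lc-1": "8.0.2", "lc-2": "8.0.2"}, {"fw-a": "7.1.5", "fw-b": "7.0.9"})

# The combination tested in Question 4: collector on 8.0.2, Panorama on 7.1.9.
MISMATCH = check_upgrade_plan("7.1.9", {"m500": "8.0.2"}, {"fw-a": "7.1.5"})

if __name__ == "__main__":
    print("supported plan:", SUPPORTED or "no violations")
    for line in MISMATCH:
        print("violation:", line)
```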

 

Question 5:

Will logs still actively show up in Panorama while the process is going on?  We have all of our devices on 7.1.5 and Panorama is on 7.1.9.  We have all of our devices logging to Panorama.  I want to update Panorama to 8.0.1 but I'm not sure if there's anything I can do beforehand to help with the log migration.

 

Answer 5:

New logs should still flow to Panorama during the upgrade process, but don't be worried if you see increased CPU and memory usage during the upgrade process.

 

That's all for now, but if you have other questions, please feel free to start your own thread or comment below.

 

Oh, and before I forget, please see the following link for more information and instructions on upgrading Panorama, firewalls and High Availability pairs to 8.0:

Upgrade the Firewall to PAN-OS 8.0

 

Thanks for reading, and as always, stay secure!

Joe Delio

Comments
by dfeddersen
on ‎05-18-2017 01:20 PM

We currently have a Panorama virtual machine with 2TB of storage running 7.1.x.  I know there are changes to the log database in 8.0.x.  We also have some newer PA firewalls that only run 8.0.x, so we would like to upgrade Panorama.  How long can we run in "legacy" mode with Panorama 8.0.x?  I don't have 2+TB of additional storage at the moment to create a new disk to complete the log conversion.

 

Are there any limitations on running Panorama 8.0.x in "legacy" mode?  Can we run in that mode for a few weeks?  Can we still view the logs and run any needed reports?  Will logs still be stored in the legacy storage?

by OneAmongMany
‎05-22-2017 04:24 AM - edited ‎05-22-2017 04:25 AM

Thanks for putting this up as we have seen a number of questions from customers regarding this. 

 

One further question:

 

the migrate logdb command is, as noted, highly CPU and memory intensive and can be paused; while new logs should be visible while the old database is migrated, if the migrate is paused, would that affect new/old logs in any way?

 

I currently have a customer with a paused logdb migrate unable to view any logs old or new; both log collector and Panorama are on 8.0.2 and the Panorama has been changed from legacy mode. 

 

Thanks 

 

Alex

by
on ‎05-22-2017 04:21 PM

@OneAmongMany, Thanks for asking. 

I am not sure what should happen if you pause the migration. This sounds like this is something that support should help you with. I would recommend to open a support case with the Technical Assistance Center on this.

by OneAmongMany
on ‎05-23-2017 01:25 AM

@jdelio

 

Yeah - we already had a case open. Just to share what I learned there (confirmed by Panorama SME):

 

"Answering your question: "during the migration process the disk is locked and the logs are not processed" - this applies even when the migration is paused? So the logs will be remaining on the firewall?
The answer is "Yes" "

 

This makes total sense based on what we've seen, save for one thing; in the answer for 5 above:

 

"New logs should still flow to Panorama during the upgrade process,"  - so the disk is essentially locked from being read, but does still process new logs  (which would also suggest that old logs would get purged once too old/disk space required)? 

 

As it stands the documentation states that the process is CPU and memory intensive and so the 'time to completion' will be affected by incoming new log volume. 

 

(at least that is my understanding from what I've read, been told and seen in live environments)

by Fabien
on ‎06-19-2017 01:13 AM

Hello,

 

After migrating to Panorama mode I tried to start the copy of my logs, which were stored in an NFS directory, but it seems that no logs were imported, as it says 'traffic' is done. 0 records migrated, and the same thing for all log categories.

 

Has anyone already tried to import NFS logs after setting up Panorama mode?

 

Thanks

by Bocsa
on ‎09-19-2017 02:42 AM

Hi folks,

Assuming you successfully upgrade Panorama to 8.0 and successfully migrate the logs to the new format. If your firewalls are still running 7.1 and forwarding logs to Panorama, does Panorama automatically change subsequent logs from the 7.1 firewalls to the new format when ingesting the logs or do you have to change anything on the firewalls or Panorama????

 

Feedback appreciated

by sarumughan
on ‎01-12-2018 08:48 AM

Can the migration take this long?

--------------------------------------

Panorama0(primary-active)> request logdb migrate lc status

Slot: all
Migration State: In Progress
Percent Complete: 0.00
Estimated Time Remaining: 512155 hour(s) 9 min(s)   <<<<<<<<<<<<<=========

by BPry
on ‎01-12-2018 08:52 AM

@sarumughan,

I wouldn't really use the Time Remaining statistic to say how much time this will really take, especially since you appear to have just started the process. FYI, if it does take this long you'll have a nice 58.5 year wait :) 
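Added example, not part of either comment above and not Palo Alto Networks code: a parser for the `request logdb migrate lc status` output quoted in this thread, plus an estimate based on progress measured between two polls instead of the device's own figure. The second sample and the 4-hour polling interval are constructed for illustration, and the function names are assumptions.

```python
import re

# First sample: the status output quoted in the comment above (the poster's
# arrow annotation omitted). Second sample: constructed, same format, later poll.
SAMPLE_T0 = """Slot: all
Migration State: In Progress
Percent Complete: 0.00
Estimated Time Remaining: 512155 hour(s) 9 min(s)
"""
SAMPLE_T1 = """Slot: all
Migration State: In Progress
Percent Complete: 12.50
Estimated Time Remaining: 30 hour(s) 0 min(s)
"""

def parse_status(text):
    """Parse the 'Key: value' lines of the status output into typed fields."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    fields = {key.strip(): value.strip() for key, value in pairs}
    eta = re.match(r"(\d+) hour\(s\) (\d+) min\(s\)",
                   fields["Estimated Time Remaining"])
    return {
        "slot": fields["Slot"],
        "state": fields["Migration State"],
        "percent": float(fields["Percent Complete"]),
        "device_eta_hours": int(eta.group(1)) + int(eta.group(2)) / 60,
    }

def observed_eta_hours(earlier, later, hours_between):
    """Hours left, extrapolated from progress between two polls.

    Returns None when no progress has been measured yet, which is the case
    right after the migration starts (0.00 percent complete)."""
    gained = later["percent"] - earlier["percent"]
    if gained <= 0 or hours_between <= 0:
        return None
    return (100.0 - later["percent"]) * hours_between / gained

if __name__ == "__main__":
    t0, t1 = parse_status(SAMPLE_T0), parse_status(SAMPLE_T1)
    print("device ETA at start, in years:", round(t0["device_eta_hours"] / 8760, 1))
    print("ETA from measured progress, in hours:", observed_eta_hours(t0, t1, 4))
```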

by alexmandravillis
on ‎02-05-2018 01:21 PM

Hello, is it possible to get a sample of a log file from the old format and compare it with the same log file, converted to the new format? I can't find any information on what the 'new format' changes in logs, other than it's more efficient. Thank you.

by jvarghese
on ‎07-16-2018 10:29 AM

Hello,

 

Do you need to do any file conversion on M-500 or M-100, when upgrading from version 8.0.8 to version 8.0.10?

by BPry
on ‎07-16-2018 10:54 AM

@jvarghese,

No there is no conversion between the two. 
