How to Configure an M-100 to Function as Both a Log Collector and Panorama

Overview

This document describes the steps to configure a Palo Alto Networks M-100 to function as both Panorama and Log Collector.

 

Steps

To configure Panorama to manage devices, follow the instructions below:

  1. Navigate to Panorama > Managed Devices
  2. Click 'Add' to add devices that will be managed by the M-100
  3. Navigate to Panorama > Device Groups
  4. Click 'Add' to create a device group
  5. Add the device into the group

Note: The devices can be managed the same way as other Panorama deployments.

 

To configure the Log Collector functionality, follow the instructions below:

  1. Add the M-100 as the collector
    1. Go to Panorama > Managed Collectors
    2. Enter the Serial Number (S/N) of the M-100 into the Collector S/N field
      Note: The S/N and hostname for this example are 009201000347 and panomgmt-a
    3. Perform a local commit before adding the disk from the Disks tab; otherwise the disk will not be visible.
    4. Under Panorama > Managed Collectors > Disks tab, define the RAID 1 disk pair that will be used to store logs.

      Note: Additional disk pairs can be added as needed to expand storage capacity. By default, the M-100 is shipped with the first RAID 1 pair enabled, with drives installed in bays A1 and A2. To set up RAID, issue the request system raid add command from the CLI:
      > request system raid add A1
      Executing this command may delete all data on the drive being added.
      Do you want to continue? (y or n)

      > request system raid add A2
      Executing this command may delete all data on the drive being added.
      Do you want to continue? (y or n)
  2. Perform a local commit on the Panorama
  3. Configure Log Collection
    1. Navigate to Panorama > Collector Groups
    2. Go to the Log Forwarding tab
    3. Under Collectors, add the M-100 hostname
      Note: This adds the M-100 into its own configuration
    4. Under Log forwarding preferences, add the device whose logs need to be forwarded
  4. Perform a local commit on the Panorama
  5. Perform a Collector Group commit
    Note: If you skip step 5, you will see this error: "Ring version mismatch."

The Collector should appear connected and the Configuration Status field should be "In sync".

Note: If step 5 is not performed, the Collector Configuration state will be "Out of sync".

Note: When viewing the disk space of the system, show system logdb-quota does not display the usage of RAID disks. The command displays only the statistics of logs in the SSD. If the log quota settings of RAID disks need to be configured or checked, go to Panorama > Collector Groups > (name of the Collector Group) > General tab and select the link next to Log Storage.

 

See Also

M-100 Log Collector Configuration

How to Change the Operational Mode from Log Collector to Panorama on the M-100 Device

 

owner: sraghunandan

Comments

In step 1, make sure that you have added the RAID disks.

I have configured the M-100 as per the guide above, but the output of "show system logdb-quota" seems to only show using the system disk, and I don't know if this is expected output from an M-100. In an M-100 environment, does "show system logdb-quota" become obsolete? Is there a better CLI command I should be using?

The command "show system logdb-quota" doesn't display the usage of RAID disks. It displays only the statistics of logs in the SSD. So, if you would like to configure/check the log quota settings of RAID disks, you need to check under Panorama > Collector Groups > (name of the Collector Group) > General tab > click the link next to Log Storage.

However, if you just want to check the RAID disk storage/availability status, you could issue the command "show system disk-space" from the CLI. If you have a VM Panorama managing an M-100 Collector, you need to issue this command on the Log Collector.

OK, let me ask a different question. If on the FW or the Panorama VM I don't have a URL license, I might want to adjust the percentages of the disk allocated to the threat log. I would do this by running show system logdb-quota and comparing the traffic log vs. the threat log usage, and based on a ratio I would reduce the percentage allocated to threat and re-allocate it to traffic. What command can I run on the M-100 that will give me the same stats so I can adjust the quotas in Panorama -> Collector Group -> Log Storage?

We have an M-100 with one pair of RAID disks; can we jump to 2 TB, by adding another pair of RAID disks? I am confused about this section in the Panorama datasheet:

M-100 MANAGEMENT APPLIANCE SPECIFICATIONS

I/O

• (1) 10/100/1000, (3) 10/100/1000 (for future use), (1) DB9 Console serial port

STORAGE (2 OPTIONS)

• M-100 1TB RAID: 2 x 1TB RAID Certified HDD for 1TB of RAID Storage

• M-100 4TB RAID: 8 x 1TB RAID Certified HDD for 4TB of RAID Storage

I understand from this that I either have 1TB or 4TB. Am I wrong?

Thank you

Yes, it's flexible. By adding another pair of RAID disks you can jump to 2 TB. The documentation is mentioning that you can purchase the M-100 with 1TB storage or 4 TB storage.

Thanks!