We have Panorama M100 and 2 M500 for logs.
Under Panorama GUI -- log collectors, I have configured which PA will send logs to which log collector.
Firewall does not have this info.
Need to know: how does the firewall know which log collector it needs to send logs to?
Does this info come from Panorama to the firewall? If yes, then how and when?
First things first.
Is your M100 device in Panorama mode?
If so, you need to make sure that the default Local Collector is in a different Collector Group to that of the two M500's. Collector Groups must contain devices all of the same SKU. This means if you want to introduce log redundancy for logs already residing on your M100 local collector you might be out of luck. AFAIK there is no method to transfer logs between different Collector Groups (would love to be proven wrong here!).
But assuming your M500s are in a distinct collector group and you have configured your devices in preference list/s, this should be shared with the devices as soon as it makes its association to Panorama (Setup > Panorama Servers) and the device is part of the Managed Devices list. It is not part of any Template or Device Config.
If your devices are members of the default collector group and you relocate them to another, I believe the information is pushed from Panorama when you commit to Panorama. I don't think this action requires a device push.
You can confirm log collector preferences on a managed firewall by running the below command on the firewall itself.
show log-collector status
Obviously for the logs to be collected you will need to configure log forwarding profiles and logging settings using the usual Panorama setting.
1> Yes, M100 is running in Panorama mode.
2> Yes, we have configured a preference list for each PA for sending logs to M500 in Panorama.
3> Under Collector group I have below
M500 -----------------2 M500 here.
4> So my question remains: how does Panorama send info to the PA to send the logs to a certain M500?
I think I kind of answered that in my post.
The information is shared when a commit to Panorama is performed. In terms of the means of transport, I assume it's via the Panorama communication channel over TCP 3978.
Does that mean that when we commit on Panorama and push config to the FW the first time regarding the log collector config, it then sends this info to the PA?
After that, if no changes are made on the log collector, then no config is sent.
Is there any CLI or debug command to confirm this?
It should take effect after a Panorama & Managed Collector commit. A push to the firewalls is not necessary (I believe).
I'm not fully clear on what you're trying to confirm exactly. The command in my OP, when run on the firewall, will show the LC preference it has gotten from Panorama after the aforementioned commit.
You mean to say when on PA you run sh logging status
or show logging pref list
it shows there that this info has come from Panorama?
It shows the log collector preference defined IN Panorama, yes. AFAIK there is no way to locally override this setting. It's impossible to have a setting here without Panorama. So there isn't a question of this configuration coming from anywhere else other than the Panorama server configured on the firewall.