Probably an obvious question but the documentation doesn't seem to reference this directly...
If I have 2 x M-100s in HA, by default they are in a state where the primary is listed within the "Managed Collectors". From what I understand the logs are not sync'd between the primary and secondary - only the configuration aspect of Panorama. With that in mind my assumption is that the secondary can act as its own collector while operating in secondary mode. Is this a true statement?
If that's the operational mode given this setup, I'm going to also assume that, from either M-100, we should be able to leverage reporting which will correlate across both logging stores between the pair?
Correct, the secondary can act as an independent collector and logs can be forwarded directly to the M-100 from 5.0 FWs via the Collector Group > Log Forwarding configuration.
Correct, either M-100 (primary or secondary) can be used to run reports or view logs which will be correlated across both Panorama HA pairs.
To make this work you will need to configure the primary and secondary M-100 as Managed Collectors on the active box so that the config has both M-100s referenced. This will sync to both devices on Panorama commit and then you can add the secondary collector to a new independent log collector group, do a Panorama commit, and then a Collector Group commit. This should result in the configuration you desire.
Note: You will also need to configure the Log Forwarding tab inside the Collector Groups to set up which FWs you want forwarding to the primary vs. secondary M-100.
Is there any reason why both of those particular managed collectors need to be in separate log collector groups? Per the documentation it states that it's not recommended to have the M-100s in groups exceeding 4TB, however since the logs can't automatically be sent to either of the two in the group dynamically I'm not sure why it would matter. Is there a specific technical reason that this is the case or is it just a recommendation not to confuse the fact that if one of those M-100 collectors would go down that the firewalls sending logs to that particular unit wouldn't automatically switch over?