Panorama HA - NFS vs internal storage


L4 Transporter

I have not been able to find very much information about Panorama HA. Only a short chapter in the admin guide. Does any more documentation about this exist?

Is there any best practice when it comes to configuring log storage for a Panorama HA setup?

As I understand it, if you have internal storage on your Panorama HA peers, there is no log sync between them. Logs are sent to both servers from the firewalls. Is this correct?

The admin guide says that when configuring the same external log facility for servers, only the primary will receive the logs from the firewalls. Is this the preferred way of doing it, since you may save some resources and storage on your VMware server?

Accepted Solutions

L4 Transporter

After spending some time with this in the lab, and talking to support, we were able to set up Panorama HA logging to an NFS share. Apparently, only the primary active device will log to the NFS, while the secondary passive will log to internal storage. This means that the firewalls are sending logs to both Panorama servers. If a failover occurs, the secondary will become active, but will still just write to its local storage. However, when the primary is available again, the secondary will send the logs that the primary missed.

If you need the secondary to be able to write to the NFS, it must be converted to primary, using the following steps:

1. S1 is the Active Primary and S2 is the Passive Secondary.

2. Failover occurs and S2 becomes the Active Secondary.

3. Administrator decides that S2 should be converted to a Primary.

4. Administrator powers off S1.

5. Administrator configures S2 to be Primary and commits the config.

6. The commit prompts that a reboot is required. Do not reboot yet!

7. The administrator issues "request high-availability convert-to-primary" on S2. S2 dynamically mounts the NFS disk, converts the ownership of the partition to S2 and unmounts the partition.

8. Administrator reboots S2.

9. S2 comes up.

2 REPLIES

Not applicable

It's not just Panorama HA. I can't seem to find any specific documentation for the Panorama. I purchased and understand PANOS on the firewalls, but how it works on the Panorama is not so clear.

Would be nice if there were actually manuals specific to the product we purchase.....hint hint. How about a Panorama Admin Guide?
