Are there any issues with running 2 Panorama servers in an HA configuration across a WAN? Recommendations for configuring hold timers and various interval settings?
When you say Panorama HA across a WAN, what exactly are yo talking about? Panorama1 and Panorama2 are at opposit ends of a WAN link? Or Pan1 and Pan2 are located at one site and the firewalls are located at a diffeent site?
Logging over the WAN depends entirely on your traffic through the firewall and how much data you log.
We are also concerned about the operation of HA between Panorama servers in multiple locations, as well as logging from PA firewalls across the WAN.
FYI - our WAN is very fast, high-speed links with not much traffic, i.e. 10Gbps, and the sites are not that far apart (say < 30ms nominal).
We want to know about:
HA syncing and failover - what is automated, and what needs to be done manually? On Panorama? On PA firewalls in Active/Standby?
What gets synced between Panorama instances? Just configs? How about logs? Is there any way to de-dup logs sent to two Panoramas? Are there any special techniques/commands/tools to support merging/syncing/de-duping logs, e.g. via a third Panorama?
What are the options regarding exporting (e.g. ranges of dates), and clearing (also ranges of dates) logs?
What are the performance/scalability limits on logs? Is there a way to partition the DB for historical views, that avoids some of these issues? What DB is used, is there a published schema for it, are there third party tools available for managing the DB for logs?
bdickson at verisign dot com
Since you have a lot of questions I think it would be good to setup a call with me (Panorama PM) and your SE.
I will reach out to you unicast to set this up.
Brian asks some good questions regarding the inner workings of Panorama. Is there any available documentation that covers at least some portion of what he's asking? Or are we supposed to go thru our SE to get any of this detail?
There is some documentation on setup procedures in the admin guide and I would also suggest talking with your SE to get some added details. At that point if there are still open item we can have a conf call if needed.
I was wondering on this issue, if Panorama is able to sync databases from two geo-located instances for HA?
If so what documentation is the referenced?
There is no sync of the log databases between HA peers. Devices send logs to both Panorama HA instances by default when utilizing VMware virtual disk storage so the sync is not needed. The devices will buffer logs if connectivity is lost, to either Panorama, and then spooled to the disconnected Panorama upon reconnection.
I reuse this thread since this is a semi high availability question regarding Panorama.
Is it possible to setup Panoroma this way?
1) One Panorama at each site (datacenter).
Well of course this on its own will work but this is just to explain what Im thinking of :-)
2) Devices at siteX will log to Panorama at siteX.
This is also pretty straight through since you setup the ip of the Panorama in each device.
3) Each Panorama will then send a copy of the logs to a syslogserver (along with adminlogs).
Is this possible today? Or must each device send the syslogs to the syslogserver?
4) Configurations are synched between all Panoramas so it doesnt matter which Panorama the administrator logins to in order to change a security rule or such.
This is the main question. The idea is that logs are handled locally at each site (datacenter) where configurations are redundant at all Panoramas. Like a clustering feature of Panaroma. The point here is also to keep the logs locally (no need to synchronise logs between Panoramas/Sites in this case) but as backup the archive feature will be used.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!