Panorama High availability


Are there any issues with running 2 Panorama servers in an HA configuration across a WAN?  Recommendations for configuring hold timers and various interval settings?

Judy

10 replies

L4 Transporter

When you say Panorama HA across a WAN, what exactly are you talking about? Panorama1 and Panorama2 are at opposite ends of a WAN link? Or Pan1 and Pan2 are located at one site and the firewalls are located at a different site?

Logging over the WAN depends entirely on your traffic through the firewall and how much data you log.

Steve Krall

We are also concerned about the operation of HA between Panorama servers in multiple locations, as well as logging from PA firewalls across the WAN.

FYI - our WAN is very fast, high-speed links with not much traffic, i.e. 10Gbps, and the sites are not that far apart (say < 30ms nominal).

We want to know about:

  • HA syncing between Panorama 1 and Panorama 2
  • HA failover from Panorama 1 to Panorama 2
  • specific configuration "knobs" that impact false-positive and false-negative regarding HA (HA failovers that are not necessary, or actual failures that do not trigger HA, respectively).
  • rules-of-thumb regarding latency, bandwidth-delay product, how HA is done (TCP/UDP, which ports, what IP options, TCP/UDP options, etc.)

HA syncing and failover - what is automated, and what needs to be done manually? On Panorama? On PA firewalls in Active/Standby?

What gets synced between Panorama instances? Just configs? How about logs? Is there any way to de-dup logs sent to two Panoramas? Are there any special techniques/commands/tools to support merging/syncing/de-duping logs, e.g. via a third Panorama?

What are the options regarding exporting (e.g. ranges of dates), and clearing (also ranges of dates) logs?

What are the performance/scalability limits on logs? Is there a way to partition the DB for historical views, that avoids some of these issues? What DB is used, is there a published schema for it, are there third party tools available for managing the DB for logs?

Thanks,

Brian Dickson

bdickson at verisign dot com

Hi Brian/Judy,

It would be best if you work with your systems engineer from PA to discuss your scenario and answer your questions.

Thanks

Brian,

Since you have a lot of questions I think it would be good to setup a call with me (Panorama PM) and your SE.

I will reach out to you unicast to set this up.

Thanks,

Mike Schuricht

Brian asks some good questions regarding the inner workings of Panorama. Is there any available documentation that covers at least some portion of what he's asking? Or are we supposed to go thru our SE to get any of this detail?

There is some documentation on setup procedures in the admin guide, and I would also suggest talking with your SE to get some added details. At that point, if there are still open items, we can have a conf call if needed.

I was wondering on this issue, if Panorama is able to sync databases from two geo-located instances for HA?

If so, what documentation is referenced?

There is no sync of the log databases between HA peers. Devices send logs to both Panorama HA instances by default when utilizing VMware virtual disk storage, so the sync is not needed. The devices will buffer logs if connectivity to either Panorama is lost, and then spool them to the disconnected Panorama upon reconnection.

I reuse this thread since this is a semi high availability question regarding Panorama.

Is it possible to set up Panorama this way?

1) One Panorama at each site (datacenter).

Well, of course this on its own will work, but this is just to explain what I'm thinking of 🙂

2) Devices at siteX will log to Panorama at siteX.

This is also pretty straightforward, since you set up the IP of the Panorama in each device.

3) Each Panorama will then send a copy of the logs to a syslog server (along with admin logs).

Is this possible today? Or must each device send the syslogs to the syslog server?

4) Configurations are synced between all Panoramas, so it doesn't matter which Panorama the administrator logs in to in order to change a security rule or such.

This is the main question. The idea is that logs are handled locally at each site (datacenter), while configurations are redundant at all Panoramas. Like a clustering feature of Panorama. The point here is also to keep the logs locally (no need to synchronise logs between Panoramas/sites in this case), but as a backup the archive feature will be used.

L2 Linker

This is a reply to an old post, but for the benefit of the community ...

As per the admin guide, you can ping between both Panorama servers using the mgmt IPs (across the WAN in this case), and if the response times are sub 500ms then you're good to go!

Ajaz Nawaz
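A small pre-check for the latency rule of thumb quoted in the reply above. This is an added example, not code from the thread or from Palo Alto Networks: it parses the summary line of a `ping` run against the peer's management IP and compares the average RTT with the 500 ms figure mentioned there. The peer address and the 500 ms limit are assumptions taken from the thread, not limits verified against the admin guide.

```shell
#!/bin/sh
# Added example (not from the thread or the vendor docs): check the WAN RTT to
# the Panorama HA peer's management IP against the 500 ms figure quoted above.
PEER_MGMT_IP="${PEER_MGMT_IP:-192.0.2.10}"   # placeholder peer mgmt IP, set your own
MAX_RTT_MS=500                               # assumed limit, from the reply above

# parse_avg_rtt PING_OUTPUT: print the average RTT in whole milliseconds
# (truncated) from a ping summary line such as
#   rtt min/avg/max/mdev = 27.100/28.450/31.002/1.102 ms      (Linux iputils)
#   round-trip min/avg/max/stddev = 27.1/28.4/31.0/1.1 ms     (BSD/macOS)
# Returns 1 (prints nothing) when no summary line is present, e.g. peer down.
parse_avg_rtt() {
    printf '%s\n' "$1" | awk '
        /min\/avg\/max/ {
            split($0, parts, "= ")      # parts[2] = "27.100/28.450/31.002/1.102 ms"
            split(parts[2], f, "/")     # f[2]     = "28.450"
            printf "%d\n", f[2]
            found = 1
        }
        END { exit !found }'
}

# rtt_within_limit AVG_MS MAX_MS: 0 if AVG_MS <= MAX_MS, 1 otherwise
rtt_within_limit() {
    [ "$1" -le "$2" ]
}

# check_peer_rtt PING_OUTPUT: print a verdict; return 0 if reachable and within
# the limit, 1 if reachable but too slow, 2 if no RTT summary (unreachable).
check_peer_rtt() {
    avg=$(parse_avg_rtt "$1") || { echo "peer unreachable: no RTT summary in ping output"; return 2; }
    if rtt_within_limit "$avg" "$MAX_RTT_MS"; then
        echo "avg RTT ${avg} ms <= ${MAX_RTT_MS} ms: within the quoted HA limit"
        return 0
    fi
    echo "avg RTT ${avg} ms > ${MAX_RTT_MS} ms: WAN latency exceeds the quoted HA limit"
    return 1
}

# Live run against the peer (needs network); enable with RUN_LIVE=1.
if [ -n "$RUN_LIVE" ]; then
    check_peer_rtt "$(ping -c 10 "$PEER_MGMT_IP" 2>&1)"
fi
```

Run it as `RUN_LIVE=1 PEER_MGMT_IP=<peer mgmt IP> sh check_rtt.sh` from one Panorama's shell or a host on the same management network; a single ping run is a sanity check, not a substitute for measuring latency over time.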
