This document outlines the various system modes available for Palo Alto Networks Panorama and provides guidance on transitioning between them. Panorama offers flexibility with its different modes: Panorama, Management-Only, and Logger.
Reasons for changing system modes might include optimizing resource allocation by separating log collection and management, transitioning to dedicated logging with Logger mode, or simplifying operations to management-only. Each mode serves a specific purpose and knowing the prerequisites and considerations for each transition is essential to avoid data loss and ensure smooth operations.
1. Changing from Panorama Mode to Management-Only Mode
This section details the process and considerations for moving a Panorama appliance from its default Panorama mode (managing devices and processing their logs) to Management-Only mode (solely for device management).
Summary of Mode Change: Panorama > Management-Only
- No loss of configuration.
- Firewall Logs are lost (as management-only mode disables the Log Collector processes).
- There is no officially supported method to retain these logs; attempting to manipulate disks is not supported.
Prerequisites
- Log Collector Group Assignment: All managed firewalls must be assigned to a Log Collector Group. Refer to Palo Alto Networks Knowledge Base article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008Ub7CAE.
- If there are no Log Collector Groups and no Dedicated Log Collectors available, create a “dummy” Log Collector Group and a Dedicated Log Collector and assign managed devices to this temporary Group.
- Please note that adding a disconnected Dedicated Log Collector to a Log Collector Group must be done via CLI as it is not possible via GUI.
  - CLI: set log-collector-group {DUMMY_LCG_NAME} logfwd-setting collectors {DUMMY_DLC_SERIAL_NUMBER}
  - Example: set log-collector-group EMPTY_LCG logfwd-setting collectors 1234
- If there are any disconnected managed devices not assigned to a Log Collector Group, these need to be removed, or assigned to an LCG via CLI as it is not possible to assign a disconnected device to an LCG via GUI.
  - CLI: set log-collector-group {DUMMY_LCG_NAME} logfwd-setting devices {DEVICE_SERIAL_NUMBER}
  - Example: set log-collector-group BLANK_LCG logfwd-setting devices 4567
- Isolation of Local Log Collectors (LLCs): Ensure that any Local Log Collectors (running on the Panorama itself) are not part of any Log Collector Groups. This might require removing the Local Log Collectors from existing Log Collector Groups.
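The two prerequisites above can be checked before the mode change from an exported Panorama configuration. The following pre-flight script is an added example, not Palo Alto Networks code; it assumes the XML layout implied by the CLI syntax on this page (log-collector-group/entry/logfwd-setting/devices and /collectors, managed devices under mgt-config/devices) and uses a constructed sample configuration with placeholder serial numbers.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of a Panorama configuration.
# Element layout is an assumption derived from the page's CLI commands:
#   set log-collector-group <LCG> logfwd-setting devices <SERIAL>
#   set log-collector-group <LCG> logfwd-setting collectors <SERIAL>
# "PANORAMA-SN" stands in for the Panorama's own serial (its Local Log Collector).
SAMPLE_CONFIG = """<config>
  <mgt-config>
    <devices>
      <entry name="4567"/><entry name="8910"/><entry name="1122"/>
    </devices>
  </mgt-config>
  <panorama>
    <log-collector-group>
      <entry name="LCG-PROD">
        <logfwd-setting>
          <collectors><entry name="000111"/><entry name="PANORAMA-SN"/></collectors>
          <devices><entry name="4567"/><entry name="8910"/></devices>
        </logfwd-setting>
      </entry>
    </log-collector-group>
  </panorama>
</config>"""


def preflight(config_xml, local_serial):
    """Return (managed devices not in any LCG, LCGs that contain the local collector)."""
    root = ET.fromstring(config_xml)
    managed = {e.get("name") for e in root.findall("./mgt-config/devices/entry")}
    assigned, local_in = set(), []
    for lcg in root.findall("./panorama/log-collector-group/entry"):
        assigned.update(d.get("name") for d in lcg.findall("./logfwd-setting/devices/entry"))
        # The Local Log Collector must not be a member of any group before the switch.
        if any(c.get("name") == local_serial
               for c in lcg.findall("./logfwd-setting/collectors/entry")):
            local_in.append(lcg.get("name"))
    return sorted(managed - assigned), local_in


def cli_fixes(unassigned, dummy_lcg):
    """Build the CLI lines from this page that assign the leftover devices to a dummy LCG."""
    return [f"set log-collector-group {dummy_lcg} logfwd-setting devices {s}" for s in unassigned]


if __name__ == "__main__":
    missing, groups = preflight(SAMPLE_CONFIG, "PANORAMA-SN")
    print("Devices without LCG:", missing)          # ['1122']
    print("LCGs containing local collector:", groups)  # ['LCG-PROD']
    for line in cli_fixes(missing, "EMPTY_LCG"):
        print(line)
```

Run it against a real exported config only after confirming the element paths match your Panorama version, since the layout here is assumed.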
Key Considerations
- Loss of Local Logs: Switching to Management-Only mode will stop local log collection on Panorama. Ensure you have dedicated Log Collectors in place to handle logging for your managed devices.
- HA Pair Transition: When dealing with an HA pair, it's recommended to start with the secondary (passive) Panorama. Be aware of potential temporary failovers due to operational mode mismatches.
- Potential Communication Issues: After the mode change, you might encounter temporary communication issues with existing Dedicated Log Collectors (e.g., "ring version mismatch"), which may require a "commit force" on Panorama to resolve.
2. Changing from Management-Only Mode to Panorama Mode
This section outlines the considerations for enabling local log collection capabilities on a Panorama that is currently in Management-Only mode.
Summary of Mode Change: Management-Only > Panorama
- No loss of configuration.
- There are no logs to lose (as management-only mode doesn't collect logs).
Prerequisites
- In the case of Virtual Panorama appliances, at least one logging disk of 2TB needs to be attached to the VM before the switch.
Key Considerations
- Enabling Local Logging: This change will allow the Panorama to act as a Local Log Collector. You will need to configure Log Collector Groups to include the local log collector if you wish for the Panorama to store logs.
- Resource Usage: Enabling Panorama mode will consume system resources for log collection in addition to device management. Ensure your Panorama appliance has sufficient resources.
3. Changing from Panorama Mode to Logger Mode
This section describes the transition of a Panorama instance to function solely as a dedicated Log Collector.
Summary of Mode Change: Panorama > Logger
- Configuration lost (Logger mode doesn't utilize Device Group/Template configurations).
- Logs lost.
- There is no officially supported method to retain these logs; attempting to manipulate disks is not supported.
Prerequisites
- Ensure you have backed up your Panorama configuration if you might need to revert or reference it later, as the configuration relevant to management will be lost.
Key Considerations
- Loss of Management Configuration: Switching to Logger mode will erase the management configuration (Device Groups, Templates, etc.). This action is irreversible without restoring from a backup.
- Loss of Local Logs: Any logs currently stored locally on the Panorama will likely be lost during this transition.
- Dedicated Logging Role: After this change, the system will only function as a log collector and will not manage firewalls. You will need a separate Panorama instance for management.
4. Summary Table
| Current Mode | New Mode | Pre-requisites | Impact |
|---|---|---|---|
| Panorama | Management-Only | All managed devices must be assigned to an LCG; Local Log Collector must not be a member of any LCG | Loss of logs; no configuration impact |
| Management-Only | Panorama | 2nd disk of 2TB must be attached (applies to VM appliance only) | No impact |
| Panorama | Logger | Device Management license must be applied | Loss of logs; loss of Template and DG configuration |
| Logger | Panorama | 2nd disk of 2TB must be attached (applies to VM appliance only) | Loss of logs; no configuration impact |
| Logger | Management-Only | Must switch to Panorama mode first | See above |
| Management-Only | Logger | Must switch to Panorama mode first | See above |