Panorama Confusion


I have a PA-3020 V8.1.7 and a Panorama V8.18 VM (ESX).

 

I simply require Panorama to both manage the 3020 and collect its logs.

 

I have tried to follow endless instructions on how to achieve this but now seem to be struggling with the different Panorama modes and log collectors...

 

I have added the additional 2TB disk as required, and although I can manage the firewall via templates I cannot collect any logs from it.

On the 3020 CLI:

    show log-collector preference list
    Log collector preference list does not exist.

Any further advice please...

Many thanks in advance.....

 

 

 



Hmmm, make sure you have set up a log forwarding profile on the FWs to PUSH the logs to Panorama.

 

I did not see that you had done this yet.

 

 


Run this command on the FW:

    show logging-status

On the Panorama run this command:

    show logging-status device <serial no>

Try restarting the log receiver on the FW:

    debug software restart process log-receiver

MP


Thanks for your replies.

 

@SCantwell_IM  Yes, good point, but I do have a log forwarding profile configured. Not sure if it's working, but it's there...

 

@MP18  As below. I think my issue is with Panorama. Do you run a similar setup? If so, do you have a local log collector configured on the Panorama VM? The instructions say that after I have added another 2TB and restarted Panorama it will automatically add a local log collector, but this is not happening.

 

I will post this instruction when I find it again.

[screenshots: showlogfw.png, showlogpanorama.png]

This is what should happen:

 

Return to the Panorama CLI and run the following command.

    > request system system-mode panorama

Enter y when prompted to continue. After rebooting, Panorama automatically creates a local Log Collector (named Panorama) and creates a Collector Group (named default) to contain it. Panorama also configures the virtual logging disk you added and divides it into separate 2TB disks. Wait for the process to finish and for Panorama to reboot (around five minutes) before continuing.

But the log collector is not created. I can add it manually, but still no logging.

Also...

This is the output from Panorama disk details.

I would have thought that the 2TB logging disk should be separate.

    admin@Panorama> show system disk details

    Name   : sdb
    State  : Present
    Size   : 2097152 MB
    Status : Available
    Reason : Admin enabled

    admin@Panorama>

Cancel the previous post on what should happen; I am now doing a new install via this documentation:

 

https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/set-up-panorama/set-up-the-panorama-vi...

 

But could someone confirm whether I still need to use a local log collector.

OK, getting better... so I will need to revisit this on Monday. Thanks all for your help.

 

[screenshot: ashow2.png]

Yes, you will need a local log collector (default) if you do not have any external log collector like an M-500.

 

MP


@Mick_Ball I don't know if there is a way for us to have a side conversation on here or not, but I'm trying to set up new loggers and am having a little trouble.  Hoping you can maybe help.

@RobertShawver 

 

I haven't seen MickBall in a while.

 

What is going on?  How can we assist?

 

Are you setting up virtual log collectors within Panorama?

Did you already confirm you have a 2nd HDD with 2TB?

If so, great.

 

Next steps:

 

Panorama ==> Virtual Log Collector

Add in the same serial number as your Panorama (or the serial number of your physical log collectors).

COMMIT!

 

Go to Log Collector Group, and ADD in the new virtual/physical log collector.

Confirm you see Drive A in the list.

COMMIT!

 

Go back into your Log Collector Group

Add your devices to log forward to the new log collector.

COMMIT

 

Then go to COMMIT > Push to Devices (Edit Devices), choose Log Collectors, and COMMIT again!

 


@SCantwell_IM Hey - Thanks for the reply.

 

So basically I am trying to achieve figure one of this document by the end of my project: https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-overview/centralized-logging-...

 

We have two Panoramas in an active/passive setup, PanoA and PanoB. My company wants to bring in two more Panoramas strictly as log servers. So PanoA and PanoALog, PanoB and PanoBLog. PanoA and PanoB would become strictly management.

 

I have done everything that you described already and now have two Collector Groups - Default and Remote.

 

Default has PanoA and PanoB.  Remote has PanoALog and PanoBLog.

 

All sounds good so far, but here is where I'm starting to either question myself or I'm having an issue.

 

I am slowly removing the Managed Devices from Default to Remote, however within my Syslog server it still looks like those devices are getting to the Syslog server via the original PanoA and PanoB.  In other words, none of the new loggers, PanoALog and PanoBLog appear to be talking to the syslog server.

 

I've added them to all the Security Rules that PanoA and PanoB were in.  Additionally, the Log Redistribution State has been at 0% for five days now on the Remote Collector Group - Default says none.

 

Eventually I'd like to be able to use the monitor tab of PanoA and PanoB, but have all logging done on PanoALog and PanoBLog and have them forwarding to my syslog server.

 

And I guess I don't really understand the difference between Device Log Forwarding and Collector Log Forwarding.

 

Thanks in advance for any help.

 

Hi Robert

 

This pic here (snipped) is doing DEVICE log forwarding. From my perspective, it is inefficient, because all logs should first go to Panorama (Log Collectors) and then the Log Collector can forward to external services.

 

[screenshot: SteveCantwell_0-1603802603101.png]

 

This picture below (as you mentioned) is what you wanted to achieve (fwd logs TO the Panorama, and let the PANORAMA forward to external services).

 

[screenshot: SteveCantwell_1-1603802763625.png]

 

Without looking at your setup... I am curious if you have removed, from the Default log collector group, all configurations regarding the log forwarding of notifications.    Also, you need to make sure  (via Device Group) or via locally configured, that your FWs do not have a Syslog profile configured to push to the Syslog servers.  This is what I think is happening.

 

See, a lot of ppl duplicate their logs... Copy 1 goes to Panorama, and Copy 2 goes to Syslog (from the FW's perspective...); this is that inefficiency I mentioned. So, go to your devices and see if there is a locally configured log forwarding profile and confirm if there is a syslog configured within the profile. If so, then this is just a small part of your issue. Fixing it so that logs DO go to your Remote log collector is what I think your issue is. Now the challenge.

 

The logs that are forwarded from device to Default have acknowledgement packets sent between them. So, for example, if a FW sent 100 logs to the Default Log Collector group, then the Default would show (and ack) that 100 were received. It is just a theory, but what could happen is that the device and the Remote are out of sync. You just set up Remote... but from the FW's perspective, it may be going "hey, I already sent 100 logs in, and the new kid on the block (Remote) did not or has not ack'd them..."

 

Again, just a theory, but there are KB articles about Panorama not getting logs from FWs. 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmVlCAK

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXACA0

 

Above are but a few I could find quickly.

 

It may not be a bad idea to open a TAC case via the web.

 

Good luck!

 

 

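Added example (mine, not from any poster in this thread and not Palo Alto Networks code): a small parser for the `show logging-status` output MP18 suggests running on the firewall, checking it for the three symptoms discussed above: the forwarding agent not being connected to any collector, log types whose last sequence number forwarded is ahead of the last one acked (the out-of-sync/unacked situation Steve describes), and log types that are still being created but whose last forwarded timestamp has fallen behind. The column layout is reconstructed from memory of PAN-OS 8.x output and the sample table is constructed; the collector address 192.0.2.10 and the 5-minute lag threshold are placeholders. Adjust the regex if your version prints the table differently.

```python
"""Check `show logging-status` output for log-forwarding problems.

Added example, not from the thread. Column layout is reconstructed from
PAN-OS 8.x output; the sample below is constructed, not captured.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of `show logging-status` on a PAN-OS 8.x
# firewall: one row per log type, then the forwarding-agent status line.
# The traffic row is deliberately unhealthy: forwarding stopped 22 minutes
# before the newest log, and 1556 forwarded logs were never acked.
SAMPLE = """\
      Type             Last Log Created          Last Log Fwded            Last Seq Num Fwded  Last Seq Num Acked  Total Logs Fwded
      > CMS 0
      config           2020/10/27 09:12:01       2020/10/27 09:12:01       41                  41                  41
      system           2020/10/27 10:01:44       2020/10/27 10:01:44       9876                9876                9876
      threat           Not Available             Not Available             0                   0                   0
      traffic          2020/10/27 10:02:30       2020/10/27 09:40:12       120456              118900              118900
      hipmatch         Not Available             Not Available             0                   0                   0
      'Log Collection' log forwarding agent is active and connected to 192.0.2.10
"""

TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
ROW = re.compile(
    rf"^\s*(?P<type>[a-z][\w-]*)\s+"
    rf"(?P<created>{TS}|Not Available)\s+"
    rf"(?P<fwded>{TS}|Not Available)\s+"
    r"(?P<seq_fwded>\d+)\s+(?P<seq_acked>\d+)\s+(?P<total>\d+)\s*$"
)
# Status line printed when the firewall's forwarding agent has a collector.
AGENT = re.compile(r"log forwarding agent is active and connected to (\S+)")


def _ts(s):
    """'Not Available' means no log of that type yet; otherwise parse it."""
    return None if s == "Not Available" else datetime.strptime(s, "%Y/%m/%d %H:%M:%S")


def parse_logging_status(text):
    """Return ({log_type: row dict}, collector address or None)."""
    rows, collector = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows[m["type"]] = {
                "created": _ts(m["created"]),
                "fwded": _ts(m["fwded"]),
                "seq_fwded": int(m["seq_fwded"]),
                "seq_acked": int(m["seq_acked"]),
                "total": int(m["total"]),
            }
            continue
        a = AGENT.search(line)
        if a:
            collector = a.group(1)
    return rows, collector


def check_logging_status(text, max_lag=timedelta(minutes=5)):
    """Return human-readable findings; an empty list means forwarding looks healthy."""
    rows, collector = parse_logging_status(text)
    findings = []
    if collector is None:
        findings.append("forwarding agent is not connected to any log collector")
    for name, r in rows.items():
        # Forwarded but never acked: Panorama/collector is not acknowledging.
        unacked = r["seq_fwded"] - r["seq_acked"]
        if unacked > 0:
            findings.append(f"{name}: {unacked} logs forwarded but not acked by the collector")
        # Logs keep being created but the last forwarded one is stale (or none).
        if r["created"] and (r["fwded"] is None or r["created"] - r["fwded"] > max_lag):
            findings.append(f"{name}: newest log {r['created']} but last forwarded {r['fwded']}")
    return findings


if __name__ == "__main__":
    for finding in check_logging_status(SAMPLE) or ["no forwarding problems found"]:
        print(finding)
```

Paste the real output in place of SAMPLE (or read it from a file). An empty result with a connected collector is what you want to see after the collector group and log forwarding profile are committed and pushed; a growing unacked count on every log type points at the collector side rather than the firewall.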

@SCantwell_IM 

Thanks for the quick reply.  I think you might be on to something.

 

On the Panorama Management I have the two CG, Default and Remote.  Both have Device Log Forwarding and Collector Log Forwarding set up.  Are you saying that I should only have the Collector Log Forwarding set up?

 

Both the Default and Remote CG have (on the Collector Log Forwarding tab) the same syslog info on each of the tabs (system, configuration, HIP Match and so on).

 

So will I have just one Collector Group at the end of all this or two?

 

I'm not exactly sure what you mean by "I am curious if you have removed, from the Default log collector group, all configurations regarding the log forwarding of notifications".

 

On the Panorama Mgt under Objects > Log Forwarding I do have an entry for Log_Forward which has the check box for Panorama/Logging Service checked.

 

On the local FWs under Device > Server Profiles > Syslog there is no entry. Under Device > Log Settings there is a template setting for each of System, Configuration, User-ID and so on, and they too have the forward method Panorama checked.

 

I did talk to Palo support, but he wasn't much help to be honest.

 
