10-30-2017 04:50 AM
Ok so I guess my logs don't even collect for 24 hours due to my log storage being about 7GB. Silly people who set this up I swear. So I am trying to figure out how much I do need.
I have a PA-500, PA-820, PA-3050 (x2, they are HA pair) and a PA-3020.
https://live.paloaltonetworks.com/t5/Management-Articles/Panorama-Sizing-and-Design-Guide/ta-p/72181
Now this article shows how many logs per second, but how do I determine what my log collection per day is? I assume it's based on what logs I am collecting and what sev level, correct?
10-30-2017 12:42 PM
Yes it does. Having a logging environment with a lot of quick sessions will fill that up a lot quicker than an environment with not many sessions that move a lot of data.
For my environment 500GB is a bit over a month of data. 120GB was around a week, but we log every rule, and have multiple DMZ zones.
If you are running in legacy mode, you can only have 1 dedicated log disk, and if you need to change it, you lose all logs and start over. If you are running in "panorama" mode you have more flexibility to add or remove disks.
I believe in a normal install, logging is part of the install disk, so you can easily add a dedicated disk without losing logs in any mode.
10-30-2017 12:45 PM
legacy mode vs Panorama mode? I am not sure what the differences are or how I tell?
10-30-2017 12:49 PM
Most likely you are in legacy mode. Panorama has some steep CPU requirements. (24 I believe)
To check the mode you are in, from an SSH session run the following command.
> show system info
at the bottom you should see this line,
platform-family: pc
system-mode: legacy
operational-mode: normal
num-cpus: 4
ram-in-gb: 4
11-01-2017 05:11 AM
Yes, says legacy. With that what is the difference though? Do I get less features with legacy mode?
11-01-2017 05:14 AM
Here is a link with the differences.
Mostly it's just the volume of logs, and the size of disk supported. (8TB vs 24TB)
Do you have a single install disk on your VM, or two?
11-01-2017 05:16 AM
Is there any way to figure this out through CLI? I do not have any visibility into vCenter being the Network guy...::insert eye roll emoji here::
11-01-2017 05:23 AM
In the CLI you can run the command
show system disk-space
The disks will start with sda, then the second will be sdb. If you have an sdb then you do have a dedicated log disk.
You can also do a
show system disk-partition
to see the partition sizes.
11-01-2017 05:28 AM
Looks like one disk currently.
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 4.0G 2.4G 1.5G 62% /
/dev/sda5 24G 6.4G 17G 29% /opt/pancfg
/dev/sda6 4.0G 2.4G 1.4G 64% /opt/panrepo
tmpfs 2.0G 110M 1.9G 6% /dev/shm
cgroup_root 2.0G 0 2.0G 0% /cgroup
/dev/sda8 12G 5.0G 6.4G 44% /opt/panlogs
11-01-2017 06:22 AM
Looks like it will be easy. You just need to add a disk, and your logs will be automatically moved over.
11-01-2017 06:23 AM
I just need to figure out how much space I need. Any tips trying to "guesstimate" that?
11-01-2017 06:26 AM - edited 11-01-2017 06:28 AM
I can give you a guess... the document you linked has the best info.
But how much bandwidth do you push through the device? Do you log everything? How about how many zones do you have?
I personally wouldn't want less than 100GB. Storage is cheap these days and most server VM environments should be able to support that without batting an eye. Just a guess without knowing the environment, and the amount of gear you listed. I would want at least 500GB, 750 to 1TB would be a dream, but that's a fight you got to have with your server guys!
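Added example, not part of the original thread: a Python sketch that applies the sdb check from the replies above to the `show system disk-space` output posted in the thread, then estimates how many days of logs a given volume holds. The function names are hypothetical, the 120/7 GB-per-day rate comes from one reply's environment and only stands in for your own measured rate, and the estimate assumes the whole volume is available to logs.

```python
import re

# `show system disk-space` output exactly as posted in the thread.
THREAD_OUTPUT = """\
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 4.0G 2.4G 1.5G 62% /
/dev/sda5 24G 6.4G 17G 29% /opt/pancfg
/dev/sda6 4.0G 2.4G 1.4G 64% /opt/panrepo
tmpfs 2.0G 110M 1.9G 6% /dev/shm
cgroup_root 2.0G 0 2.0G 0% /cgroup
/dev/sda8 12G 5.0G 6.4G 44% /opt/panlogs
"""

GB_PER_UNIT = {"K": 1 / 1024**2, "M": 1 / 1024, "G": 1.0, "T": 1024.0}

def to_gb(text):
    """Convert a df-style size (6.4G, 110M, bare byte count) to gigabytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT]?)", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    value = float(m.group(1))
    return value * GB_PER_UNIT[m.group(2)] if m.group(2) else value / 1024**3

def parse_disk_space(output):
    """Return one dict per filesystem row, skipping the header line."""
    rows = []
    for line in output.strip().splitlines()[1:]:
        dev, size, used, _avail, _pct, mount = line.split()[:6]
        rows.append({"dev": dev, "size_gb": to_gb(size),
                     "used_gb": to_gb(used), "mount": mount})
    return rows

def log_storage(rows):
    """Apply the thread's check: an sdb device means a dedicated log disk."""
    disks = {m.group(1) for r in rows
             if (m := re.match(r"/dev/(sd[a-z]+)", r["dev"]))}
    logs = next(r for r in rows if r["mount"] == "/opt/panlogs")
    return {"dedicated": "sdb" in disks, "dev": logs["dev"],
            "size_gb": logs["size_gb"], "used_gb": logs["used_gb"]}

def retention_days(size_gb, gb_per_day):
    """Days of logs that fit, assuming the whole volume holds logs."""
    return round(size_gb / gb_per_day, 1)

if __name__ == "__main__":
    info = log_storage(parse_disk_space(THREAD_OUTPUT))
    rate = 120 / 7  # GB/day, from one reply's "120gb was around a week"
    print(info)
    for size in (info["size_gb"], 100, 500, 1024):
        print(f"{size:>6} GB -> ~{retention_days(size, rate)} days")
```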