This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Please help with log collectors and collector groups in Panorama mode!

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Please help with log collectors and collector groups in Panorama mode!

mr_almeida
L2 Linker

‎08-05-2022 01:27 AM

Hello all! 

We have had a single Panorama appliance running in Panorama mode as a local log collector in its own collector group. Firewall logs are sent to Panorama, and all is working well.

 

We now have procured a second Panorama appliance for HA. Hardware, disks etc., are all the same, and I've successfully set them up in HA, synced and healthy.

 

These two Panorama appliances are in different sites - though there is plenty of bandwidth and a few tens of ms latency between them. Currently, each appliance has only a single 2TB assigned to them. We don't plan to change from this setup or utilise dedicated log collectors anytime soon, and log retention fits within requirements.

 

The bit I am confused about is log collectors and collector groups. Cannot decide whether to have both appliances as either:

  1. Single log collector per collector group
  2. Put the secondary appliance in the same collector group as the primary appliance or multiple collectors in a single collector group.

Regarding multiple collectors in a collector group, I have read you can achieve redundancy, increase log retention and exceed logging rates. I am aware you need to check the box for enable log redundancy across collectors. I am also mindful that the logging rate is half - so I am not sure how the logging rates are exceeded if this happens?!

 

Regarding a single collector for each collector group, nothing seems to be mentioned or indicates anything about this. Why would I use this over multiple collectors in a single collector group? I know if the secondary appliance is down or lost, we lose those logs. I also assume you can still set the Log Forwarding Preferences list for both collectors in separate groups?

 

Hoping someone in this space can shed some light on what they have done or chime in on what you think!

 

Thank you for your time in reading and responding!

 

Panorama 

Panorama
Thumbnail of Panorama
Palo Alto Networks
Panorama
Network Security
View on Product Page
0 Likes Likes
3 REPLIES 3

PavelK
Cyber Elite
Cyber Elite

‎08-05-2022 05:59 AM

Thank you for the post @mr_almeida

 

you mentioned that latency is a few tens of milliseconds between each of the Panorama appliance. This could actually be an issue if both Panorama local log collectors are in the same log collector group. The latency between each of the log collector in the same log collector group should not exceed 10 milliseconds. Please have a look at this KB for more details: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmUnCAK

 

Second issue I am seeing, if your Panorama is running PAN-OS 10.0 and higher, there is a change in behavior compared to PAN-OS 9.1: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-release-notes/pan-os-10-0-release-information/c...

 

PavelK_0-1659704010809.png

In nutshell, if you have 2 log collectors in a single collector group and one log collector is down, the other log collector will stop working as well. The workaround is either separate each log collector into own collector group or have 3 log collectors inside the same log collector group.

 

Given these 2 conditions, I personally feel that options No.1: Single log collector per collector group is better option in your case.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

mr_almeida
L2 Linker
In response to PavelK

‎08-08-2022 01:21 AM

Thank you for your time and response, @PavelK!

 

Could you link me to the page that showed the collector group formula for the n/2+1? I must have read several pages but never once saw it!

 

If several log collectors are required for the multiple log collectors to work in a single collector group, then the only choice I have is to go with the single collector in a collector group.

0 Likes Likes

PavelK
Cyber Elite
Cyber Elite

‎08-08-2022 05:31 AM

Thank you for reply @mr_almeida

 

It is mentioned in this release note: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-release-notes/pan-os-10-0-release-information/c... (Scroll down to Collector Groups).

 

Regarding n/2+1, 2 log collectors in a single log collector group will work fine, however keep in mind that in worst case scenario if one log collector goes down, then the remaining one will not be operational until the one that went down comes back online. Unless you experience an outage on one log collector, you will not hit this limitation.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
0 Likes Likes
  • 3075 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks