About PavelK

Thank you for reply @Metgatz   what you described is expected behavior. You will only see Configuration and System logs when you select: "All" top of the hierarchy of Device Group:   By selecting a Device Group that is lower in the hierarchy, you will not see the Configuration and System log tabs.   Kind Regards Pavel ... View more

Hello @Sujanya   there is a Day 1 configuration that can be generated from CSP. Here is the KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PM2lCAG ? Is it what you were looking for?   Kind Regards Pavel ... View more

Thanks for the post @darrenchew   since the latency between log collectors inside the same log collector group should be under 10 ms (Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmUnCAK) and taking into consideration that all log collectors will be geographically separated over WAN, this leaves the only option to place each log collector into own log collector group. While documentation states that a collector group can have up to 16 log collectors, it does not say how many log collector groups are supported and total number log collectors that can be registered. I spent some time to search this information, but unfortunately I could not find it anywhere and have not found a reliable way to verify it.   The scenario you described to have a log collector paired with each Firewall in branch site is non-standard design. To be honest, I think it is better to get a help from Palo Alto Professional Service to go over this design. I doubt that anybody in this community can give you any commitment on this setup. If your customer has enough budget to purchase 400+ log collectors, adding Professional Service should not make much difference 🙂   I am wondering, is there any reason why customer does not want to use Cortex Data Lake: https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-cortex-data-lake/start-sending-logs-to-cortex-data-lake/start-sending-logs-to-cortex-data-lake-panorama-managed  or why not centralize all log collectors in single or multiple Data Centers?   Kind Regards Pavel ... View more

Hello @darrenchew   this is workable. The default settings in Panorama for Max Days is blank which means log never expires. When Panorama reaches the storage quota for a log type, it automatically deletes older logs of that type to create space even if you don’t set the expiration period. If you have enough Log Collectors to store logs and properly allocated quota per log type, you will be able to achieve desired retention period.   Kind Regards Pavel ... View more

Hello @Habte-01   the interfaces you are not able to see in drop down list, are they configured as a Type Layer 3 and are they assigned to Virtual Router?   Kind Regards Pavel ... View more

Thank you for reply @Sujanya   the link you shared is for a scenario when you already have an existing Firewall with a full configuration and you want to import Firewall configuration into Device Group/Template Stack and then push it back to Firewall from Panorama.   Since your Firewall has blank configuration, there is no pre-existing configuration to be imported into Panorama. You can instead refer to this link to add the Firewall to Panorama: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/add-a-firewall-as-a-managed-device. Before you add the Firewall to Panorama, you can create desired configuration in Device Group and Template/Template Stack and add those during initial Firewall onboarding or you can add those later under: Panorama > Device Groups / Templates.   Kind Regards Pavel  ... View more

Hello @Sujanya   I can only speak for my own experience. Although, it is possible to completely manage a Firewall HA pair from Panorama including HA config in a single template stack by leveraging variables: https://knowledgebase.paloaltonetworks.com/kcsArticleDetail?id=kA10g000000PNG0 https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POI2CAO   I personally found it easier and less error prone to setup a basic config like management interface and built HA first, then add the Firewall pair to Panorama and push the rest of the configuration. I have not found any document/design guide that would state would the best practice would be in this scenario, however since HA setting is mostly one time setup that we do not modify frequently, I decided to keep HA as an exception and manage it locally on Firewall instead of pushing it by Panorama. As of now we have 150+ Firewalls and I have not felt that this strategy needs to change. If you add a Firewall pair to Panorama and later decide to let Panorama to manager HA, then you can always push HA configuration from Panorama Template and override it locally without using Force Template Values.   Kind Regards Pavel ... View more

Hello @rpwags   thank you for the post.   Would it be possible to get more details? M-300, M-500 and M-700 are Panorama hardware appliances and not VM, therefore there is no possibility to upgrade unless you purchase new hardware.   Also, would it be possible to get more details on how many ipsec tunnels you configured by hitting a limitation?   Kind Regards Pavel ... View more

Hello @SvenM   I am getting the same error. You do not do anything wrong on your side. Even though there is no reported issue with service: https://status.paloaltonetworks.com/ it looks like there is an issue with this side on Palo Alto side. I would try it again later.   Kind Regards Pavel ... View more

Thank you for reply @mr_almeida   It is mentioned in this release note: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-release-notes/pan-os-10-0-release-information/changes-to-default-behavior (Scroll down to Collector Groups).   Regarding n/2+1, 2 log collectors in a single log collector group will work fine, however keep in mind that in worst case scenario if one log collector goes down, then the remaining one will not be operational until the one that went down comes back online. Unless you experience an outage on one log collector, you will not hit this limitation.   Kind Regards Pavel ... View more

Thank you for the post @mr_almeida   you mentioned that latency is a few tens of milliseconds between each of the Panorama appliance. This could actually be an issue if both Panorama local log collectors are in the same log collector group. The latency between each of the log collector in the same log collector group should not exceed 10 milliseconds. Please have a look at this KB for more details: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmUnCAK   Second issue I am seeing, if your Panorama is running PAN-OS 10.0 and higher, there is a change in behavior compared to PAN-OS 9.1: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-release-notes/pan-os-10-0-release-information/changes-to-default-behavior   In nutshell, if you have 2 log collectors in a single collector group and one log collector is down, the other log collector will stop working as well. The workaround is either separate each log collector into own collector group or have 3 log collectors inside the same log collector group.   Given these 2 conditions, I personally feel that options No.1: Single log collector per collector group is better option in your case.   Kind Regards Pavel ... View more