Log Collector not connected to Panorama after changing its IP address.

Often times, Network administrators find that they may need to re-IP different devices for a variety of reasons. This could also include needing to change the IP address of the various Palo Alto Networks devices that they have deployed. For the most part, this is a straight forward process but there is one exception - Log Collectors.

When changing the IP address of a Firewall or Panorama, it's as simple as logging into the WebUI/CLI of the device, changing the IP address, and committing. After making the necessary changes on the rest of the devices to ensure everything is aware of the new IP address, everything should be good to go. However, in a Log Collector there is a file that can only be modified by commits pushed from Panorama. This is the 'ring' configuration file.

The 'ring' configuration file is a xml file stored on the root partition of the Log Collector. A part of this ring file tells the device what IP address it should be using when attempting to build a connection to the Panorama. When the management IP address of the Log collector matches what is in the ring file, there are no issues. If you change the IP address of the Log Collector through the CLI, this change only affects the interface itself. The management server will still be attempting to connect to the Panorama using the old IP address. Since the old IP address is no longer bound to an interface, the connection attempt would fail and the device would disconnect from the Panorama. Since this ring file is only pushed from Panorama during a commit, this leaves us in a broken state.

To rectify this issue, change the IP address of the Log Collector back to the old IP address to ensure that the management server can bind the IP to an interface. Once the Collector connects to the Panorama again, go to the 'Managed Collectors' section of the configuration and change the IP address under the Interfaces Tab. Commit to the Panorama, then push the configuration to the affected Collectors. This will update the ring file accordingly. Once complete, you can then change the IP address of the Log Collector interface through the CLI.

Should the old IP address of the Log Collector no longer be available, reach out to support. They have the tools needed to resolve the issue without resorting to a factory reset of the device.