How to Configure M-100 in Panorama Mode with a Local Log Collector

Created On 08/29/19 03:43 AM - Last Modified 10/12/19 01:24 AM


Objective


The objective of this article is to provide step-by-step instructions on how to configure an M-100 with a Local Log Collector.

Environment


  • Tested Platform and PAN-OS:
    • Panorama: M-100
    • PAN-OS 8.0.19
  • Supported platforms:
    • M-100 / M-500 / Panorama virtual appliance running PAN-OS 8.0
    • M-100 / M-200 / M-500 / M-600 / Panorama virtual appliance in PAN-OS 8.1 running PAN-OS 9.0


 



Procedure


This setup assumes that the Panorama M-100 has gone through its initial configuration, is in "Panorama Mode" and is already managing at least one firewall. If this is not the case, please refer to the following documents to get this done before moving forward: 


M-100 Configuration.

Note:
Please refer to the following documents for additional information on all topics mentioned in this document: Configure a Managed Collector, General Log Collector Settings, Log Collector RAID Disk Settings, Increase Storage on the M-Series Appliance, Communication Settings, Configure a Collector Group.

Configuration Steps:

  1. GUI: Panorama> Managed Collectors>
    Click the "Add" button at the lower left to open the "Collector" dialog box:

    User-added image

  2. General Tab:

    • Collector S/N:
      Enter the Serial Number of the device which will act as a log collector. For the Local log collector, this is the Serial Number of M-100 itself.
      As soon as the Serial Number is entered, the device recognizes it as its own, and all the other fields, which are needed only when configuring a Dedicated Log Collector, disappear.

      User-added image

    • Inbound Certificate for Secure Syslog:
      This is only needed for secured log ingestion from a Traps ESM server. In this example, we have set it to None.
       

    • Commit the changes to Panorama. If a commit is not done, the configured disk pairs will not be seen in the Disks tab. After committing to Panorama, the Panorama> Managed Collectors> page should look similar to this:

      User-added image
      User-added image
      Note: The out-of-sync and disconnected statuses can be ignored, as the configuration is not yet complete.

  3. Disk Tab:

    • Click on the collector's name to open the "Collector" dialog box again, and click on the "Disk" tab, which should be empty (GUI: Panorama> Managed Collectors> (name)> Disks):

      User-added image

    • Click the "Add" button and select the disk pair, in this example, it is "A".

      User-added image

    • Communication Tab:
      This "Communication" tab is used to configure custom certificate-based authentication between Log Collectors and Panorama, firewalls, and other Log Collectors. Please refer to the linked documentation at the top of this article if secure communication is required/desired.

    • Click "OK" to continue and commit to Panorama a second time.

    • Prior to moving forward with the firewall configuration, confirm that the Log Collector is displayed on the "Managed Collectors" page at GUI: Panorama> Managed Collectors>.

    • Within a few seconds of a successful commit, the Connected column displays a checkmark.

    • Click Statistics (last column) to verify that the logging disks are enabled. You should see something similar to this:

      User-added image
      The above displays our configured disk pair of A. The disk pair you see depends on the configured disk pair in the setup.

  4. Configure the Firewall to send logs to Log collector:
    Since the firewall is already managed by Panorama, configure the device group and template configuration on Panorama to send the firewall's logs to Panorama. Follow steps 3 through 5 of the Configure Log Forwarding to Panorama document, and return here for the final step of this configuration.

  5. Configure a "Collector Group":

    • GUI: Panorama> Collector Groups> Click Add to open the Collector Group dialog box:

      User-added image

    • General Tab:
      Name: Enter a name for the collector group.

    • Collector Group Members:
      Click on Add under Collectors. The newly configured local log collector should auto-populate:

      User-added image

    • Enable log redundancy across collectors:
      Enable this if there is more than one log collector in the group and you want the logs to be copied to all collectors for redundancy (this will use more storage space).

    • Forward to all collectors in the preference list.
      This option is for PA-5200 and PA-7000 Series firewalls only.

    • Monitoring Tab: Enter the details about the log collector such as its location, SNMP details and also an email for the person in charge of monitoring the log collector. In our example, these are not configured.

    • Device Log Forwarding:
      Click the "Add" button to display the "Log Forwarding Preference" dialog box:

      User-added image
       

    • Under the "Devices" column, click the "Modify" button, select the firewall which will forward logs to the local log collector in this Collector Group.

    • Under the "Collectors" column, click the "Add" button to select the Local Log Collector we just configured. The final "Log Forwarding Preference" dialog box should look similar to this:

      User-added image
       

    • Collector Log Forwarding Tab:
      Required if you want to forward received logs from Panorama out to an external service such as a Syslog server.

    • Log Ingestion Tab:
      Required if you have configured a "Log Ingestion Profile".

  6. Commit the changes to Panorama.

  7. Push the configuration to the firewall.

    Local Log forwarding configuration is now complete. 
     



Additional Information


 
  • To check your configuration:
    • Make sure the firewall(s) are connected and the Templates and Device Group are in sync at GUI: Panorama > Managed Devices > Summary:

      User-added image
      User-added image

    • Make sure that the Log Collector is connected and in sync at GUI: Panorama > Managed Collectors>:
      User-added image
      User-added image

    • Make sure Panorama is receiving logs from the firewall at GUI: Monitor > Traffic. Note that it may take a few minutes after the last commit for the logs to be displayed in Panorama:

      User-added image


