How to add logging disk to PA 5450 Firewall
24680
Created On 09/15/21 08:46 AM - Last Modified 01/09/24 04:09 AM
Objective
- The logs on PA 5400 series (PA 5450) firewall will be by default written to System Drive.
- For longer log retention requirements an extra hard drive will have to be installed on the Firewall.
- The aim of this document is to provide the steps need to complete the addition of Local Logging Disk so that it can be used by the Firewall for Logging.
- The logging disk will not be visible on the GUI after adding the disk on CLI.
- All the below steps will have to be completed and firewall has to be rebooted for the Firewall to use the Logging Disk and only then the disk information will be visible on the GUI.
- If local logs are not visible under the Monitor Tab, then make sure High Speed Log Forwarding mode is Disabled.
- When logging disk is not added, all the logs (system, config, traffic etc) are written to the system disk under /opt/panlogs partition. Once the logging disk is added, only the system logs and config logs are stored in the /opt/panlogs partition. All other logs will be in the newly added logging disk.
Environment
- PA 5450 Firewall.
- Supported PAN-OS.
- Adding a Logging disk.
Procedure
- Insert the logging Disk on the PA Firewall.
- Add Disk using the CLI.
admin@PA_5400_111> request system disk add nvme0n1
Executing this command will delete all data on the drive being added. Do you want to continue? (y or n)
This may take few minutes. Run 'show system disk details' to see the status
- Check status periodically
admin@PA_5400_111> show system disk details
Name : nvme0n1
State : Present
Size : 3815447 MB
Status : Busy
Reason : Add in progress <<<<<
Reason will display "Admin Enabled" when the disk is successfully attached.
admin@PA_5400_111> show system disk details
Name : nvme0n1
State : Present
Size : 3815447 MB
Status : Available
Reason : Admin enabled <<<<<
The system state will have the below values.
show system state | match sys.raid.s7.logical-disks
sys.raid.s7.logical-disks: { 'LD1': { 'mount': /opt/panlogs/ld1, 'reason': Admin enabled, 'size': 3382032, 'state': Present, 'status': Available, },
Note : The Firewall will still not show the logging disk on the GUI yet. The next steps have to be completed before it can be seen in the GUI.
- Migrate from system drive to Logging drive
> request logdb-migrate logging-drive start
Executing this command will enable the logging drive, logs will get migrated. This will restart the system. Are you sure you want to continue? (y or n)
Enabling logging drive. This may take few minutes. Check 'request logdb-migrate logging-drive status' to see the status.
What does the command (request logdb-migrate logging-drive start) do:
a. The logs are now migrated from system drive to logging disk.
b. Removes setting/management/quota-settings/disk-quota from running-config.xml and templates
c. Updates configuration schema to switch from disk-quota (single-disk) to chassis-quota (multi-disk)
b. Removes setting/management/quota-settings/disk-quota from running-config.xml and templates
c. Updates configuration schema to switch from disk-quota (single-disk) to chassis-quota (multi-disk)
- The firewall automatically reboots after enabling the new logging drive.