How to migrate logs from M-100 to another M-100 in mixed mode by moving the logging disks.
Objective
The objective of this article is to provide step-by-step instructions on how to migrate the logs from a Panorama M-100 to another Panorama M-100 in Mixed/Hybrid mode by moving the logging disks. The scenarios that need this procedure are:
- M-100 or M-500 hardware issues with login access working fine.
- M-100 to M-500 Upgrade.
Environment
- Tested Platform and PAN OS:
- M-100 to M-100
- PAN-OS 8.1.10
- Supported Platforms and PAN OS:
- M-100 to M-100
- M-500 to M-500
- M-100 to M-500 (upgrade)
- PAN-OS 8.0, 8.1 and 9.0
- Naming
- Throughout this document, Old-M-100 refers to the failed M-100 and New-M-100 refers to the newly RMA'd M-100 to which the logs are to be migrated.
Procedure
- Perform initial configuration of the replacement Panorama, and have both failed Old-M-100 and New-M-100 devices reachable over the network.
- Make a backup of Old-M-100's running-config.
- Import, Load and Commit the Old-M-100's running-config on the New-M-100.
Note: Once the config is loaded, make sure to correct the IP address, subnet and default gateway under Panorama> Setup> Interfaces> Management> to that of the New-M-100 to avoid duplicate IP as the Old-M-100 is still on the network.
- Commit the configuration to Panorama on New-M-100.
- Power down both Old-M-100 and New-M-100:
Panorama> Setup> Operations> Device Operations> Shutdown Panorama
Or by pressing the power button on the front of the unit for a few seconds.
- Remove logging disks from Old-M-100:
In this example, we will use "Disk Pair A", which is inserted in bays A1 and A2 (bays A1+A2 = Slot 1, bays B1+B2 = Slot 2, etc.).
Press the "Release Button" and then lift the handle to remove the drive A1 and then A2.
- Insert the drives in New-M-100:
The drives must be kept in the same bay number from which they were removed, but the drive pair does not need to be inserted on the same slot from which it was removed. For example, the drive removed from A1 cannot be inserted in B2, but can be inserted in B1. Likewise, A2 can be inserted in B2 and so on.
In our example we will insert the drive that was removed from A1 on Old-M-100 into A1 on New-M-100, and A2 of Old-M-100 into A2 of New-M-100.
- Power on both the devices.
- Transfer meta-data from Old-M-100 to New-M-100:
At this step, please call support to have an engineer assist with the meta-data transfer. Once the meta-data transfer has completed successfully, continue with Step 10.
All the steps documented below take place entirely on the New-M-100, so the Old-M-100 can now be removed from the network.
- Enable disk pair A:
From the CLI, run the following command, once for each drive:
Onyxx@New-M-100> request system raid add A1 force no-format
'no-format' will be ignored for the second drive in the RAID Disk Pair.
Do you want to continue? (y or n) y
Operation may take few minutes. Check 'show system raid detail' for status
Onyxx@New-M-100> request system raid add A2 force no-format
'no-format' will be ignored for the second drive in the RAID Disk Pair.
Do you want to continue? (y or n) y
Operation may take few minutes. Check 'show system raid detail' for status
The force argument associates the disk pair with the new appliance, and the no-format argument prevents reformatting of the drives, hence retaining the logs stored on the disks.
- Regenerate the meta-data.
This process can take up to 6+ hours to complete depending on the amount of logs on the drives. Run the command listed below and wait for the process to be completed.
Onyxx@New-M-100> request metadata-regenerate slot 1
After you press the Enter key on the command above, the cursor will just blink on the screen. Once the meta-data regeneration process is complete, you should see a message similar to the one below:
Bringing down vld: vld-0-0
Process 'vld-0-0' executing STOP
Removing old metadata from /opt/pancfg/mgmt/vld/vld-0
Process 'vld-0-0' executing START
Done generating metadata for LD:1
- Configure a new Local Log Collector (LLC):
This can be done either from the GUI or the CLI. GUI example below. CLI commands are documented in the additional information section.
GUI: Panorama> Managed Devices> Managed Collectors>, Old LLC's SN is displayed.
Click the Add button to add new LLC, and enter the New-M-100's serial number on the "Collector S/N" field and click OK:
Do not delete the old LLC yet, and do not add any drives under the "Disks" tab at this time. Panorama will automatically add the disks after the log migration is completed.
Commit to Panorama. Once commit is completed, GUI: Panorama> Managed Devices> Managed Collectors> screen should look similar to this:
The new LLC displaying Out of sync is expected at this point as the commit to log collector is not yet done.
Run the following command to verify that the new LLC is connected to Panorama and that the status of its disk pairs is present/available:
Onyxx@Lab32-48-M-100> show log-collector serial-number <New-M-100's-SN>
Serial CID Hostname Connected Config Status SW Version IPv4 - IPv6
---------------------------------------------------------------------------------------------------------
009201002619 0 Lab32-48-M-100 yes Out of Sync 8.1.10 10.46.32.48 - unknown
Redistribution status: none
Last commit-all: commit succeeded, current ring version 0
SearchEngine status: Unknown
md5sum updated at ?
Certificate Status:
Certificate subject Name:
Certificate expiry at: none
Connected at: none
Custom certificate Used: no
Raid disks
DiskPair A: Disabled, Status: Present/Available, Capacity: 870 GB
Note that it is expected for DiskPair A to show as Disabled at this point of the process.
From this point on only commit the changes that are required to complete this migration process. Hold off on making any other changes.
- Start the log migration process:
Onyxx@New-M-100> request log-migration-set-start
Log migration is set started. The next Panorama commit will set end implicitly.
Commit these changes to Panorama, this time by doing a commit force from the CLI:
Onyxx@New-M-100> configure
Onyxx@New-M-100# commit force
Commit job 6289 is in progress. Use Ctrl+C to return to command prompt
.65%......70%.....80%.....90%.....100%
Configuration committed successfully
No disks enabled on log collector 009201002619
[edit]
- Add the newly configured LLC as a member of the old Collector Group:
Note: you should be able to see the old Collector Group name when you press "?" after the set log-collector-group part of the command.
Onyxx@New-M-100# set log-collector-group <collector_group_name> logfwd-setting collectors <New-M-100's-SN>
In our example, the old Collector Group is "CG-32-115", and the complete command looks like this:
Onyxx@New-M-100# set log-collector-group CG-32-115 logfwd-setting collectors 009201002619
Commit changes, then exit out of configuration mode:
Onyxx@New-M-100# commit
Commit job 6299 is in progress. Use Ctrl+C to return to command prompt
.67%.73%.....80%.....90%.....100%
Configuration committed successfully
No disks enabled on log collector 009201002619
[edit]
Onyxx@New-M-100# exit
After committing the above changes, you should now see both the old LLC and the new LLC under GUI: Panorama> Managed Devices> Collector Groups>:
- Migrate the logs from Old-M-100-to-disks association, to New-M-100-to-disks association:
Onyxx@New-M-100> request log-migration from <Old-M-100-SN> old-disk-pair <log-disk-pair> to <New-M-100-SN> new-disk-pair <log_disk_pair>
In our example, the command is as follows:
Onyxx@Lab32-48-M-100> request log-migration from 003001000726 old-disk-pair A to 009201002619 new-disk-pair A
Commit changes to Panorama:
Onyxx@New-M-100> configure
Entering configuration mode
[edit]
Onyxx@New-M-100# commit
Commit job 6309 is in progress.
Use Ctrl+C to return to command prompt
.65%.71%......80%.....90%.....100%
Configuration committed successfully
[edit]
- Add the new LLC to Log Forwarding Preferences:
GUI: Panorama> Managed Devices> Collector Groups> <old-collector-group-name> Device Log Forwarding Tab> , click on the listed device which is sending its logs to the Old-M-100, and then click the Add button under the Collectors column. You should now see both old and the new LLCs listed:
Once the new LLC is on the list, select only the old LLC from the list, delete it and click OK.
You should now see only the new LLC on the list:
Click the General tab.
You should see both old and new LLCs listed under "Collector Group Members":
Click OK to continue.
- Delete the old LLC from the "Collector Group Members" list using the CLI command listed below. Warnings will be displayed if this is done using GUI.
Onyxx@New-M-100# delete log-collector-group <collector-group-name> logfwd-setting collectors <Old-M-100-SN>
In our example, the complete command looks like this:
Onyxx@New-M-100# delete log-collector-group CG-32-115 logfwd-setting collectors 003001000726
Commit the changes:
Onyxx@Lab32-48-M-100# commit
Commit job 6414 is in progress. Use Ctrl+C to return to command prompt
..69%71%.....80%.....90%.....100%
Configuration committed successfully
[edit]
- Commit Log Collector changes.
At this point, if the IP addresses on the managed firewall/s and the New-M-100 are configured correctly, the firewall should show a status of Connected and Shared Policies and Templates should be in sync (Green):
The new Log Collector is still "Out of sync". To resolve this, commit the Collector Group configuration.
From the CLI, run the following command to commit the Log Collector configuration:
Onyxx@Lab32-48-M-100> commit-all log-collector-config log-collector-group <collector-group-name>
In our example the command is as follows:
Onyxx@Lab32-48-M-100> commit-all log-collector-config log-collector-group CG-32-115
Generated config and committed to connected collectors in group CG-32-115
The new Log Collector should now be connected and "In sync".
- Generate new keys:
This command should only be run for the Collector Group to which the old LLC belonged, which in our example is "CG-32-115".
This step deletes the existing RSA keys and allows Panorama to create new RSA keys:
Onyxx@New-M-100> request logdb update-collector-group-after-replace collector-group <collector-group-name>
In our example the command is as follows:
Onyxx@New-M-100> request logdb update-collector-group-after-replace collector-group CG-32-115
Response from logger 009201002619: Logger was updated.
Confirm that "SearchEngine" status is Active for the new LLC in the Collector Group:
Onyxx@Lab32-48-M-100> show log-collector serial-number <New-LLC-SN>
Serial CID Hostname Connected Config Status SW Version IPv4 - IPv6
---------------------------------------------------------------------------------------------------------
009201002619 12 Lab32-48-M-100 yes In Sync 8.1.10 10.46.32.48 - unknown
Redistribution status: none
Last commit-all: commit succeeded, current ring version 2
SearchEngine status: Active
md5sum ad80ea68066b2f16dfcf7007d3781ebd updated at ?
Certificate Status:
Certificate subject Name:
Certificate expiry at: none
Connected at: none
Custom certificate Used: no
Raid disks
DiskPair A: Enabled, Status: Present/Available, Capacity: 870 GB
====TRUNCATED====
- Replace the previous Log Collector's serial number with the new Log Collector's serial number.
Onyxx@New-M-100> request log-migration-update-logger from <old-LLC-SN> to <New-LLC-SN>
Logger was updated.
At this point all logs should have been migrated. The process is now complete.
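The procedure checks "show log-collector serial-number" output twice: after the new LLC is added (Out of Sync and a Disabled disk pair are expected) and after the keys are regenerated (In Sync, SearchEngine Active, disk pair Enabled). The script below is an added example, not part of the original article or a vendor tool. It parses saved CLI output and reports any field that differs from what the article expects at that point. The stage names, function names and the choice to match on text saved from the CLI are assumptions.

```python
import re

# Field values the article expects at its two verification points.
EXPECTED = {
    "after_llc_added": {"connected": "yes", "config_status": "Out of Sync",
                        "disk_state": "Disabled"},
    "after_key_regen": {"connected": "yes", "config_status": "In Sync",
                        "search_engine": "Active", "disk_state": "Enabled"},
}

# Sample input: lines trimmed from the article's example output.
SAMPLE_MID = """\
Serial CID Hostname Connected Config Status SW Version IPv4 - IPv6
009201002619 0 Lab32-48-M-100 yes Out of Sync 8.1.10 10.46.32.48 - unknown
SearchEngine status: Unknown
DiskPair A: Disabled, Status: Present/Available, Capacity: 870 GB
"""
SAMPLE_FINAL = """\
Serial CID Hostname Connected Config Status SW Version IPv4 - IPv6
009201002619 12 Lab32-48-M-100 yes In Sync 8.1.10 10.46.32.48 - unknown
SearchEngine status: Active
DiskPair A: Enabled, Status: Present/Available, Capacity: 870 GB
"""

def parse_log_collector(text):
    """Pull out the fields the procedure tells the operator to look at."""
    info = {"disks": {}}
    row = re.search(r"^\s*(\d+)\s+\d+\s+\S+\s+(yes|no)\s+(In Sync|Out of Sync)\s", text, re.M)
    if row:
        info.update(serial=row.group(1), connected=row.group(2), config_status=row.group(3))
    se = re.search(r"SearchEngine status:\s*(\S+)", text)
    info["search_engine"] = se.group(1) if se else None
    for m in re.finditer(r"DiskPair (\w+):\s*(\w+),\s*Status:\s*([^,\n]+)", text):
        info["disks"][m.group(1)] = (m.group(2), m.group(3).strip())
    return info

def check_stage(text, stage, serial, pair="A"):
    """Return mismatches against the expected state; [] means the check passed."""
    info = parse_log_collector(text)
    if info.get("serial") != serial:
        return [f"no status row for serial {serial}"]
    state, status = info["disks"].get(pair, (None, None))
    info["disk_state"] = state
    problems = [] if status == "Present/Available" else [
        f"DiskPair {pair} status is {status!r}"]
    for key, want in EXPECTED[stage].items():
        if info.get(key) != want:
            problems.append(f"{key}: expected {want!r}, got {info.get(key)!r}")
    return problems
```

Calling check_stage(SAMPLE_FINAL, "after_key_regen", "009201002619") returns an empty list; running the same check against SAMPLE_MID lists the three fields that have not yet reached their final state.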