Hello -
Full disclosure, I don't know much about Panos as log servers.
We have two Panos in an active/passive setup, PanoA and PanoB. My company wants to bring in two more Panos strictly as log servers. So PanoA and PanoALog, PanoB and PanoBLog.
What is the best way to go about this?
Thanks in advance for your time.
The tricky part with log collectors is that you need to commit several times before they're properly added, but you can:

1. Create the new collectors
2. Commit to Panorama
3. Set up the collectors through CLI, point them to Panorama
4. Commit on collectors
5. Push to devices from Panorama to "attach" the collectors
6. Add them in collector group
7. Remove old devices from collector group
8. Commit to Panorama
9. Push to devices

This should convey to all firewalls and the new collectors where logs need to go from now on.
Are they set up in legacy mode? If so, you have some choices to make; if not, that will make life easier.

If they're in Panorama mode, you should already have configured log collectors and you can basically add the two new ones as extra collectors in the same group.

If your Panos are still in legacy mode, you'll want to transform them to Panorama mode and then build a log collectors group of 4. The hybrid solution is to set up a log collectors group containing only the new ones and then add the current ones later on.