topic Panorama (eth1/1) to firewall (Loop0 or vlan interface) configuration push in Panorama Discussions

Panorama (eth1/1) to firewall (Loop0 or vlan interface) configuration push

sanjaypatel08 — Tue, 28 Sep 2021 06:42:47 GMT

Panorama (eth1/1) to firewall (Loop0 or vlan interface) configuration push

Hey guys

Not sure if it's a valid solution but I need your advise.

Panorama - M500

FW - PA3220

Scenario 1: Panorama (MGT Interface) <---------- (MGT Subnet) ----------> (MGT Interface) Firewall

can push the config from Panorama to FW
everything works, no issues.

Scenario 2: Panorama (Eth1/1 ) <---------- (Routed network) ----------> (Loop0) Firewall

cannot push the config from Panorama to FW,
even though they can ping to each other.
can't see the firewall in Managed Device either.

Panorama eth 1/1 -settings

Ping,
SSH,
Device Deployment,
Device Management and Device Log Collection,
Device Deployment

Could someone advise what's missing in my config or this is not possible?

Followed this post, looks like similar config worked for someone but not sure whether MGT interface was used or something else.

Solved: LIVEcommunity - Re: Panorama device management via loopback - LIVEcommunity - 341279

Re: Panorama (eth1/1) to firewall (Loop0 or vlan interface) configuration push

PavelK — Tue, 28 Sep 2021 22:13:35 GMT

Thank you for posting question @sanjaypatel08

I have a few Firewalls that are managed by Panorama and not using management interface. This scenario is possible, you will only have to adjust Service Route Configuration to use Loopback interface instead of management interface. I can confirm that in Panorama the Firewall's IP address will be still displayed with management interface IP address even though it is not connected at all.

On Panorama side, I do not think you can completely eliminate Management interface. Based on documentation it states that: "When assigning Panorama services to various interfaces, keep in mind that only the MGT interface allows administrative access to Panorama for configuration and monitoring tasks."

https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/set-up-panorama/set-up-the-m-series-appliance/m-series-appliance-interfaces.html

For all other functions such as:

Device Management and Device Log Collection
Collector Group Communication
Device Deployment

You can use different interface than management. This should be functional in your case with Eth 1/1.

Could you make sure that you completed this step: Changes made to interfaces other than management (MGT) require a Collector Group commit to be effective. Below is a sample:

Since you mentioned that you can't see Firewall in Panorama under Device Management, this is fundamental issue and without seeing Firewall connected in Device Management, you will not be able to perform further tasks with pushing of configuration. Could you verify that on Firewall side you are pointing to the correct Panorama's IP address, Service Routes are in place and S/N registered in Panorama is corresponding?

Kind Regards

Pavel

Re: Panorama (eth1/1) to firewall (Loop0 or vlan interface) configuration push

sanjaypatel08 — Tue, 05 Oct 2021 21:38:13 GMT

Thanks @PavelK for your help, I followed the steps and it did work for me.

I had to make two changes:

1. The service route update from firewall

2. After seeing the traffic from firewall to Panorama eth1/1 interface, firewall was dropping it so I had to create another rule allow that flow.

And it worked well, with no issues 🙂

Thank you again!

Sanjay