topic Re: Change IP MGT Firewall conect to Panorama in General Topics

Change IP MGT Firewall conect to Panorama

Metgatz — Thu, 28 Apr 2022 20:31:56 GMT

Hello, good afternoon everyone, thank you very much for your time, help and support.

I have the following scenario:

1.- Panorama managing 6 firewalls
2.- Panorama version 9.1.6
3.- Firewall HA 9.1.6 (5250 - This will be used for configuration migration )
4.-Other HA 7.1.15 ( 5060 )
5.- Firewall HA 9.1.13-h3 (5250)
6.- All the previously named devices are being reported and managed (template and device group) in Panorama

Which is what it intends to do, the 5060 firewalls will be taken offline and a HA 5250 will be used instead.

The HA 5250 (with its corresponding Template and personalized Device group) is connected to Panorama with its respective MGT IP and also the HA 5060 units with their respective MGT IP (also with their corresponding Template and personalized Device group).

So what is going to be done, what is intended is to clone the profiles (device group and templates) from the 5060 and use it to migrate the configuration to the HA 5250. After this, it is necessary to use the same MGT IPs that have or had the 5060 in the 5250.

It is there with the details already delivered, after the change of IP and obviously the PA-5060 firewalls, they will be disconnected and eliminated from Panorama, the question is if it will be necessary to remove and re-add the 5250 firewalls after the IP change or will the Panorama recognize the IP change and only focus on the Serial Number-SN and the IP change will be transparent?

Thank you very much in advance for the support, I remain tense, best regards

Re: Change IP MGT Firewall conect to Panorama

PavelK — Thu, 28 Apr 2022 21:10:10 GMT

Thank you for the post @Metgatz

based on my experience only serial number matters. The IP address change will be transparent. Good luck with your migration!

Kind Regards

Pavel

Re: Change IP MGT Firewall conect to Panorama

aleksandar.astardzhiev — Sat, 30 Apr 2022 20:27:57 GMT

Hey @Metgatz ,

As @PavelK correctly pointed out - Panorama is using device serial number to identify managed device, the IP address is irrelevant.

It worth mentioning the following:

- Communication between Panorama and managed device is always initiated by the firewall.

- So Panorama will accept any source IP address to connect to it (which can be restricted by allowed address list under panorama managed interface config). Note that it will accept and establish the TCP connection, after that FW will try to "authenticate" providing its serial number, at this point Panorama will decide if it will continue to communicate with the FW or close the session - based on the S/N number that you have added to the Panorama.

- For that reason if firewall changes its IP address (either admin manually change statically assigned IP, or just FW uses DHCP for mgmt), Panorama will still be able to authenticate the firewall and associate it with device-group and template stack. As bonus it will update the information under Managed Devices -> Summary showing the current management ip of the firewall

So it may take few minutes (I would say less than 2mins), for Panorama to list the firewalls as connected after you change the IP addresses.

Re: Change IP MGT Firewall conect to Panorama

Ricky_Mayenburg — Mon, 20 Jan 2025 23:33:05 GMT

If panorama doesn't pick up the device after the MGMT ip change, it's worth checking the monitor logs to see if the firewall is able to communicate with Panorama with application SSL on port 3978.

I have to add a rule to allow the traffic on this port and then Panorama saw the firewall right away. because I was only allowing SSL on the default port.

Re: Change IP MGT Firewall conect to Panorama

PavelK — Tue, 21 Jan 2025 02:49:55 GMT

Hello @Ricky_Mayenburg

thanks for sharing!

The behavior with SSL on port 3978 you described is documented in this KB: Why is traffic on port 3978 Identified as SSL application instead of Panorama application?.

Kind Regards

Pavel