https://live.paloaltonetworks.com/t5/general-topics/how-to-onboard-passive-pa440-firewall-to-panorama-using/m-p/1227146#M124075 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/653493405">@Ramesh</a>&nbsp;wrote:<BR /> <P>I need assistance integrating Palo Alto firewalls in an Active/Passive HA setup with Panorama. Below is an overview of the setup:</P> <P>&nbsp;</P> <P>At customer sites, we have Palo Alto firewalls configured in Active/Passive HA mode, and they are currently managed locally. We are now planning to integrate them with Panorama, which is hosted in the AWS cloud. An IPSec tunnel has been established between AWS and the customer sites for this purpose.</P> <P>&nbsp;</P> <P>Since the management subnet at the sites does not have a route to reach Panorama in AWS, I have configured a dedicated dataplane interface solely for Panorama communication. I have also modified the service route to use this dataplane interface instead of the default management interface.</P> <P>&nbsp;</P> <P>However, because this dataplane interface is not active on the passive firewall, the passive firewall is unable to communicate with Panorama and appears as “disconnected” in Panorama.</P> <P>&nbsp;</P> <P>To onboard the firewalls into Panorama, we need to import the existing firewall configuration into Panorama and then push the configuration back to the devices. Since the passive firewall is in a disconnected state, we are unable to perform this operation.</P> <P>&nbsp;</P> <P>Is there a recommended workaround to address this situation?</P> <P>Firewall model: PA 440</P> <P>Software version: 11.1.4</P> <P><LI-WRAPPER></LI-WRAPPER></P> <HR /></BLOCKQUOTE> <P>In the HA setup, there's an option that allows the interfaces to be in an "UP" / online state.&nbsp; I'm not sure but that might be enough to bring the dataplane port up for the service route to work.</P> Tue, 22 Apr 2025 18:02:14 GMT Brandon_Wertz 2025-04-22T18:02:14Z https://live.paloaltonetworks.com/t5/general-topics/how-to-onboard-passive-pa440-firewall-to-panorama-using/m-p/1226925#M124050 <P>I need assistance integrating Palo Alto firewalls in an Active/Passive HA setup with Panorama. Below is an overview of the setup:</P> <P>&nbsp;</P> <P>At customer sites, we have Palo Alto firewalls configured in Active/Passive HA mode, and they are currently managed locally. We are now planning to integrate them with Panorama, which is hosted in the AWS cloud. An IPSec tunnel has been established between AWS and the customer sites for this purpose.</P> <P>&nbsp;</P> <P>Since the management subnet at the sites does not have a route to reach Panorama in AWS, I have configured a dedicated dataplane interface solely for Panorama communication. I have also modified the service route to use this dataplane interface instead of the default management interface.</P> <P>&nbsp;</P> <P>However, because this dataplane interface is not active on the passive firewall, the passive firewall is unable to communicate with Panorama and appears as “disconnected” in Panorama.</P> <P>&nbsp;</P> <P>To onboard the firewalls into Panorama, we need to import the existing firewall configuration into Panorama and then push the configuration back to the devices. Since the passive firewall is in a disconnected state, we are unable to perform this operation.</P> <P>&nbsp;</P> <P>Is there a recommended workaround to address this situation?</P> <P>Firewall model: PA 440</P> <P>Software version: 11.1.4</P> <P><LI-WRAPPER></LI-WRAPPER></P> Mon, 21 Apr 2025 03:58:14 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-onboard-passive-pa440-firewall-to-panorama-using/m-p/1226925#M124050 Ramesh 2025-04-21T03:58:14Z https://live.paloaltonetworks.com/t5/general-topics/how-to-onboard-passive-pa440-firewall-to-panorama-using/m-p/1227137#M124071 <P>Hello,</P> <P>Did you also change the 'service route' to the new interface?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OtakarKlier_0-1745338898641.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/67226i384D7B0FF1567CF2/image-size/medium?v=v2&amp;px=400" role="button" title="OtakarKlier_0-1745338898641.png" alt="OtakarKlier_0-1745338898641.png" /></span></P> <P>Also is the interface setup to be a Management interface?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OtakarKlier_1-1745339025108.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/67227iCD77B22448115D0D/image-size/medium?v=v2&amp;px=400" role="button" title="OtakarKlier_1-1745339025108.png" alt="OtakarKlier_1-1745339025108.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>If you did and its still not working ,I suggest utilizing the management interface and adding the route to the VPN.&nbsp;</P> <P>&nbsp;</P> <P>Regards,</P> Tue, 22 Apr 2025 16:24:01 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-onboard-passive-pa440-firewall-to-panorama-using/m-p/1227137#M124071 OtakarKlier 2025-04-22T16:24:01Z https://live.paloaltonetworks.com/t5/general-topics/how-to-onboard-passive-pa440-firewall-to-panorama-using/m-p/1227146#M124075 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/653493405">@Ramesh</a>&nbsp;wrote:<BR /> <P>I need assistance integrating Palo Alto firewalls in an Active/Passive HA setup with Panorama. Below is an overview of the setup:</P> <P>&nbsp;</P> <P>At customer sites, we have Palo Alto firewalls configured in Active/Passive HA mode, and they are currently managed locally. We are now planning to integrate them with Panorama, which is hosted in the AWS cloud. An IPSec tunnel has been established between AWS and the customer sites for this purpose.</P> <P>&nbsp;</P> <P>Since the management subnet at the sites does not have a route to reach Panorama in AWS, I have configured a dedicated dataplane interface solely for Panorama communication. I have also modified the service route to use this dataplane interface instead of the default management interface.</P> <P>&nbsp;</P> <P>However, because this dataplane interface is not active on the passive firewall, the passive firewall is unable to communicate with Panorama and appears as “disconnected” in Panorama.</P> <P>&nbsp;</P> <P>To onboard the firewalls into Panorama, we need to import the existing firewall configuration into Panorama and then push the configuration back to the devices. Since the passive firewall is in a disconnected state, we are unable to perform this operation.</P> <P>&nbsp;</P> <P>Is there a recommended workaround to address this situation?</P> <P>Firewall model: PA 440</P> <P>Software version: 11.1.4</P> <P><LI-WRAPPER></LI-WRAPPER></P> <HR /></BLOCKQUOTE> <P>In the HA setup, there's an option that allows the interfaces to be in an "UP" / online state.&nbsp; I'm not sure but that might be enough to bring the dataplane port up for the service route to work.</P> Tue, 22 Apr 2025 18:02:14 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-onboard-passive-pa440-firewall-to-panorama-using/m-p/1227146#M124075 Brandon_Wertz 2025-04-22T18:02:14Z https://live.paloaltonetworks.com/t5/general-topics/how-to-onboard-passive-pa440-firewall-to-panorama-using/m-p/1227147#M124076 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;-- OPs issue is the secondary/passive FW isn't being seen by PAN in AWS.&nbsp; The passive firewall using a service route on the DP.&nbsp; The issue is since he's using an inline data port and the DP is down in a passive state the service route won't work.&nbsp; (I think this is his issue)</P> Tue, 22 Apr 2025 18:05:08 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-onboard-passive-pa440-firewall-to-panorama-using/m-p/1227147#M124076 Brandon_Wertz 2025-04-22T18:05:08Z