topic Re: FW in Palo IP changed in General Topics

FW in Palo IP changed

RobertShawver — Thu, 01 Jul 2021 13:16:59 GMT

Hello -

I have an HA pair of palo's that were added to Panorama. The management IP for each of those palo's has changed and are now showing in a disconnected state. How can I correct this?

Thanks in advance.

Re: FW in Palo IP changed

Remo — Sat, 03 Jul 2021 19:08:11 GMT

Hi @RobertShawver

From the new management IPs of the firewalls, is it possible to reach the panorama? Is the new network configuration correctly configured and these firewalls are able to communicate to the default gateway and other networks? Is an ACL on panorama configured that restrics access to only specific IPs or is a firewall in front of the panorama that prevents the communication from the new IPs?

The communication is always coming from the firewall to panorama so you need to make sure that this way of communication is possible.

Re: FW in Palo IP changed

aleksandar.astardzhiev — Sun, 04 Jul 2021 07:39:35 GMT

Hi @RobertShawver ,

Two points to remember when troubleshooting panorama connectivity:

- Aways the FW is the initiator of the connection. Which means FW is always the source of the traffic and panorama is just waiting for someone to call it

- Panorama is tracking firewalls by serial numbers, not by management IP. Which means panorama will accept any connection request as long as the FW serial number is added to panorama.

So by default Panorama will accept/establish TCP connection with any source IP, but can reject the connection if the provided FW S/N is not in the list of managed devices. You can control this by configuring "Permitted IPs" under the panorama management interface. That way Panorama will respond only IP from the allow list.

If everying is setup properly if FW is connected to Panorama, but its mgmt ip is change. The new IP will be detect and changed automatically. So it looks more like the new mgmt ip is not reaching the Panorama:

- Try to ping panorama from fw using mgmt interface

- Check if you have configured permitted ip panorama interface

- Last resort make a packet capture on panorama and FW interface and confirm that you have bi-directional traffic

Re: FW in Palo IP changed

RobertShawver — Mon, 12 Jul 2021 16:49:47 GMT

Great info to have! I read your post and figured it out. I set the object for the Firewalls within Pano to IP (so pano saw the old IP and not the new). I changed it to FQDN and whiz-bang, it connected.

Re: FW in Palo IP changed

a-techie — Mon, 12 Jul 2021 17:54:55 GMT

@RobertShawver Can you please tell me where did you use that object? Would be great if you share a screenshot(after masking any sensitive details)

Re: FW in Palo IP changed

RobertShawver — Mon, 12 Jul 2021 18:25:48 GMT

Pretty simple really, we have Addresses and Address Groups under the Objects tab in Panorama. You create the Address object and then add it to a Address Groups object. We then apply that Address Group to the Rules needed for them to talk.

What I, stupidly, did was when I created the Address for the managed firewall I used Type IP Netmask

What I should have done and did correct was use Type FQDN

This way if the IP changes, I don't have to do anything. 🙂