Firewall Showing as Disconnected on the Panorama

## One of the main reasons will be a security policy denying the port/Application needed for Firewall to Panorama communication.

Or

## Any of the intermediate devices are blocking the desired port required for Firewall to Panorama communication.

• In most cases, an SSL tunnel is created between the firewall's management interface and Panorama.
• The firewall uses destination TCP port 3978 for firewall-to-Panorama communication.
• If the security policy carrying this traffic does not have TCP port  3978 / Application Panorama allowed, the device will not show as connected on the Panorama and this traffic will get denied by a clean-up policy.
• Filter the traffic logs with the source IP address of the management interface and the destination IP address of the Panorama. If a ServiceRoute is used for Panorama sessions, use the appropriate dataplane interface's IP address.
• If you see the action denied by the security policy, modify the existing security policy responsible for this traffic with the application or port mentioned above, then the firewall will show as connected on the Panorama.

The traffic logs will then be allowed after modifying your security policy.

Note --  In case if you are using a Public Ip address for management Interface on both the Firewall and Panorama, sessions will be managed by the Management plane ( In case --- If the packets are not traversing through any of the data ports )

take TCP dump on the management interface on destination port 3978 for troubleshooting to check that the packets are reaching to the Paloatlo ( There may be a case where the intermediate devices are blocking the desired port )