Hello, good afternoon everyone, thank you very much for your time, help and support.
I have the following scenario:
1.- Panorama managing 6 firewalls
2.- Panorama version 9.1.6
3.- Firewall HA 9.1.6 (5250 - this pair will be used for the configuration migration)
4.- Another HA pair on 7.1.15 (5060)
5.- Firewall HA 9.1.13-h3 (5250)
6.- All of the devices named above are reporting to and managed (template and device group) by Panorama
What is intended: the 5060 firewalls will be taken offline and an HA 5250 pair will be used instead.
The HA 5250 (with its corresponding Template and custom Device Group) is connected to Panorama with its own MGT IP, and so are the HA 5060 units with their own MGT IPs (also with their corresponding Template and custom Device Group).
So what is intended is to clone the profiles (device group and templates) from the 5060 and use them to migrate the configuration to the HA 5250. After this, the 5250 needs to use the same MGT IPs that the 5060 has (or had).
With those details given: after the IP change, the PA-5060 firewalls will obviously be disconnected and removed from Panorama. The question is whether it will be necessary to remove and re-add the 5250 firewalls after the IP change, or whether Panorama will recognize the IP change, key only on the serial number (SN), and make the IP change transparent?
Thank you very much in advance for the support, I remain attentive, best regards
Hey @Metgatz ,
As @PavelK correctly pointed out, Panorama uses the device serial number to identify a managed device; the IP address is irrelevant.
It is worth mentioning the following:
- Communication between Panorama and a managed device is always initiated by the firewall.
- So Panorama will accept a connection from any source IP address (this can be restricted with the allowed address list under the Panorama management interface config). Note that it will accept and establish the TCP connection; after that the FW will try to "authenticate" by providing its serial number, and at this point Panorama will decide whether to continue communicating with the FW or close the session, based on the S/N that you have added to Panorama.
- For that reason, if the firewall changes its IP address (either an admin manually changes the statically assigned IP, or the FW simply uses DHCP for mgmt), Panorama will still be able to authenticate the firewall and associate it with its device group and template stack. As a bonus, it will update the information under Managed Devices -> Summary, showing the current management IP of the firewall.
So it may take a few minutes (I would say less than 2 mins) for Panorama to list the firewalls as connected after you change the IP addresses.
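A post-migration check that follows from the answer above, added here as an example and not part of the original thread or of any Palo Alto Networks tooling. Panorama's operational command `show devices connected` (available over the XML API as `type=op&cmd=<show><devices><connected/></devices></show>`) lists managed devices keyed by serial number together with the management IP each one last connected from. The script below parses that XML, reconciles it against the serials and IPs the 5250 pair is expected to use, and lists the serials that remain in Panorama but are no longer expected (the retired 5060s). The XML sample is constructed for this example; its serial numbers and IPs are made up, and the element names (`entry@name`, `serial`, `connected`, `hostname`, `ip-address`, `sw-version`, `model`) are assumed to match the usual output of that command.

```python
"""Reconcile Panorama's 'show devices connected' output against the expected
serial -> management IP mapping after a MGT IP change (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample of a 'show devices connected' XML API response.
# The retired PA-5060-A still appears under its own serial and still shows the
# IP that the new PA-5250-A has taken over: Panorama keys on the serial, so the
# duplicate IP is not a conflict, but the stale entry should be removed.
SAMPLE_RESPONSE = """<response status="success"><result><devices>
<entry name="013201000111"><serial>013201000111</serial><connected>yes</connected>
 <hostname>PA-5250-A</hostname><ip-address>10.10.1.11</ip-address>
 <sw-version>9.1.6</sw-version><model>PA-5250</model></entry>
<entry name="013201000112"><serial>013201000112</serial><connected>yes</connected>
 <hostname>PA-5250-B</hostname><ip-address>10.10.1.99</ip-address>
 <sw-version>9.1.6</sw-version><model>PA-5250</model></entry>
<entry name="009401000055"><serial>009401000055</serial><connected>no</connected>
 <hostname>PA-5060-A</hostname><ip-address>10.10.1.11</ip-address>
 <sw-version>7.1.15</sw-version><model>PA-5060</model></entry>
</devices></result></response>"""

# Serials the migrated HA pair should connect from, and the IPs reused from the
# 5060s (made-up values). The third serial was never added to Panorama.
EXPECTED = {
    "013201000111": "10.10.1.11",
    "013201000112": "10.10.1.12",
    "013201000999": "10.10.1.13",
}


def parse_connected_devices(xml_text):
    """Return {serial: {connected, hostname, ip, version, model}}."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("Panorama returned status=%r" % root.get("status"))
    devices = {}
    for entry in root.iterfind("./result/devices/entry"):
        serial = entry.get("name")  # Panorama keys the entry by serial number
        devices[serial] = {
            "connected": entry.findtext("connected") == "yes",
            "hostname": entry.findtext("hostname"),
            "ip": entry.findtext("ip-address"),
            "version": entry.findtext("sw-version"),
            "model": entry.findtext("model"),
        }
    return devices


def check_migration(devices, expected):
    """For each expected serial report one of:
    'ok', 'missing' (serial never added to Panorama), 'disconnected'
    (added but not talking to Panorama), or 'ip-mismatch:<ip seen>'."""
    result = {}
    for serial, want_ip in expected.items():
        dev = devices.get(serial)
        if dev is None:
            result[serial] = "missing"
        elif not dev["connected"]:
            result[serial] = "disconnected"
        elif dev["ip"] != want_ip:
            result[serial] = "ip-mismatch:" + dev["ip"]
        else:
            result[serial] = "ok"
    return result


def stale_devices(devices, expected):
    """Serials Panorama still lists but that are not expected any more, i.e.
    the retired units to delete from Managed Devices."""
    return sorted(s for s in devices if s not in expected)


if __name__ == "__main__":
    devs = parse_connected_devices(SAMPLE_RESPONSE)
    for serial, status in check_migration(devs, EXPECTED).items():
        print(serial, devs.get(serial, {}).get("hostname", "-"), status)
    print("stale entries to remove:", stale_devices(devs, EXPECTED))
```

Run it against real output by saving the API response to a file and passing its contents to `parse_connected_devices`; a serial that shows `missing` has to be added to Panorama, one that shows `disconnected` a few minutes after the IP change points at reachability or the allowed address list rather than at the IP change itself, and an `ip-mismatch` means the unit connected from an address other than the one you configured.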