Changing the panorama service route without causing a revert


L0 Member

I am running into a problem and am looking for any ideas or experience that may provide a solution.

I have a firewall that is managed by Panorama and the service route for Panorama is set to ‘default’. I want to change this route to communicate to Panorama over an IPSec tunnel. This change causes a revert and I guess this is probably expected behavior because the connection is interrupted. How can I accomplish this change without a revert?

I have tried doing it from the firewall side and the Panorama side. I’ve tried using specific policies that target Panorama. I’ve tried every combination of configuration order that I can think of and am still coming up short. Does anybody have any resource they could point me to?

Accepted Solutions

Cyber Elite

@calvinmcelroy,

Does your firewall have communication to Panorama over the IPSec tunnel? There's a wait incorporated before the revert that would account for the routing change before it reverts the configuration, which makes it possible your change is actually breaking the communication back to Panorama long-term.

@BPry

After checking, Panorama was not communicating over the VPN tunnel even with the service route changed and an any/any rule in place. I created a second rule that specifically targets the Panorama servers and the interface for the VPN. Fixed my issue.

Thanks for the help.
