This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

FW in Palo IP changed

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

FW in Palo IP changed

RobertShawver
L4 Transporter

‎07-01-2021 06:16 AM

Hello -

I have an HA pair of palo's that were added to Panorama. The management IP for each of those palo's has changed and are now showing in a disconnected state. How can I correct this?

 
Thanks in advance.

0 Likes Likes
5 REPLIES 5

vsys_remo
Cyber Elite
Cyber Elite

‎07-03-2021 12:08 PM

Hi @RobertShawver 

From the new management IPs of the firewalls, is it possible to reach the panorama? Is the new network configuration correctly configured and these firewalls are able to communicate to the default gateway and other networks? Is an ACL on panorama configured that restrics access to only specific IPs or is a firewall in front of the panorama that prevents the communication from the new IPs?

The communication is always coming from the firewall to panorama so you need to make sure that this way of communication is possible.

Astardzhiev
Cyber Elite
Cyber Elite

‎07-04-2021 12:39 AM

Hi @RobertShawver ,

Two points to remember when troubleshooting panorama connectivity:

- Aways the FW is the initiator of the connection. Which means FW is always the source of the traffic and panorama is just waiting for someone to call it

- Panorama is tracking firewalls by serial numbers, not by management IP. Which means panorama will accept any connection request as long as the FW serial number is added to panorama.

 

So by default Panorama will accept/establish TCP connection with any source IP, but can reject the connection if the provided FW S/N is not in the list of managed devices. You can control this by configuring "Permitted IPs" under the panorama management interface. That way Panorama will respond only IP from the allow list.

 

If everying is setup properly if FW is connected to Panorama, but its mgmt ip is change. The new IP will be detect and changed automatically. So it looks more like the new mgmt ip is not reaching the Panorama:

- Try to ping panorama from fw using mgmt interface

- Check if you have configured permitted ip panorama interface

- Last resort make a packet capture on panorama and FW interface and confirm that you have bi-directional traffic

RobertShawver
L4 Transporter
In response to Astardzhiev

‎07-12-2021 09:49 AM

Great info to have!  I read your post and figured it out.  I set the object for the Firewalls within Pano to IP (so pano saw the old IP and not the new).  I changed it to FQDN and whiz-bang, it connected.

0 Likes Likes

a-techie
L1 Bithead
In response to RobertShawver

‎07-12-2021 10:54 AM

@RobertShawver Can you please tell me where did you use that object? Would be great if you share a screenshot(after masking any sensitive details)

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks