From the new management IPs of the firewalls, is it possible to reach the Panorama? Is the new network configuration correct, and are these firewalls able to communicate with the default gateway and other networks? Is an ACL configured on Panorama that restricts access to only specific IPs, or is there a firewall in front of the Panorama that prevents the communication from the new IPs?
The communication is always initiated from the firewall to Panorama, so you need to make sure that this direction of communication is possible.
Hi @RobertShawver ,
Two points to remember when troubleshooting panorama connectivity:
- Always the FW is the initiator of the connection, which means the FW is always the source of the traffic and Panorama is just waiting for someone to call it.
- Panorama is tracking firewalls by serial number, not by management IP, which means Panorama will accept any connection request as long as the FW serial number is added to Panorama.
So by default Panorama will accept/establish a TCP connection with any source IP, but can reject the connection if the provided FW S/N is not in the list of managed devices. You can control this by configuring "Permitted IPs" under the Panorama management interface. That way Panorama will respond only to IPs from the allow list.
If everything is set up properly and the FW is connected to Panorama but its mgmt IP is changed, the new IP will be detected and updated automatically. So it looks more like the new mgmt IP is not reaching the Panorama:
- Try to ping panorama from fw using mgmt interface
- Check if you have configured permitted IPs on the Panorama interface
- Last resort: make a packet capture on the Panorama and FW interfaces and confirm that you have bi-directional traffic
Pretty simple really, we have Addresses and Address Groups under the Objects tab in Panorama. You create the Address object and then add it to an Address Group object. We then apply that Address Group to the Rules needed for them to talk.
What I, stupidly, did was when I created the Address for the managed firewall I used Type IP Netmask.
What I should have done, and have since corrected, was use Type FQDN.
This way if the IP changes, I don't have to do anything. 🙂
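The two configurations side by side, as an added PAN-OS CLI example that is not part of the thread (object names, the FQDN, the addresses and the Panorama permitted-IP range are placeholders; the group is assumed to be referenced by the rules that allow the managed firewall to talk, and the Panorama line only applies if you restrict Permitted IPs as described in the earlier reply):

```text
# Before: the address object is pinned to the old management IP, so the
# security rules using the group silently stop matching once the IP changes.
set shared address fw01-mgmt ip-netmask 10.10.1.5/32
set shared address-group managed-fw-mgmt static [ fw01-mgmt ]

# After: the object resolves by name, so a changed management IP only
# needs a DNS update; the group and the rules stay untouched.
delete shared address fw01-mgmt
set shared address fw01-mgmt fqdn fw01.mgmt.example.com
set shared address-group managed-fw-mgmt static [ fw01-mgmt ]

# On Panorama itself, if Permitted IPs is used on the management interface,
# the new management subnet must be in the list or the firewall-initiated
# connection is dropped before the serial number is ever checked.
set deviceconfig system permitted-ip 10.20.1.0/24
commit
```

The FQDN object is only as current as the DNS record and the device's FQDN refresh, so after a management IP change verify that the name already resolves to the new address from the device that enforces the rule.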