04-20-2025 08:58 PM
I need assistance integrating Palo Alto firewalls in an Active/Passive HA setup with Panorama. Below is an overview of the setup:
At customer sites, we have Palo Alto firewalls configured in Active/Passive HA mode, and they are currently managed locally. We are now planning to integrate them with Panorama, which is hosted in the AWS cloud. An IPSec tunnel has been established between AWS and the customer sites for this purpose.
Since the management subnet at the sites does not have a route to reach Panorama in AWS, I have configured a dedicated dataplane interface solely for Panorama communication. I have also modified the service route to use this dataplane interface instead of the default management interface.
However, because this dataplane interface is not active on the passive firewall, the passive firewall is unable to communicate with Panorama and appears as “disconnected” in Panorama.
To onboard the firewalls into Panorama, we need to import the existing firewall configuration into Panorama and then push the configuration back to the devices. Since the passive firewall is in a disconnected state, we are unable to perform this operation.
Is there a recommended workaround to address this situation?
Firewall model: PA 440
Software version: 11.1.4
04-22-2025 09:24 AM
Hello,
Did you also change the 'service route' to the new interface?
Also, is the interface set up to be a Management interface?
If you did and it's still not working, I suggest utilizing the management interface and adding the route to the VPN.
Regards,
04-22-2025 11:02 AM
In the HA setup, there's an option that allows the interfaces to be in an "UP" / online state. I'm not sure but that might be enough to bring the dataplane port up for the service route to work.
04-22-2025 11:05 AM
@OtakarKlier -- OP's issue is that the secondary/passive FW isn't being seen by PAN in AWS. The passive firewall is using a service route on the DP. The issue is that since he's using an inline data port and the DP is down in a passive state, the service route won't work. (I think this is his issue)
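For reference, an added PAN-OS CLI example (not posted by anyone in this thread) that puts the two service-route choices discussed above side by side, plus the HA link-state option and the checks to run on each peer; the interface name ethernet1/4, the address 10.10.40.2/24 and the use of HA group 1 are assumed values, and lines starting with # are notes, not commands:

```text
# 1. What the original post describes: Panorama traffic sourced from a dataplane
#    interface (configure mode). On the passive peer this interface does not carry
#    traffic, so Panorama shows that peer as disconnected.
set deviceconfig system route service panorama source interface ethernet1/4 address 10.10.40.2/24
commit

# 2. The workaround from the first reply: remove the custom service route so the
#    panorama service falls back to the MGT interface, which stays reachable on
#    both peers regardless of HA state.
delete deviceconfig system route service panorama
commit
#    The MGT interface only takes a default gateway, so the route from the management
#    subnet to Panorama across the IPSec tunnel must exist on the management network's
#    gateway, not on the firewall itself.

# 3. The HA option mentioned above is, I assume, the passive link state. "auto" brings
#    the passive peer's dataplane links up physically, but as noted in the reply above
#    a passive dataplane still does not service the route, so on its own this is
#    unlikely to reconnect the passive peer.
set deviceconfig high-availability group mode active-passive passive-link-state auto
commit

# Checks (operational mode), run on both peers after the commit:
show high-availability state
show panorama-status
```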