10.1 Panorama Registration Auth Key issues


L1 Bithead

I am posting this question, and answer, for the benefit of the community.

The Registration Auth Keys are a ONE TIME authorization key that allows a FW/WF/Logger device to talk to Panorama.  However, it appears that the order of configurations matters...and if the initial communication fails (for whatever reason) you must restart the pairing process again.

Panorama and the Loggers were able to PING one another and SSH between the two was working.

1.  We created the Registration Auth Key on Pano - only defining the "key type" Logger, we did not fill in any serial numbers.

2.  We then converted 4 pano boxes into dedicated loggers

3.  We added the Registration Auth Key to each of the loggers

4.  Then in Pano, we created 4 "Collector" profiles - filling in ONLY the serial number of each collector

....but none of the loggers would pair with Panorama.

Turns out the client had some firewall policies in place that were preventing the initial handshake.  The policies were allowing PING but the Logger IPs had not been added to the policy that permitted Panorama port 3978.  After discovering and correcting those policies the loggers still wouldn't pair with Panorama.  In addition, after fixing those policies those same FWs were now seeing small bit traffic from the Logger to the Panorama on port 3978.  So it looked like communication was happening but Pano still wasn't registering the devices.

5.  We then removed the Auth keys from the loggers and then re-added the SAME key on all the loggers

6.  After that, all 4 loggers were then able to pair with the Panorama.

Thus the takeaway is that after the logger tries to send the Registration Auth key it does not attempt again. The FW policy blocked that singular attempt, thus Panorama was never receiving that initial Auth key for the first time pairing.  This implies that, literally, the one time key is used only once - if communication is not established, it doesn't try again until the key is removed and added again.

Maybe others can chime in on this to confirm the above observed theory.

1 REPLY 1

L1 Bithead

Regarding the "ORDER" of configuration.  Our take was this:

1. Ensure port 3978 is open between the device and Panorama

2. Create the Registration Auth Key on Panorama

3. Create the Dedicated Logger profiles on Panorama FIRST - you only need to use the device serial number.  Don't fill out anything else (yet).

4. Add the Auth Key to the device

If you reverse 3 & 4, you run the risk of the above theory - that as soon as you add the Auth Key to the device, but the Logger profile does not yet exist, the device will try to pair ONCE and not try again.  And being that you haven't created the Pano Logger profile yet, Pano won't pair with the random device it is not configured to talk to yet.
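Step 1 of the order above is the one that silently failed in this thread: ping worked, but TCP 3978 was dropped, and the one-shot key was consumed against a dead path. The following is an added example (my own code, not from the thread, PAN-OS or Palo Alto Networks) of a pre-flight check that attempts a real TCP handshake to Panorama on 3978 before the Registration Auth Key is added. It assumes you run it from a host in the same network segment as the logger (the devices themselves have no Python shell), and `start_local_listener` is a constructed loopback stand-in for Panorama so the check can be exercised offline.

```python
"""Pre-flight reachability check for the device-to-Panorama port (TCP/3978).

Added example, not part of the thread or of any Palo Alto Networks tooling.
ICMP ping proves nothing about port 3978; only a completed TCP handshake does.
"""
import socket
from dataclasses import dataclass

PANORAMA_PORT = 3978  # device-to-Panorama management port named in the thread


@dataclass
class PortCheck:
    host: str
    port: int
    reachable: bool
    detail: str


def check_tcp_port(host: str, port: int = PANORAMA_PORT, timeout: float = 3.0) -> PortCheck:
    """Attempt a full TCP handshake to host:port and classify the outcome.

    A timeout is the usual signature of a policy silently dropping the SYN
    (the thread's situation); a refusal means the path is open but nothing
    is listening on the far side.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return PortCheck(host, port, True, "TCP handshake completed")
    except socket.timeout:
        return PortCheck(host, port, False, "timed out: SYN likely dropped by a policy")
    except ConnectionRefusedError:
        return PortCheck(host, port, False, "connection refused: path open, no listener")
    except OSError as exc:
        return PortCheck(host, port, False, f"socket error: {exc}")


def start_local_listener() -> tuple[socket.socket, int]:
    """Open a loopback listener on an ephemeral port.

    Constructed stand-in for Panorama so the check can be demonstrated offline;
    the caller is responsible for closing the returned socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration: once against a live listener, once after it is closed.
    # For a real pre-flight, call check_tcp_port("<panorama-mgmt-ip>") from the
    # logger's segment and only add the Auth Key when reachable is True.
    srv, port = start_local_listener()
    print(check_tcp_port("127.0.0.1", port))
    srv.close()
    print(check_tcp_port("127.0.0.1", port))
```

The distinction between "timed out" and "connection refused" is the useful part: a refusal tells you the security policy is not the problem, while a timeout points straight at a drop rule like the one the client had, and both are worth resolving before the single-use key is spent.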
