Firewall not connecting to Panorama

L1 Bithead

Hello, I have a newly deployed Panorama and a new PA-440 firewall.

I setup Panorama with all basic settings like IP address/netmask, default GW, DNS, it has license assigned.

Next I generated an AuthKey for the firewalls with a validity of 10 days and without an SN specified.

 

PA-440 is in remote location and has a basic WAN setup and IPSec VPN to my datacenter where panorama is. 

It has a vlan interface setup in my internal zone and set as source for every service.

I am able to ping Panorama from the PA-440 so network over VPN is working.

When I setup Panorama IP with Auth Key on the firewall and add Firewall on panorama by the Serial Number I still see PA-440 in panorama as Disconnected.

I checked the datacenter firewall where the IPSec is terminated and I can't see any blocked traffic between these two in the logs.

Port 3978 for Panorama is enabled in security rules and I can see some SSL traffic is passing in the datacenter over this port.

Is there something else I forgot to set up, or something else I need to check in order to be able to manage this firewall by Panorama?

20 REPLIES

L3 Networker

Hi,

 

Can you check these given ports as per your connectivity between the FWs and Panorama? At the same time, can you check the logs

in Monitor > Logs > System.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/reference-port-nu...

 

Example:

Mudhireddy_0-1646073396693.png

On Firewall:

show panorama-status

On Panorama:

show devices all

 

verify both commands.

 

Panorama APP-ID: When the managed firewall communicates with Panorama, by default this traffic is sent over the MGT interface. Because traffic leaving the MGT interface of the firewall is not subject to a Security policy check, no additional Security policy rule configuration is necessary.

However, in some deployments, the administrator might choose to send management traffic through one of the data-plane interfaces of the firewall. In this case, remember to create a Security policy rule to allow the Panorama application. Otherwise, the firewall denies communications with Panorama.

 

Mudhireddy_1-1646073541341.png

and try to see reachability:

Use ping from the firewall or Panorama command line: ping count <integer> source <IP-address> host <IP-address>

 

and try pcap on mgmt using tcpdump

• Run tcpdump from the command line of Panorama or the firewall to capture the traffic. When you have enough data, press Ctrl+C to stop the capture.

Example: tcpdump filter "host 10.1.10.10"

 

 

Best Regards,
Suresh

Hi, 

I am using dataplane port instead of Management as the connection to panorama is anyway over the IPSec VPN connection. 

The corresponding firewall rules are applied on both firewalls and they are passing the traffic on these ports. Also, ping works fine.

From Firewall: show panorama-status

 

Panorama Server 1 : 192.168.1.20
    Connected     : no
    HA state      : disconnected

 

From Panorama: show devices all

 

Serial                   Hostname        IPv4            IPv6                             Connected
--------------------------------------------------------------------------
00000000XXXX                                                                                     no
Wildfire Real-time Stream Disabled  VPN Disable Mode: no
  Operational Mode: normal
  Certificate Status:
  Certificate subject Name:
  Certificate expiry at:
  Connected at:
  Custom certificate Used:
  Last masterkey push status: Unknown
  Last masterkey push timestamp:  none
  Express mode: no
 Device cert present :
 Device cert expiry date : N/A

 

I also ran a PCAP and I can see traffic from the opposite side on both Panorama and the firewall.

I also checked all of this against this checklist:

AdamHP_0-1646164422919.png

1. IP connectivity is there

2. Port 3978 and also others required for panorama are open

3. DeviceCert on Panorama installed

4. Serial number of device is correct

5. Management profile set up on this interface used for communication

6. Panorama is on version 10.2, Firewall 10.1.4

7. MTU on tunnel interface lowered

8. Time synchronized using NTP

 

What else can I check?

Cyber Elite

Thank you for supplying additional information @AdamHP

 

Could you check from Panorama's CLI whether a TCP connection is established, using: show netstat numeric yes | match 3978 ?

Could you check status of Panorama's certificate from browser: https://<panorama ip>:3978 ?

Could you also check log on Panorama side from CLI: tail lines 500 mp-log configd.log ? Search events corresponding with Firewall's Serial Number.

 

Kind Regards

Pavel


Hello Pavel, 

1. netstat is showing no match, so no TCP connection on this port is established.

 

2. When I access the Panorama IP on port 3978, I get a window to select which certificate I want to use to authenticate myself

AdamHP_0-1646253059854.png

After I click on OK, I see that Panorama is using a self-signed cert issued to localhost

 

3. In the log, the only entry found with the serial of the FW was like this:

2022-03-02 15:22:45.032 +0100 String is <devices>
  <entry name="000000000001"/>
  <entry name="000000000000"/>
</devices>
2022-03-02 15:22:45.032 +0100 After str: <devices>
  <entry name="000000000001"/>
  <entry name="000000000000"/>
</devices>
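As an added example (not from this thread or from Palo Alto Networks), a small Python helper that parses the two CLI outputs quoted above, `show panorama-status` on the firewall and `show devices all` on Panorama, and turns them into the next checks Pavel suggests. The sample output and the serial number are constructed placeholders modelled on the posts.

```python
import re

# Constructed sample output modelled on the thread's posts (placeholder serial).
PANORAMA_STATUS = """\
Panorama Server 1 : 192.168.1.20
    Connected     : no
    HA state      : disconnected
"""
DEVICES_ALL = """\
Serial          Hostname   IPv4   IPv6   Connected
-------------------------------------------------
00000000XXXX                             no
Wildfire Real-time Stream Disabled  VPN Disable Mode: no
  Operational Mode: normal
  Certificate Status:
  Device cert present :
"""

def parse_panorama_status(text):
    """Firewall 'show panorama-status' -> {panorama_ip: connected?}."""
    servers, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*Panorama Server \d+\s*:\s*(\S+)", line):
            cur = m.group(1)
        elif (m := re.match(r"\s*Connected\s*:\s*(yes|no)", line)) and cur:
            servers[cur] = m.group(1) == "yes"
    return servers

def parse_devices_all(text):
    """Panorama 'show devices all' -> {serial: {field: value}}; a block is a
    table row 'SERIAL ... yes|no' followed by indented 'Key: value' lines."""
    devices, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"([0-9A-Za-z]{10,})\s.*?\s(yes|no)\s*$", line):
            cur = devices.setdefault(m.group(1), {"Connected": m.group(2)})
        elif cur is not None and (m := re.match(r"\s+([A-Za-z][^:]*?)\s*:\s*(.*)$", line)):
            cur[m.group(1)] = m.group(2).strip()
    return devices

def diagnose(fw_status, devices, serial):
    """Combine both views into the checks the thread converges on."""
    findings = []
    for ip, up in fw_status.items():
        if not up:
            findings.append(f"no session to Panorama {ip}: verify TCP 3978 "
                            "on Panorama with 'show netstat numeric yes | match 3978'")
    dev = devices.get(serial)
    if dev is None:
        findings.append(f"serial {serial} is not added on Panorama")
    elif dev["Connected"] != "yes" and not dev.get("Certificate Status"):
        findings.append("Panorama holds no certificate for this serial: the TLS "
                        "session on 3978 has never completed, inspect mp-log configd.log")
    return findings
```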

 
