Firewall not connecting to Panorama


L1 Bithead

Hello, I have a newly deployed Panorama and a new PA-440 firewall.

I set up Panorama with all the basic settings (IP address/netmask, default GW, DNS), and it has a license assigned.

Next I generated an AuthKey for the firewalls, valid for 10 days and without an SN specified.

The PA-440 is in a remote location and has a basic WAN setup and an IPSec VPN to my datacenter, where Panorama is.

It has a VLAN interface set up in my internal zone and set as the source for every service.

I am able to ping Panorama from the PA-440, so the network over the VPN is working.

When I set up the Panorama IP with the Auth Key on the firewall and add the firewall on Panorama by its serial number, I still see the PA-440 in Panorama as Disconnected.

I checked the datacenter firewall where the IPSec is terminated and I can't see any blocked traffic between these two in the logs.

Port 3978 for Panorama is enabled in the security rules and I can see some SSL traffic passing over this port in the datacenter.

Is there something else I forgot to set up, or something else I need to check, in order to be able to manage this firewall with Panorama?

Cyber Elite

Thank you for the reply and for getting the logs, @AdamHP.

Error 5 is "SSL verification failure". Unless you configured mutual SSL authentication, only Panorama has to present a certificate: https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/set-up-panorama/set-up-authentication...

Would it be possible to check the certificate on Panorama one more time? The certificate is self-signed; however, could you confirm valid to, issuer, subject, ...?

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Hi Pavel,

If you mean the cert on HTTPS port 3978, I am getting this:

[screenshot attachment: AdamHP_0-1646646144612.png]

It is issued to my Panorama IP address.

L0 Member

Check under Monitor -> Session Browser under each firewall it flows through, even the source firewall.

Had the same problem, and it turns out Panorama traffic won't match a catch-all; it must specifically be the application Panorama.

L1 Bithead

Thank you all for the help. It turns out that on the source firewall (PA-440) I allowed traffic for the Panorama application on its default port 3978, but in the firewall monitor I found that the flow was recognized as ssl on port 3978, and this was blocked.
I was thinking that once there is a Panorama app it would be matched, and didn't check this, but I was wrong. 🙂
I had a similar issue today on another firewall in the datacenter where we had a rule for WinRM (microsoft-remote-management), which was working fine before, but now after some updates it is recognized as web-browsing on the WinRM port 5985.
So the solution is to not trust the Palo Alto application matching and always check the flows.
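A small added check in the spirit of this answer (example code, not from the thread or from Palo Alto Networks): it scans traffic-log lines for sessions that hit a management port but were identified as a different App-ID than the rule expected, so a port-based rule that lists only the expected app can be spotted before it silently drops the flow. The CSV layout and IP addresses are constructed for the example; the App-ID names and ports are the ones mentioned in the thread.

```python
import csv
from io import StringIO

# Ports from the thread and the App-ID the rule author expected on each
# (names as written in the thread; extend for other management services).
EXPECTED_APP_BY_PORT = {
    3978: "panorama",
    5985: "microsoft-remote-management",
}

# Constructed sample in a simplified CSV layout (not the PAN-OS export format).
SAMPLE_LOG = """src,dst,dport,app,rule,action
10.1.1.5,10.0.0.10,3978,panorama,allow-panorama,allow
10.1.1.5,10.0.0.10,3978,ssl,deny-all,deny
10.2.2.7,10.0.0.20,5985,web-browsing,deny-all,deny
10.3.3.9,10.0.0.30,443,ssl,allow-web,allow
"""


def find_app_mismatches(log_text, expected=EXPECTED_APP_BY_PORT):
    """Return sessions on a known management port whose App-ID is not the
    application the port-based rule expected, with the rule/action that
    handled them so a denied flow points straight at the rule to widen."""
    mismatches = []
    for row in csv.DictReader(StringIO(log_text)):
        dport = int(row["dport"])
        want = expected.get(dport)
        if want is None or row["app"] == want:
            continue  # unknown port, or App-ID matched as expected
        mismatches.append({
            "src": row["src"], "dst": row["dst"], "dport": dport,
            "expected_app": want, "observed_app": row["app"],
            "rule": row["rule"], "action": row["action"],
        })
    return mismatches


def apps_to_add(mismatches):
    """Per port, the set of observed App-IDs the rule must also list so the
    session matches on App-ID rather than on port alone."""
    grouped = {}
    for m in mismatches:
        grouped.setdefault(m["dport"], set()).add(m["observed_app"])
    return grouped


if __name__ == "__main__":
    found = find_app_mismatches(SAMPLE_LOG)
    for m in found:
        print(f"{m['src']}->{m['dst']}:{m['dport']} identified as {m['observed_app']}, "
              f"expected {m['expected_app']}; {m['action']} by rule {m['rule']}")
    print("App-IDs to add per port:", apps_to_add(found))
```

Run against a real export after mapping its column names onto src/dst/dport/app/rule/action; any entry with action deny on a management port is the same failure the thread describes.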

L2 Linker

I also have a PA-440 on 10.2 and Panorama on 10.2, and the same issue: the FW keeps disconnecting. I think this is a bug in 10.2.

--
PA-220, PA-820, Cortex XDR