The Panorama IP has been changed on the firewall, but the firewall still has a session to the original IP

L1 Bithead

Panorama is used for management and log collection. The IP address of Panorama has not changed. There is a firewall outside Panorama, which maps the 3978 port of the firewall's exit IP to Panorama. The managed firewall was originally configured with the private network IP of Panorama. Now it is changed to the mapped public network IP. After the change, the original private network IP is still reachable. The management traffic of the firewall will pass through its own data layer. It can be seen from the firewall session that there is still a session to the original private IP address. Is this normal? Is there an official statement?

Regards
Wilbur

L4 Transporter

Hi

There are a couple of things here to check. One would be the configurations that include the original IP of the Panorama, such as log collector groups and so on. As the traffic for the Panorama communication is running through the data plane of the firewall, I would look at the session browser to see if these are just old sessions that are still active; if they are, you could try clearing them. You can do this from the session browser by clicking the X at the end of the session entry. You could also try restarting the management server of the firewall using "debug software restart process management-server" from the command line. You will lose the management connectivity to the firewall momentarily as it restarts, but it should not affect data plane traffic in any way.

Hope this helps.

PCCSA PCNSA PCNSE PCSAE
Mode44 LTD Palo Alto Consultants

L6 Presenter

This seems like a bug that causes crashes and/or memory leaks, and till it is fixed maybe you can run a script using tools like Ansible or XSOAR to periodically restart the process or the management plane:

https://paloaltonetworks.github.io/pan-os-ansible/modules/panos_op_module.html

https://xsoar.pan.dev/docs/reference/integrations/panorama

Automating those tasks is a really elegant solution; XSOAR would make it really easy too. I wonder, is there a playbook already for this? I will check when I have a chance.

PCCSA PCNSA PCNSE PCSAE
Mode44 LTD Palo Alto Consultants
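The two suggestions above (first confirm in the session table that the connections to the old Panorama address are only stale sessions, then restart the management-server process) combined into one Ansible playbook using the panos_op module linked above. This is an added example, not code from either reply or from the pan-os-ansible project; it assumes an inventory group `firewalls`, host vars `ip_address` and `api_key`, and a constructed placeholder `old_panorama_ip` for the private Panorama address.

```yaml
# Added example (not from the thread). Requires the paloaltonetworks.panos
# collection. Run it on a schedule (AWX/Tower, cron) if the stale sessions keep
# coming back, as the reply suggests, but review the session output first.
- name: Check stale Panorama sessions and restart management-server
  hosts: firewalls
  connection: local
  gather_facts: false
  vars:
    # Assumed host vars; api_key should come from a vault, not plain text.
    provider:
      ip_address: "{{ ip_address }}"
      api_key: "{{ api_key }}"
    # Constructed placeholder: the old private Panorama IP from the question.
    old_panorama_ip: "10.0.0.5"

  tasks:
    # Step 1 of the first reply: look at the session table for leftovers
    # toward the old Panorama address on the Panorama management port 3978.
    - name: List sessions still going to the old Panorama IP on port 3978
      paloaltonetworks.panos.panos_op:
        provider: "{{ provider }}"
        cmd: >-
          show session all filter destination {{ old_panorama_ip }}
          destination-port 3978
      register: stale_sessions

    - name: Show what the firewall still has open (for the change record)
      ansible.builtin.debug:
        var: stale_sessions.stdout_xml

    # Step 2 of the first reply: restart the management-server process.
    # Management connectivity drops briefly; data plane traffic is unaffected.
    - name: Restart the management-server process
      paloaltonetworks.panos.panos_op:
        provider: "{{ provider }}"
        cmd: "debug software restart process management-server"
      when: stale_sessions.stdout_xml is search(old_panorama_ip)
```

The `when` condition keeps the restart from running on firewalls that no longer show sessions to the old address, so the playbook is safe to schedule fleet-wide.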

L1 Bithead

Hello All,

After I configured the public IP to Panorama's management interface, this problem was solved. Thank you for your support.

Regards

Wilbur
