01-02-2020 12:05 PM
One HUGE caveat to the new setup: Palo Alto has gone back to the 80s and reproduced all the issues with FTP in their stupid/braindead updates protocol. Namely, that they embed the IP of the Panorama server INSIDE the data payload of the IP packets, instead of using the "Panorama IP" set in the Device tab of the managed firewall. Thus, if your Panorama server is behind a NAT, and your remote firewalls are configured to connect to Panorama via the public IP, these new "pushed pulls" will fail (the private IP of the Panorama server is passed through as part of the TCP payload).
Instead of fixing their braindead protocol, they added a new configuration setting: Panorama tab --> Setup --> Interfaces sub-tab --> Management. In there, you have to manually enter the public/NAT IP for the Panorama server.
Virtually every other protocol released since the 90s has been NAT-aware due to all the issues with PASV/ACTV FTP shenanigans, but Palo Alto decided (in 2019) to released a broken protocol that can't work through NAT without special steps.
The more I use PanOS 8.1, the more I long for the days of 7.1. It seems to be two steps forward, 1 step backward with ever minor release. 😞
