08-31-2021 01:16 PM - edited 09-01-2021 08:10 AM
Hello,
We are trying to set up a new deployment in AWS consisting of two firewalls managed by a Panorama server.
For starters, we deployed one firewall and one Panorama instance. They are in the same VPC, different subnets. Security groups currently allow all TCP to/from the Panorama server and the firewall.
Both Panorama and the firewall have been licensed successfully and have a device certificate retrieved after generating an OTP.
They are both on version 10.0.7.
They both have the predefined certificates specified under the secure communication settings.
So... after specifying the Panorama IP on the firewall and attempting to add the firewall to Panorama, we see it still has a status of disconnected.
Looking in the system logs on the firewall shows a bunch of entries that basically follow the pattern "connected to Panorama Server", followed immediately by "Disconnected from Panorama Server".
On the Panorama server, the pattern is "Client authentication successful PAN-OS ver: 10.0.7 Panorama ver:10.0.7 Client IP: x.x.x.x Server IP: y.y.y.y Client CN: xxxxxxxxx", followed by "added bootstrapped device xxxxxxx to candidate configuration", followed by "xxxxxx connected", followed by "Device xxxxx disconnected from the server", all in rapid succession. That last event has "tls-session-disconnected", which makes me think maybe this is cert-based (?)
Does anyone know what may cause this behavior? We are brand new to Palo, so thinking it may very well be a layer 8 thing, just stumped as to what.
Thanks for the help!
UPDATE: Looks like maybe this is a bug with 10.0.7. Downgraded to 10.0.6 and it's connected now.
UPDATE 2: This looks to maybe be a code bug... I downgraded both Panorama and the FW to 10.0.6 and everything started to work.
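A quick way to quantify the connect/disconnect pattern described in the post, added here as an editor's example (it is not code from the thread, from PAN-OS, or from any Palo Alto Networks tool): parse firewall system log lines, pair each connect with the disconnect that follows it, count how many cycles close within a few seconds, and pull out the disconnect reason so "tls-session-disconnected" stands out from, say, a plain network timeout. The sample log lines are constructed to mirror the messages the post quotes; the line layout (timestamp, severity, message) is an assumption, not the real PAN-OS system log format, so `LINE_RE` needs adjusting to whatever your CSV or syslog export actually looks like.

```python
"""Detect a Panorama connect/disconnect flap loop in firewall system log lines.

Added example, not from the post. Message wording follows what the post quotes;
the line layout is an assumed, simplified format, not the PAN-OS log schema.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: four connect/disconnect cycles seconds apart, the
# firewall-side pattern the post describes.
FLAPPING_LOG = """\
2021/08/31 13:05:01 info Connected to Panorama Server 10.0.2.10
2021/08/31 13:05:01 info Disconnected from Panorama Server 10.0.2.10 (tls-session-disconnected)
2021/08/31 13:05:31 info Connected to Panorama Server 10.0.2.10
2021/08/31 13:05:32 info Disconnected from Panorama Server 10.0.2.10 (tls-session-disconnected)
2021/08/31 13:06:01 info Connected to Panorama Server 10.0.2.10
2021/08/31 13:06:01 info Disconnected from Panorama Server 10.0.2.10 (tls-session-disconnected)
2021/08/31 13:06:31 info Connected to Panorama Server 10.0.2.10
2021/08/31 13:06:32 info Disconnected from Panorama Server 10.0.2.10 (tls-session-disconnected)
"""

# Constructed sample: a healthy session, one connect and no disconnect after it.
HEALTHY_LOG = """\
2021/09/01 08:00:05 info Connected to Panorama Server 10.0.2.10
2021/09/01 08:45:00 info Configuration sync from Panorama completed
"""

# Assumed layout: "<YYYY/MM/DD HH:MM:SS> <severity> <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+(?P<msg>.+)$")
# Disconnect reason, if the message ends in a parenthesised tag.
REASON_RE = re.compile(r"\(([^)]+)\)\s*$")


def parse_log(text):
    """Return [(datetime, message)] for every line matching the assumed layout."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["msg"]))
    return events


def is_connect(msg):
    return msg.lower().startswith("connected to panorama")


def is_disconnect(msg):
    return msg.lower().startswith("disconnected from panorama")


def find_flaps(events, max_gap=timedelta(seconds=10)):
    """Pair each connect with the next disconnect; a flap is a pair closed within max_gap."""
    flaps = []
    pending = None  # timestamp of the last connect not yet closed by a disconnect
    for ts, msg in events:
        if is_connect(msg):
            pending = ts
        elif is_disconnect(msg) and pending is not None:
            gap = ts - pending
            if gap <= max_gap:
                reason = REASON_RE.search(msg)
                flaps.append({
                    "connected_at": pending,
                    "gap_seconds": gap.total_seconds(),
                    "reason": reason.group(1) if reason else "unknown",
                })
            pending = None
    return flaps


def session_is_stable(events, min_uptime=timedelta(minutes=5)):
    """True if the last connect has no later disconnect and has lasted at least
    min_uptime, measured to the last log line (the log is all we can see)."""
    last_connect = None
    for ts, msg in events:
        if is_connect(msg):
            last_connect = ts
        elif is_disconnect(msg):
            last_connect = None
    if not events or last_connect is None:
        return False
    return events[-1][0] - last_connect >= min_uptime


def summarize(text, max_gap=timedelta(seconds=10)):
    """Counts plus a per-reason breakdown of flaps and a stability verdict."""
    events = parse_log(text)
    flaps = find_flaps(events, max_gap)
    return {
        "connects": sum(is_connect(m) for _, m in events),
        "disconnects": sum(is_disconnect(m) for _, m in events),
        "flaps": len(flaps),
        "reasons": dict(Counter(f["reason"] for f in flaps)),
        "stable": session_is_stable(events),
    }


if __name__ == "__main__":
    for name, log in (("flapping", FLAPPING_LOG), ("healthy", HEALTHY_LOG)):
        print(name, summarize(log))
```

Run against the flapping sample it reports four flaps, all tagged tls-session-disconnected, and `stable: False`; against the healthy sample it reports no flaps and `stable: True`. Grouping by reason is the useful part: a TLS-tagged disconnect immediately after a successful client authentication points at the session setup (certificates, secure-communication settings, or, as the poster found, the software build) rather than at security groups or routing, which would normally stop the connect from ever being logged.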