We are trying to set up a new deployment in AWS consisting of two firewalls managed by a Panorama server.
For starters, we deployed one firewall and one Panorama instance. They are in the same VPC, different subnets. Security groups currently allow all TCP to/from the Panorama server and the firewall.
Both Panorama and the firewall have been licensed successfully and have a device certificate retrieved after generating an OTP.
They are both on version 10.0.7.
They both have the predefined certificates specified under the secure communication settings.
So....after specifying the Panorama IP on the firewall, and attempting to add the firewall to Panorama, we see it still has a status of disconnected.
Looking in the system logs on the firewall shows a bunch of entries that basically follow the pattern "connected to Panorama Server", followed immediately by "Disconnected from Panorama Server"
On the Panorama server, the pattern is "Client authentication successful PAN-OS ver: 10.0.7 Panorama ver:10.0.7 Client IP: x.x.x.x Server IP: y.y.y.y Client CN: xxxxxxxxx", followed by "added bootstrapped device xxxxxxx to candidate configuration", followed by "xxxxxx connected", followed by "Device xxxxx disconnected from the server", all in rapid succession. That last event has "tls-session-disconnected", which makes me think maybe this is cert based (?)
Does anyone know what may cause this behavior? We are brand new to palo, so thinking it may very well be a layer 8 thing, just stumped as to what.
Thanks for the help!
UPDATE: Looks like maybe this is a bug with 10.0.7. Downgraded to 10.0.6 and it's connected now.
UPDATE 2: This looks to maybe be a code bug... I downgraded both Panorama and the FW to 10.0.6 and everything started to work.
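The connect/disconnect cycle described in the post is easy to miss by eye when the events are seconds apart and repeat. Below is an added example (not from the post, and not Palo Alto Networks code) that scans system-log text for a device that reports "connected" and is then "disconnected from the server" within a short window, and pulls out the disconnect reason (such as tls-session-disconnected) so a repeated TLS-level drop stands out from a one-off or administrative disconnect. The sample lines are constructed in a simplified "timestamp message" layout modelled on the messages quoted above; real PAN-OS system logs carry more fields and a different layout, so the regular expressions are assumptions that would need adapting, and the serial numbers and IP addresses are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log text (not real PAN-OS output). It follows the sequence
# the post describes: auth success -> bootstrapped -> connected -> disconnected,
# repeating for one device, plus one unrelated, long-lived session for contrast.
SAMPLE_LOG = """\
2021-06-10 14:02:11 Client authentication successful PAN-OS ver: 10.0.7 Panorama ver:10.0.7 Client IP: 10.0.1.10 Server IP: 10.0.2.10 Client CN: 001234567890
2021-06-10 14:02:11 added bootstrapped device 001234567890 to candidate configuration
2021-06-10 14:02:12 001234567890 connected
2021-06-10 14:02:12 Device 001234567890 disconnected from the server (tls-session-disconnected)
2021-06-10 14:02:41 Client authentication successful PAN-OS ver: 10.0.7 Panorama ver:10.0.7 Client IP: 10.0.1.10 Server IP: 10.0.2.10 Client CN: 001234567890
2021-06-10 14:02:41 added bootstrapped device 001234567890 to candidate configuration
2021-06-10 14:02:42 001234567890 connected
2021-06-10 14:02:42 Device 001234567890 disconnected from the server (tls-session-disconnected)
2021-06-10 14:05:00 009876543210 connected
2021-06-10 14:30:00 Device 009876543210 disconnected from the server (admin-requested)
"""

# Assumed line layouts for the simplified sample format above.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
CONNECTED_RE = re.compile(r"^(\S+) connected$")
DISCONNECTED_RE = re.compile(r"^Device (\S+) disconnected from the server(?: \((.*)\))?$")
AUTH_RE = re.compile(r"Client authentication successful .*Client CN: (\S+)")


def parse(text):
    """Yield (timestamp, serial, event, detail) for the lines we care about."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        c = CONNECTED_RE.match(msg)
        if c:
            yield ts, c.group(1), "connected", ""
            continue
        d = DISCONNECTED_RE.match(msg)
        if d:
            yield ts, d.group(1), "disconnected", d.group(2) or ""
            continue
        a = AUTH_RE.search(msg)
        if a:
            yield ts, a.group(1), "auth_ok", ""


def find_flaps(text, window_seconds=5):
    """Return one record per connect -> disconnect pair closed within the window."""
    last_connect = {}
    flaps = []
    for ts, serial, event, detail in parse(text):
        if event == "connected":
            last_connect[serial] = ts
        elif event == "disconnected":
            start = last_connect.pop(serial, None)
            if start is not None and ts - start <= timedelta(seconds=window_seconds):
                flaps.append({
                    "serial": serial,
                    "connected_at": start,
                    "disconnected_at": ts,
                    "reason": detail,
                })
    return flaps


def summarize(text, window_seconds=5, min_cycles=2):
    """Group flaps by serial; keep devices that cycled at least min_cycles times."""
    per_device = {}
    for f in find_flaps(text, window_seconds):
        per_device.setdefault(f["serial"], []).append(f)
    return {s: fl for s, fl in per_device.items() if len(fl) >= min_cycles}


if __name__ == "__main__":
    for serial, cycles in summarize(SAMPLE_LOG).items():
        reasons = sorted({c["reason"] for c in cycles})
        print(f"{serial}: {len(cycles)} rapid connect/disconnect cycles, reasons={reasons}")
```

Run against the sample, only the first serial is reported, with every cycle carrying the tls-session-disconnected reason; the second device's 25-minute session is ignored. A consistent TLS-level reason across many cycles points at the session setup (certificates, secure communication settings, or a software defect as the poster found) rather than at network reachability, which would normally not get as far as a successful client authentication.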