Symptom The article provides brief troubleshooting steps that can be performed when the connectivity to Panorama is not working.
Environment
Panorama managed Palo Alto Firewalls.
PAN-OS 8.1 and above.
Resolution
Here are some brief steps that can be followed when Panorama is unable to connect to a managed Firewall.
Check IP connectivity between the devices (ping / traceroute)
Make sure tcp port 3978 is open and available from the device to Panorama (packet capture).
Make sure that a certificate has been generated or installed on Panorama.
Confirm the serial number configured in Panorama (case sensitive).
If a permitted IP list is configured for the management interface, make sure that Panorama IP is allowed in the list. By default, it will allow all IPs if a list is not specified.
Make sure Panorama is on a version greater than or equal to that of the managed devices. Panorama can manage devices running supported PAN-OS versions of the same or a lower release.
Check MTU settings on the managed device, as the value may need to be reduced. If a device on the path is fragmenting packets, communication from Managed Device to Panorama will not succeed. Check the MTU settings on intermediate router as well.
Verify that there is not a large time difference between the clock (Date/Time) on Panorama and the clock (Date/Time) on the managed device.