Here are some checks that should be made when Panorama is out of sync with one of many managed firewalls, or simply cannot connect to a firewall.
Check IP connectivity between the devices.
Make sure port 3978 is open and available from the device to Panorama.
Make sure that a certificate has been generated or installed on Panorama.
Confirm the serial number configured in Panorama (case sensitive).
If a permitted IP list is configured for the management interface, make sure that Panorama IP is allowed in the list. By default, it will allow all IPs if a list is not specified.
Make sure Panorama is on a version greater than or equal to that of the managed devices. Panorama can manage devices running supported PAN-OS versions of the same or a lower release.
Check MTU settings on the managed device, as the value may need to be reduced. If a device on the path is fragmenting packets, communication from Managed Device to Panorama will not succeed.
Verify that there is not a large time difference between the clock (Date/Time) on Panorama and the clock (Date/Time) on the managed device.