Managed Devices Unable to Establish Connections to Panorama after Configuring Permitted IP Addresses
Created On 09/26/18 13:48 PM - Last Modified 07/07/22 04:28 AM
- Firewalls unable to connect to Panorama after configuring "Permitted IP Addresses" (GUI: Panorama > Setup > Interfaces....)
- Existing Firewalls display as "not connected" (GUI: Panorama > Managed Devices)
- Any Panorama with Managed Firewalls.
- Supported PAN-OS.
- Permitted IP Addresses setting
- The Management Interface on Panorama was configured with Permitted IP Addresses.
- The "Permitted IP Addresses" list did not include the IP address of the firewall interface from which the firewall is configured to connect to Panorama.
GUI: Panorama > Setup > Interfaces > Management > Management Interface Settings > Permitted IP Addresses
- Go to GUI: Panorama > Setup > Interfaces > Management > Management Interface Settings.
- Under "Permitted IP Settings", add the management IP address of every managed firewall (the address from which each firewall connects to Panorama).
- Alternatively, add the network range that contains the managed firewalls' management addresses.
- Commit the configuration.
- When the "Permitted IP Addresses" list on Panorama is left blank, any managed firewall can connect to Panorama.
- As soon as one entry is configured, only the listed IP addresses (or ranges) can connect to Panorama.
- The "Permitted IP Addresses" setting on the firewall behaves the same way as it does on Panorama.
- In an HA (High Availability) configuration, the management IP addresses of both the active and the passive firewall must be added on Panorama.
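As an added example that is not part of this article, the rules above written out as a small Python check: given the committed "Permitted IP Addresses" list and the source IP each firewall uses to reach Panorama (firewall names and addresses below are constructed), it reports which firewalls the list would reject and which HA pairs have only one peer permitted.

```python
import ipaddress

# Constructed sample inputs (not from the article): the Panorama "Permitted IP
# Addresses" list as committed, and the source IP each managed firewall uses to
# reach Panorama. HA peers are listed separately because each peer connects on its own.
PERMITTED = ["10.1.1.5", "192.168.50.0/24"]
FIREWALLS = {
    "fw-branch-01": "10.1.1.5",
    "fw-dc-ha-active": "192.168.50.11",
    "fw-dc-ha-passive": "192.168.50.12",
    "fw-lab-01": "10.9.0.7",  # not covered by the list: would show "not connected"
}


def permits(permitted, source_ip):
    """Mirror the Panorama rule: an empty list allows every source; otherwise the
    source must equal a listed host address or fall inside a listed range."""
    if not permitted:
        return True
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(entry, strict=False) for entry in permitted)


def rejected_firewalls(permitted, firewalls):
    """Return the names of firewalls whose source IP the list would reject."""
    return sorted(name for name, ip in firewalls.items() if not permits(permitted, ip))


def check_ha_pairs(permitted, pairs):
    """For each HA pair (active_ip, passive_ip), return the pairs where only one
    peer is permitted; management of the other peer breaks after a failover."""
    return [p for p in pairs if permits(permitted, p[0]) != permits(permitted, p[1])]


if __name__ == "__main__":
    for name in rejected_firewalls(PERMITTED, FIREWALLS):
        print(f"{name} ({FIREWALLS[name]}) would be rejected; add its address or range")
    # A list that names only the active peer leaves the passive peer unable to connect.
    print("HA pairs with a missing peer:",
          check_ha_pairs(["192.168.50.11"], [("192.168.50.11", "192.168.50.12")]))
```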
If the issue is not resolved after correcting the configuration, take a packet capture with the tcpdump command on the Panorama CLI:
> tcpdump filter "port 3978"
Let the capture run for a while, then press Ctrl+C to stop it, and view the result:
> view-pcap mgmt-pcap mgmt.pcap
The capture shows SYN packets arriving from the firewalls on port 3978 but no SYN-ACK returned by Panorama, which is consistent with Panorama still rejecting the firewall's source IP address.
Is there a Separate Connection for Forwarding Logs to Panorama?
Troubleshooting Panorama Connectivity