Managed Firewalls contacting Panorama using its Public IP even though the Private IP is configured on the Firewalls
Created On 12/05/19 16:33 PM - Last Modified 02/04/25 04:46 AM
Symptom
After configuring a Public IP address on Panorama, some services of the managed firewalls will fail.
Environment
- Panorama 8.1 and higher.
- Public and Private Management IP address configured on Panorama.
- Private IP address is configured on the firewalls.
Cause
- After a Public IP address is configured for Panorama (GUI: Panorama > Setup > Interfaces > Management > Public IP Address), the configured IP is pushed to all managed firewalls.
- Even though the Panorama Private IP is configured on the firewalls (GUI: Device > Setup > Management > Panorama Settings), the firewalls start initiating connections to Panorama using its Public IP address for services such as log forwarding (if a local log collector is configured) and retrieving dynamic content updates.
- The firewalls always prefer the Panorama Public IP address for the services they initiate, because a Public IP is expected to be reachable from everywhere.
- The firewalls keep the management connection with Panorama on the Private IP, but the other services they initiate start using the Public IP.
Resolution
To resolve this issue, make sure the firewalls can reach the Panorama Public IP address.