Azure CNGFW not able to connect to On-Prem Panorama, with health status shown as "Not Applicable" or "Unhealthy" on the Azure portal.
Created On 01/30/24 00:14 AM - Last Modified 01/30/24 18:51 PM
Symptom
- Cloud NGFW on the Azure portal shows "Unhealthy" with health reason "Firewall cannot register to Panorama".
- No traffic is observed from the IP of the Cloud NGFW on Panorama.
- The Cloud NGFW does not show up in Panorama under Managed Devices.
Environment
On-Prem Panorama
PAN-OS 10.2.7 and above
Cloud NGFW on Azure
Azure Plugin version: 5.1.1
Cause
For Health Status showing "Not Applicable" on the Azure portal:
- The Cloud NGFW instance is still in the Initiating phase and may not be fully deployed.
For Health Status showing "Unhealthy":
- There may be a routing issue in Azure that prevents the return traffic from reaching Panorama, resulting in asymmetric routing.
Resolution
For the scenario showing health status "Unhealthy":
- Verified that port 3978 is open for Panorama connectivity.
- Made sure that the IP of the Cloud NGFW is whitelisted.
- Since On-Prem Panorama is reached via VPN, ensured that the VPN gateway connection is set up correctly and that the hub VNet has a route pointing to Panorama's private IP address.
- In the Azure portal, under Networking & NAT > Source NAT, make sure the "Use the above public ip addresses" option is checked.
- If the return traffic still does not arrive after checking the pcaps, Azure TAC must be involved to check the routing.
- In this case the customer had a UDR (User Defined Route) missing for the host route under the default routing table in Azure. The customer created UDR host routes pointing at the Azure Firewall for the Cloud NGFW DNAT IP addresses, which resolved the connectivity issue with Panorama.
- The firewall then showed up as "Healthy" and appeared under Managed Devices.
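The missing host route above is easy to miss because a default 0.0.0.0/0 route via the Azure Firewall looks sufficient, yet Azure selects routes by longest prefix, so a broader VNet-local route still wins for the DNAT IP and return traffic bypasses the firewall. The following added example (not from the original article or from Palo Alto Networks) checks, for each Cloud NGFW DNAT IP, whether the winning route actually goes to the Azure Firewall; the route data, the firewall IP 10.0.1.4 and the DNAT IPs 10.0.5.x are constructed, and the object fields are assumed to mirror Azure route objects (addressPrefix, nextHopType, nextHopIpAddress).

```python
import ipaddress
import json

# Constructed sample route table (assumption: field names mirror Azure route
# objects). The VnetLocal entry stands in for the VNet's own system route;
# 10.0.1.4 plays the Azure Firewall private IP, 10.0.5.x the CNGFW DNAT IPs.
ROUTE_TABLE_JSON = """[
  {"name": "default-via-azfw", "addressPrefix": "0.0.0.0/0",
   "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
  {"name": "vnet-system", "addressPrefix": "10.0.0.0/16",
   "nextHopType": "VnetLocal", "nextHopIpAddress": null},
  {"name": "cngfw-dnat-host", "addressPrefix": "10.0.5.10/32",
   "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"}
]"""


def load_routes(raw=ROUTE_TABLE_JSON):
    return json.loads(raw)


def best_route(routes, ip):
    """Longest-prefix match, which is how Azure picks among candidate routes."""
    target = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route["addressPrefix"], strict=False)
        if target in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def check_dnat_routes(routes, dnat_ips, firewall_ip):
    """Report, per DNAT IP, whether the winning route sends return traffic to
    the Azure Firewall. Returns {ip: (ok, reason)}."""
    report = {}
    for ip in dnat_ips:
        route = best_route(routes, ip)
        if route is None:
            report[ip] = (False, "no route matches; traffic would be dropped")
        elif (route["nextHopType"] == "VirtualAppliance"
              and route["nextHopIpAddress"] == firewall_ip):
            report[ip] = (True, f"via {route['name']} ({route['addressPrefix']})")
        else:
            report[ip] = (False, f"{route['name']} ({route['addressPrefix']}, "
                          f"{route['nextHopType']}) wins over the default route; "
                          f"add a /32 UDR for {ip} via {firewall_ip}")
    return report


if __name__ == "__main__":
    for ip, (ok, why) in check_dnat_routes(
            load_routes(), ["10.0.5.10", "10.0.5.11"], "10.0.1.4").items():
        print(f"{'OK ' if ok else 'BAD'} {ip}: {why}")
```

Running it flags 10.0.5.11 (no host route, so the /16 VnetLocal route wins) and passes 10.0.5.10, which has the /32 UDR the article describes.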
For the scenario showing health status "Not Applicable" on the Azure portal:
- This happens when the Cloud NGFW is still not fully deployed and shows as Initiating when we check with Dev.
- Remediation is to go with a fresh deployment, as the Cloud NGFWs are still not present.
Additional Information
DIT-36610