Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
How to reset secure communication between firewall and Panorama - Knowledge Base - Palo Alto Networks

How to reset secure communication between firewall and Panorama

181321
Created On 08/18/22 08:15 AM - Last Modified 10/31/24 04:00 AM


Objective


To reset secure communication between firewall and Panorama.
 


Environment


  • Firewall with PAN-OS 10.1 or above 
  • Panorama on PAN-OS 10.1 or above 
  • Authentication Key for Secure Onboarding


Procedure


The procedure is documented at Recover managed connectivity to Panorama. This article provides a quick reference.

  1. Log into Firewall CLI and run the commands below.
    1. request sc3 reset (This command is hidden, you must type the whole command . Note that you are running this only on Firewall CLI).
    2. debug software restart process management-server
  2. Log into the Panorama GUI (Panorama tab > Device Registration Auth Key > Add new) or Panorama CLI and run command below.
    1. clear device-status deviceid <firewall-sn> (This command is hidden, you must type the whole command).
    2. request authkey add devtype <fw_or_lc) count <device_count> lifetime <key_lifetime> name <key_name> serial <device_SN>
    3. request authkey list * (This will display the <key_name> created).
    4. request authkey list <key_name> (copy the key value).
  3. Log back into the Firewall CLI and run command below. The auth_key is the copied key value from step 2d. 
    1. request authkey set <auth_key>
    2. Commit to the firewall.
    3. show panorama-status will now display the status as "connected"

Note:

  • If firewalls in HA the sync will happen and both firewalls will be connected. But sometimes you have to perform the same steps on the passive also if it does not connect.
  • Please be patient it takes a while for the firewalls to show panorama as connected. 
  • Make sure Auth key has the serials of the firewalls on Panorama. If not generate a new Auth key and mention the firewall's serial numbers.
  • If still firewalls are disconnected check ms.log on the firewalls to gain more info about the issue.
  • The command request sc3 reset if run on Panorama causes all firewalls to be disconnected. This command must NOT be run on Panorama without consulting Support.


 



Additional Information


Recover Managed Device Connectivity to Panorama
Authentication Key for Secure Onboarding


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wlJpCAI&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language