Checking Firewall Health and Status from Panorama (Version 11.0)

PCNSE Objective Focus

This topic aligns with PCNSE objectives related to monitoring the status and operational health of devices managed by Panorama.

Identify methods for monitoring managed devices using Panorama.
Interpret device status indicators within the Panorama interface.
Utilize Panorama features for basic troubleshooting of managed device connectivity and configuration synchronization.

Overview: Centralized Monitoring Power

Panorama provides a centralized platform not only for configuration but also for monitoring the operational health and status of its managed firewalls and Log Collectors. Regularly checking device status from Panorama allows administrators to proactively identify potential issues, verify connectivity, ensure configuration consistency, and maintain overall network security posture.

Key aspects monitored via Panorama include:

Connectivity between Panorama and managed devices.
Configuration synchronization state.
Device resource utilization (CPU, memory, sessions).
Software and content versions.
High Availability (HA) status for firewall pairs.

Utilizing Panorama's monitoring tools is essential for efficient management of a Palo Alto Networks environment.

Managed Devices > Summary View

The primary dashboard for a quick overview of all managed devices (Firewalls and Log Collectors) is found at Panorama > Managed Devices > Summary .

This view provides critical status indicators in sortable columns:

Serial Number: The unique identifier of the device.
Device Name: The hostname of the managed firewall.
IP Address: The management IP address of the device.
Connection: Indicates if the device has an active management connection to Panorama (e.g., 'Connected', 'Disconnected', 'Connection status mismatch').
Shared Policy Status: Shows if the Device Group configuration (Policies, Objects) is synchronized ('In sync', 'Out of sync', 'Pending', 'Commit Required').
Device Config Status: Shows if the Template configuration (Network, Device settings) is synchronized ('In sync', 'Out of sync', 'Pending', 'Commit Required').
Content Version: The version of the Applications and Threats content package installed.
PAN-OS Version: The operating system version running on the device.
HA State: For firewalls configured in an HA pair, indicates the role ('active', 'passive', 'suspended', etc.) and sync status.
Uptime: How long the device has been running since its last reboot.
Managed By: Shows which Panorama instance manages the device (relevant in multi-Panorama setups).

This view is ideal for quickly identifying devices that are disconnected, out of sync, or running outdated software/content.

You can filter and sort this view based on different columns (e.g., sort by 'Connection' to bring disconnected devices to the top).

Managed Devices > Health View

For more detailed resource monitoring of individual firewalls, navigate to Panorama > Managed Devices > Health .

This section polls selected managed firewalls (you may need to enable monitoring for specific devices) and displays near real-time and historical performance metrics, including:

CPU Utilization: Monitors the load on the management plane and data plane CPUs. High sustained CPU can indicate performance bottlenecks or specific issues.
Memory Utilization: Tracks RAM usage. High usage might suggest memory leaks or resource exhaustion.
Session Count: Shows the number of active sessions being processed by the data plane. Useful for capacity planning and identifying unusual traffic spikes.
Disk Usage: Monitors the utilization of various disk partitions (e.g., root, logs).
Throughput: Network traffic throughput (may require specific configuration).

The Health view is particularly useful for:

Troubleshooting performance degradation on a specific firewall.
Establishing baseline performance metrics.
Capacity planning based on resource trends.

Data collection for the Health view needs to be enabled and configured. It relies on Panorama periodically polling the firewalls, so it reflects near real-time data but isn't instantaneous.

Key Status Indicators and Their Meanings

Understanding the status messages in the 'Connection', 'Shared Policy Status', and 'Device Config Status' columns is crucial:

Status Indicator	Column(s)	Meaning	Common Causes / Next Steps
Connected	Connection	The firewall has an active and healthy management connection to Panorama.	Normal operating state.
Disconnected	Connection	Panorama cannot establish a management connection to the firewall.	Network reachability issue (routing, firewall rules blocking mgmt traffic), device powered off, device certificate issue, Panorama service down on firewall. Investigate connectivity.
Connection status mismatch	Connection	The firewall is connected, but there might be an issue with the secure channel or component mismatch (less common).	Check certificates, PAN-OS component status, potential need to restart management server on firewall. Check system logs.
In sync	Shared Policy Status, Device Config Status	The configuration pushed from Panorama (for that scope - DG or Template) matches the running configuration on the firewall.	Normal operating state.
Out of sync	Shared Policy Status, Device Config Status	The configuration on the firewall does not match the configuration intended by Panorama for that scope.	A recent commit/push may have failed, local changes might have been made on the firewall overriding Panorama, or a push is needed. Perform a Commit & Push from Panorama for the relevant DG/Template.
Pending	Shared Policy Status, Device Config Status	Panorama has changes staged for this device/scope that have been committed locally on Panorama but not yet pushed to the firewall.	Perform a Commit & Push from Panorama, or use 'Push to Devices'.
Commit Required	Shared Policy Status, Device Config Status	Changes affecting this device/scope have been made in Panorama but not yet committed locally on Panorama.	Perform a Commit (or Commit & Push) on Panorama.
N/A	Shared Policy Status, Device Config Status	Status is not applicable, often seen for disconnected devices or devices not assigned to a DG/Template.	Check connection status and DG/Template assignment.

Panorama Dashboard Widgets

The main Panorama > Dashboard tab can be customized with various widgets that provide summarized health and status information.

Useful widgets include:

Managed Devices: Shows counts of devices by connection status (Connected, Disconnected).
Device Sync Status: Summarizes how many devices are 'In sync' or 'Out of sync'.
Content Versions: Can display counts of devices running specific content versions.
Software Versions: Can display counts of devices running specific PAN-OS versions.
High Availability: Shows the status of configured firewall HA pairs.

Configuring relevant widgets provides an immediate, high-level view of the overall health of your managed devices upon logging into Panorama.

Using Logs and Task Manager

For deeper analysis and troubleshooting specific status issues:

Task Manager: ( Panorama > Task Manager ) Shows the status (Success, Fail, Pending) of recent jobs initiated from Panorama, such as Commits, Pushes to Devices, Software/Content installs. Error messages here are crucial for diagnosing failed operations that lead to 'Out of sync' states.
System Logs:
- Check Panorama's local System logs ( Monitor > Logs > System ) for events related to device connectivity, commit operations initiated from Panorama, and Panorama's own health.
- Examine System logs forwarded from the firewalls to Panorama/Log Collectors ( Monitor > Logs > System , filter by device). Look for events related to HA failovers, management server restarts, commit operations performed locally, or specific errors reported by the firewall.

Logs provide the detailed history needed to understand *why* a device might be disconnected or out of sync.

Best Practices for Monitoring

Regular Checks: Routinely review the `Managed Devices > Summary` view to catch issues early.
Utilize Dashboard Widgets: Configure dashboard widgets for an at-a-glance overview of key status indicators.
Investigate Disconnects Promptly: Treat disconnected devices as high priority; investigate network connectivity immediately.
Address 'Out of Sync' States: Understand why a device is out of sync (failed push, local changes?) and perform a Commit & Push from Panorama to resynchronize. Avoid leaving devices out of sync.
Monitor HA Status: Pay close attention to the HA state and sync status of firewall pairs.
Establish Baselines: Use the `Managed Devices > Health` view to understand normal resource utilization for your key firewalls.
Correlate Information: Use multiple views (Summary, Health, Logs, Task Manager) to get a complete picture when troubleshooting.
Configure Alerts (External): While Panorama's native alerting is limited, consider using external NMS/SIEM tools to poll Panorama (via API/SNMP) or receive logs/traps for critical status changes (e.g., device disconnects, HA failovers).

Caveats / Gotchas / Considerations

Status Update Latency: Status information in Panorama relies on polling or device check-ins. There might be a slight delay between an event occurring on the firewall and the status updating in Panorama.
Connectivity Required for Monitoring: Panorama cannot report the status of a device it cannot reach. A 'Disconnected' status means monitoring data (including Health metrics) is unavailable.
Panorama vs. Deep Monitoring Tools: Panorama provides essential status and basic health metrics but is not a replacement for dedicated Network Performance Monitoring (NPM) or Application Performance Monitoring (APM) tools for in-depth analysis.
Troubleshooting Requires Deeper Dive: While Panorama flags issues, resolving them often requires checking connectivity tools (ping, traceroute), firewall logs directly, or Panorama system logs for detailed error messages.
'Out of Sync' Causes: Remember this can be caused by failed pushes *from* Panorama *or* by local changes made *on* the firewall.

PCNSE Exam Focus (Relevant to 11.0 Concepts)

Know the primary location for overview status: Panorama > Managed Devices > Summary .
Know the location for resource health metrics: Panorama > Managed Devices > Health .
Understand the meaning of key status indicators: Connected , Disconnected , In sync , Out of sync , Pending , Commit Required .
Recognize the importance of the Task Manager ( Panorama > Task Manager ) for diagnosing failed operations.
Understand how to check basic HA status for firewalls from Panorama.
Know that Dashboard widgets can provide summarized status information.
Be aware that System Logs (Panorama and forwarded from devices) are crucial for detailed troubleshooting.

References (Version 11.0)

These links point to the relevant sections within the official Palo Alto Networks documentation for Panorama version 11.0.

Panorama 11.0 Admin Guide: Monitor Panorama and Managed Devices (Top Level) - Main section covering monitoring.
Panorama 11.0 Admin Guide: View the Managed Devices Summary - Details the Summary view.
Panorama 11.0 Admin Guide: Monitor Device Health - Explains the Health monitoring section.
Panorama 11.0 Admin Guide: Use the Panorama Dashboard - Covers dashboard widgets and customization.
Panorama 11.0 Admin Guide: Manage Tasks - Explains the Task Manager.