Hello, good afternoon everyone, thank you very much for your time, help and support.
I have the following scenario:
1.- Panorama managing 6 firewalls
2.- Panorama version 9.1.6
3.- Firewall HA 9.1.6 (5250 - this will be used for configuration migration)
4.- Other HA 7.1.15 (5060)
5.- Firewall HA 9.1.13-h3 (5250)
6.- All the previously named devices are being reported and managed (template and device group) in Panorama

What is intended: the 5060 firewalls will be taken offline and an HA 5250 will be used instead.
The HA 5250 (with its corresponding Template and personalized Device group) is connected to Panorama with its respective MGT IP and also the HA 5060 units with their respective MGT IP (also with their corresponding Template and personalized Device group).
So what is intended is to clone the profiles (device group and templates) from the 5060 and use them to migrate the configuration to the HA 5250. After this, it is necessary to use the same MGT IPs that the 5060 have or had on the 5250.
With the details already given: after the change of IP, the PA-5060 firewalls will obviously be disconnected and eliminated from Panorama. The question is whether it will be necessary to remove and re-add the 5250 firewalls after the IP change, or will Panorama recognize the IP change and only focus on the Serial Number (SN), so that the IP change will be transparent?
Thank you very much in advance for the support, I remain tense, best regards
Firewalls make a connection TO Panorama, so for normal mgmt Panorama doesn't need to be in the access list on the firewall (firewalls do need to be in the Panorama ACL). Just as a nice-to-have, it can't hurt to add Panorama in there simply so you can, for example, ssh from the Panorama CLI into the firewall CLI (since that's not available in context switching).
Firewalls connect to the Panorama and "authenticate" themselves using their serial number. Panorama doesn't care about the source IP.