Hello community, I hope you are all very well!
I have a question regarding the following behavior.
We have approximately 10 firewalls added to Panorama. All OK: config push via Template, Device Groups, Logs.
Detail of environment:
- Panorama OK, Internet access
- 8 FWs with Internet access from their MGTs
- 2 FWs without Internet access
The issue is the following: when we run the refresh from Panorama, all refresh their licenses (based on the previous renewal) correctly except 2 firewalls.
Panorama Administrator's Guide says the following:
Update the license status of firewalls.
1. Select Panorama > Device Deployment > Licenses. Each entry on the page indicates whether the license is active or inactive and displays the expiration date for active licenses.
2. If you previously activated auth codes for the support subscription directly on the firewalls, click Refresh and select the firewalls from the list. Panorama retrieves the license, deploys it to the firewalls, and updates the licensing status on the Panorama web interface.
__________
These two firewalls have complete connectivity with Panorama, everything OK, everything correct: config, template, device, logs, etc. The difference with these two is that their MGT interfaces do not have access to the Internet. Due to regulatory issues, those FWs cannot, do not, and should not have access to the Internet of any kind. Therefore, the previous time we had to import the license manually, that is to say, download the .LIC from the CSP site of the FWs' Support account and upload it manually to the FWs. If one checks the License section on the firewalls directly after the Refresh from Panorama, the 8 FWs appear OK in the License section and the Support section, with the license renewed correctly, except these two FWs. In support nothing appears and in license I do not refresh it.
Now, reviewing the documentation, it is assumed that Panorama is the one that connects over the Internet to the licensing server and gets the information (as with all other firewalls) and then refreshes the FWs. Therefore, for these 2 FWs without Internet access but with full bidirectional access to Panorama, that should not be an impediment to the refresh, but it does not happen, and the last time it had to be done manually. The idea is that this next time it will be done through Panorama and not manually on each of the FWs.
Please let me know if this is expected behavior, or whether I should make any adjustments or review any configuration.
Thank you for your time.
I look forward to your comments, suggestions, tips, etc.
Best regards