In Computers and Technology / High School | 2025-07-08

What is the most likely cause of this issue?

Panorama by default does not allow different hypervisors in parent/child device groups, but this can be overridden with the command set device-group allow-multi-hypervisor enable.

Panorama must use the same plugin version numbers for both AWS and NSX-V environments before device group inheritance can function properly.

Panorama does not support policy inheritance across device groups containing firewalls deployed in different hypervisors when using multiple plugins.

Panorama requires the objects to be overridden in the child device group before firewalls in different hypervisors can inherit Security policies.

Asked by bmartin4830

Answer (2)

The issue described revolves around Panorama, a network security management tool created by Palo Alto Networks. This tool manages and controls multiple firewalls through a centralized interface. In this context, troubleshooting involves understanding Panorama's behaviour with device groups and hypervisors.

Device Groups and Hypervisors: Panorama organizes firewalls into device groups, allowing them to inherit security rules and policies. However, by default, it does not allow a mixture of different hypervisors (e.g., VMware, AWS) in parent/child device groups. The command set device-group allow-multi-hypervisor enable can override this restriction, allowing diverse hypervisor types within these device groups.

Plugin Version Requirement: For successful device group inheritance, Panorama needs to synchronize plugin versions across different environments, such as AWS and NSX-V. If these versions differ, it could inhibit the proper inheritance of device group configurations.

Plugin Support Limitations: When using multiple plugins, Panorama may not support policy inheritance across device groups if the groups contain firewalls deployed on different hypervisors. This limitation could be caused by architectural or compatibility issues within the software.

Object Override Necessity: In some scenarios, Panorama requires certain configurations, such as firewall objects or policies, to be overridden specifically in the child device group. This ensures that policies are appropriately applied, especially when dealing with different hypervisor environments.


To identify the most likely cause of the issue, consider the specific setup and recent changes made to the system. Each of these points relates to how Panorama handles device group configurations across mixed hypervisor environments, and incorrect configuration in any of these areas could be the root cause of the problem the question describes.

Answered by DanielJosephParker | 2025-07-21

The issue likely arises from Panorama's restrictions on mixing hypervisors in device groups and the need for consistent plugin versions. Ensuring that necessary configurations and overrides are set within the child device group is crucial. Reviewing these elements can help pinpoint the root cause of the problem.

Answered by DanielJosephParker | 2025-07-23