1. Home
    2. Security Operations
    3. Cortex Data Lake
    4. Cortex Data Lake Getting Started
    5. Monitor Cortex Data Lake
    6. Troubleshooting Firewall Connectivity

    Troubleshooting Firewall Connectivity

    If you’re having trouble connecting your firewall to Cortex Data Lake, here are some steps you can try to solve the issue.
    If your firewall is showing connectivity issues in your
    Inventory
    , try checking the license, certificate, log forwarding configuration, and ingest/query FQDN.

    License Expired

    If a firewall is disconnected, check its license status by logging into the firewall CLI and entering the following:
    request license info
    Sample output:
    Feature: Logging Service
				Description: Device Logging Service
				Expires: April 06, 2038
				Expired?: no
    If you see
    Expired?: yes
    , follow the steps below to refresh the license on the firewall or on the Panorama managing the firewall.
    Firewall
    Panorama
    For Panorama-managed firewalls, refresh the license from Panorama.
    For firewalls not managed by Panorama, manually refresh the license from Device > License in the firewall UI.
    If the license on the Panorama managing the firewall is expired, refresh the license on Panorama.
    If the above does not resolve the issue, enter the following command in the firewall CLI:
    request logging-service-forwarding status
    Sample output:
    Logging Service Licensed: Yes
Logging Service forwarding enabled: No
Duplicate logging enabled: No
Enhanced application logging enabled: No

Logging Service License Status:
Status:

Fetch:

Install:
        Status: Success
        Msg: Successfully install fetched license
        Last Fetched: 2021/12/22 11:56:34

Upgrade:



Logging Service Certificate information:
        Info: Failed
        Status: failure
        Last fetched: Mon Dec 27 15:20:44 2021



Logging Service Customer file information:
        Info: Failed to validate server certificate for endpoint api.paloaltonetworks.com
        Status: failure
        Last Fetched: 2021/12/27 15:24:24
    If your output contains similar failures, this means that you upgraded a device from PAN-OS 10.0 or earlier to PAN-OS 10.1 or later, or you installed a device certificate on your 10.1 or later device. In that case, you should restart the
    mgmtsrvr
     or restart the device. You can use the following CLI commands to restart the
    mgmtsrvr
    :
    masterd mgmtsrv stop
    masterd mgmtsrv start

    Needs Certificate

    If the Certificate Status of a firewall indicates that the firewall Needs Certificate, this means that the firewall must be onboarded to Cortex Data Lake.

    Certificate Expired

    If the Certificate Status of a firewall indicates that the certificate is Expired, then log into the firewall CLI and enter the following:
    request logging-service-forwarding status
    If the output states that the certificate has expired, then follow the steps below for manually refreshing the certificate on the firewall.
    If the output contains
    Info: Error sending CSR signing request to Panorama
    , then follow the steps for refreshing the certificate on Panorama.
    Firewall
    Panorama
    In the firewall CLI, enter
    request logging-service-forwarding certificate delete
    request logging-service-forwarding certificate fetch
    In the Panorama CLI, enter
    request plugins cloud_services logging-service status
    If the output contains
    Logging service certificate expired
    , then fetch a new certificate using the following command:
    request plugins cloud_services panorama-certificate fetch otp <xxx>
    If the command failed, check the plug-in log file with the following command:
    less mp-log plugin_cloud_services.log
    Otherwise, return to the CLI of the firewall you are troubleshooting and enter
    request logging-service-forwarding certificate fetch
    After you’ve completed the above, check the certificate status in your Cortex Data Lake
    Inventory
    .

    Connected but Logging Rate is Zero

    If the Connection Status of your firewall is Connected but the Ingestion Rate is zero, then verify that your log forwarding profiles are correctly configured.

    Failed to Fetch FQDN

    The firewall may be unable to connect because it is not successfully retrieving the ingest/query FQDN for Cortex Data Lake. To find out if this is the case, log in to the firewall CLI and enter
    request logging-service-forwarding status
    Sample output:
    Logging Service Customer file information:
				Customer ID: xxxxxxx
				EAL Ingest FQDN: xxxxx.fei.lcaas-qa.us.paloaltonetworks.com.
				Ingest FQDN: xxxxxx.in2.lcaas-qa.us.paloaltonetworks.com
				Info: Failed to fetch ingest/query FQDN for customer (curl failed)
				Query FQDN: xxxxx.api2.lcaas-qa.us.paloaltonetworks.com:444
				Status: failure
				Last Fetched: 2020/07/22 19:01:06
    If you see
    Info: Failed to fetch ingest/query FQDN for customer (curl failed)
     as in the above, then enter
    request logging-service-forwarding customer-info fetch
    to manually refresh the certificate. Then, check the Connection Status in your Cortex Data Lake
    Inventory
     to see if the firewall is now connected.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo