Troubleshooting Firewall Connectivity

If you’re having trouble connecting your firewall to Cortex Data Lake, here are some steps you can try to solve the issue. Find out what to do if one of the firewalls in your Inventory shows one of these issues:

License Expired
If a firewall is disconnected, check its license status by logging into the firewall CLI and entering the following:

    request license info

Sample output:

    Feature: Logging Service
    Description: Device Logging Service
    Expires: April 06, 2038
    Expired?: no

If you see Expired?: yes, follow the steps below to refresh the license on the firewall or on the Panorama managing the firewall.

Firewall: For Panorama-managed firewalls, refresh the license from Panorama.

Panorama: If the license on the Panorama managing the firewall is expired, refresh the license on Panorama.

If the above does not resolve the issue, enter the following command in the firewall CLI:

    request logging-service-forwarding status

Sample output:

    Logging Service Licensed: Yes
    Logging Service forwarding enabled: No
    Duplicate logging enabled: No
    Enhanced application logging enabled: No
    Logging Service License Status:
      Status:
        Fetch:
        Install:
          Status: Success
          Msg: Successfully install fetched license
          Last Fetched: 2021/12/22 11:56:34
        Upgrade:
    Logging Service Certificate information:
      Info: Failed
      Status: failure
      Last fetched: Mon Dec 27 15:20:44 2021
    Logging Service Customer file information:
      Info: Failed to validate server certificate for endpoint api.paloaltonetworks.com
      Status: failure
      Last Fetched: 2021/12/27 15:24:24

If your output contains similar failures, this means that you upgraded a device from PAN-OS 10.0 or earlier to PAN-OS 10.1 or later, or you installed a device certificate on your 10.1 or later device. In that case, you should restart the management-server or restart the device. You can use the following CLI command to restart the management-server:

    debug software restart process management-server
Needs Certificate

If the Certificate Status of a firewall indicates that the firewall Needs Certificate, this means that the firewall must be onboarded to Cortex Data Lake.
Certificate Expired

If the Certificate Status of a firewall indicates that the certificate is Expired, then log into the firewall CLI and enter the following:

    request logging-service-forwarding status

If the output states that the certificate has expired, then follow the steps below for manually refreshing the certificate on the firewall. If the output contains Info: Error sending CSR signing request to Panorama, then follow the steps for refreshing the certificate on Panorama.

Firewall: In the firewall CLI, enter

    request logging-service-forwarding certificate delete
    request logging-service-forwarding certificate fetch

Panorama: In the Panorama CLI, enter

    request plugins cloud_services logging-service status

If the output contains Logging service certificate expired, then fetch a new certificate using the following command:

    request plugins cloud_services panorama-certificate fetch otp <xxx>

If the command failed, check the plug-in log file with the following command:

    less mp-log plugin_cloud_services.log

Otherwise, return to the CLI of the firewall you are troubleshooting and enter

    request logging-service-forwarding certificate fetch

After you’ve completed the above, check the certificate status in your Cortex Data Lake Inventory.

Connected but Logging Rate is Zero
If the Connection Status of your firewall is Connected but the Ingestion Rate is zero, then verify that your log forwarding profiles are correctly configured.

Failed to Fetch FQDN
The firewall may be unable to connect because it is not successfully retrieving the ingest/query FQDN for Cortex Data Lake. To find out if this is the case, log in to the firewall CLI and enter

    request logging-service-forwarding status

Sample output:

    Logging Service Customer file information:
      Customer ID: xxxxxxx
      EAL Ingest FQDN: xxxxx.fei.lcaas-qa.us.paloaltonetworks.com.
      Ingest FQDN: xxxxxx.in2.lcaas-qa.us.paloaltonetworks.com
      Info: Failed to fetch ingest/query FQDN for customer (curl failed)
      Query FQDN: xxxxx.api2.lcaas-qa.us.paloaltonetworks.com:444
      Status: failure
      Last Fetched: 2020/07/22 19:01:06

If you see Info: Failed to fetch ingest/query FQDN for customer (curl failed) as in the output above, then enter

    request logging-service-forwarding customerinfo fetch

to manually refresh the certificate. Then, check the Connection Status in your Cortex Data Lake Inventory to see if the firewall is now connected.
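As an added example that is not part of the original page or of PAN-OS itself, the following Python script applies the failure signatures described in the sections above to captured output of request license info or request logging-service-forwarding status, so that a fleet of firewalls can be triaged without reading each output by hand. The sample outputs are constructed from the page's examples with line breaks restored; the finding identifiers and the section-parsing heuristic (an unindented line ending in a colon starts a section) are this example's own assumptions.

```python
import re

# Constructed samples, adapted from the page's example output with line breaks restored.
SAMPLE_CERT_FAILURE = """\
Logging Service Licensed: Yes
Logging Service forwarding enabled: No
Logging Service Certificate information:
  Info: Failed
  Status: failure
Logging Service Customer file information:
  Info: Failed to validate server certificate for endpoint api.paloaltonetworks.com
  Status: failure
"""
SAMPLE_FQDN_FAILURE = """\
Logging Service Licensed: Yes
Logging Service Customer file information:
  Info: Failed to fetch ingest/query FQDN for customer (curl failed)
  Status: failure
"""

# (signature regex, finding id, next step as given by the page's procedure)
RULES = [
    (r"Expired\?:\s*yes", "license_expired",
     "refresh the license on the firewall or on its managing Panorama"),
    (r"Failed to validate server certificate", "cert_validation_failed",
     "debug software restart process management-server (or restart the device)"),
    (r"Error sending CSR signing request to Panorama", "csr_to_panorama_failed",
     "refresh the certificate on Panorama, then certificate fetch on the firewall"),
    (r"[Cc]ertificate.*expired", "cert_expired",
     "request logging-service-forwarding certificate delete, then certificate fetch"),
    (r"Failed to fetch ingest/query FQDN", "fqdn_fetch_failed",
     "request logging-service-forwarding customerinfo fetch"),
]


def failing_sections(output: str) -> list:
    """Names of top-level sections (unindented lines ending in ':') reporting 'Status: failure'."""
    failing, section = [], None
    for line in output.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            section = line.rstrip(": ")
        elif re.search(r"Status:\s*failure", line) and section and section not in failing:
            failing.append(section)
    return failing


def triage(output: str) -> list:
    """Return (finding, next step) for each known failure signature in the CLI output."""
    return [(fid, step) for pat, fid, step in RULES if re.search(pat, output)]
```

Run triage() over each firewall's saved status output and failing_sections() to see which block of the output carries the failure; a healthy firewall yields empty lists from both.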