topic Re: Push to devices failed reason SSL handshake fail in Next-Generation Firewall Discussions

Push to devices failed reason SSL handshake fail

Jbergill1 — Sun, 29 Jan 2023 02:12:34 GMT

Hello Team,

recently we are unable to push config changes to devices from Panorama (version 10.1.6-h6), it fails with this error message: Panorama connectivity check failed. SSL handshake failed, reverting configuration

Any suggestion?

Regards.

Re: Push to devices failed reason SSL handshake fail

A_Astardzhiev — Sun, 29 Jan 2023 21:35:36 GMT

Hi @Jbergill1 ,

Recent Panorama OS versions have a feature which tell the firewall to check connectivity with Panorama immaterially after the config push is completed. The purpose of this check is to verify if your last commit is not causing any issues with communication between firewall and Panorama, which will makes your firewall unmanageable (and probably unreachable).

If the check is success is successful - firewall can connect to Panorama, config is considered completely installed

If the check fails - firewall cannot reach Panorama, firewall will automatically start reverting your last push.

Unfortunately the error message in the commit is very generic - it just tells you that firewall cannot establish HTTPS connection with Panorama, but the real reason could be anything, really depends on what configuration you are trying to push and what is the difference between the new and the currently running config.

In nutshell your last commit breaks the communication between firewall and Panorama. You need to figure out what and fix it, before pushing to the device.

I recently experienced something similar - modified one rule on remote firewall from using any service to application-default. PAN FW have app-id for traffic to panorama - the app is called "panorama", but it is depending on ssl (because the real traffic is https based). The problem is that this traffic use specific port, which is not default for ssl, so my rule no longer was matching. For that reason when pushing the config to FW, it immediately start blocking the traffic from FW to Panorama.

So my advise is:

- Check your traffic/unified logs and see if you have any block traffic from FW mgmt to Panorama IP.

- Review your config push? Are you changing anything related to Panorama config? Panorama IP, FW mgmt, SSL certificates

Re: Push to devices failed reason SSL handshake fail

Jbergill1 — Tue, 31 Jan 2023 11:08:34 GMT

Thanks for your answer.

Regarding your advice: there was no denied traffic between fw and panorama, and there was no configuration change to justify it. Investigating the issue, the key was the secure connection between panorama and the fw, in fact the error was seeing the traffic capture, a tls handshake issue. Enabling and configuring secure communication between fw and panorama has solved the problem.

Palo Alto support can't explain to me how it has been working before without that configuration.

Thanks and regards.

Re: Push to devices failed reason SSL handshake fail

nikoolayy1 — Tue, 31 Jan 2023 21:14:33 GMT

I still remember the issue when people upgraded their globalprotect app and firewall they saw the error ""Could not verify the server certificate of the gateway" https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004O5iCAE

This issue was caused because the newer versions had stronger security checks, so this could be the same case.

Re: Push to devices failed reason SSL handshake fail

PS007 — Sun, 16 Jul 2023 01:43:48 GMT

Followed this doc & issue was resolved : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wlJpCAI

However, this might not be scalable solution if you have to do this for large number of managed firewalls via Panorama. Expecting some better & easy resolution in future