https://live.paloaltonetworks.com/t5/general-topics/unable-to-set-ssl-tls-service-profile-with-panorama/m-p/603151#M119898 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/857727651">@C.Stuart</a></P> <P>&nbsp;</P> <P>could you try to set TLSv1.3_Firewall profile from drop down list directly in Template Stack instead of Template to see it can push to Firewall?</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Thu, 17 Oct 2024 01:21:39 GMT PavelK 2024-10-17T01:21:39Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-set-ssl-tls-service-profile-with-panorama/m-p/601829#M119734 <DIV> <DIV><SPAN>Hello,</SPAN></DIV> <BR /> <DIV><SPAN>At a bit of a dead end with a template change. Essentially, I am trying to configure the VMSeries Firewalls SSL/TLS Service Profile under:</SPAN></DIV> <BR /> <DIV><SPAN>Device &gt; Setup &gt; Management &gt; General Settings &gt; SSL/TLS Service Profile</SPAN></DIV> <BR /> <DIV><SPAN>I have configured the profile and requisite certificates in my template but when I push the changes, the SSL/TLS Service Profile is never set on the firewall. However, as part of the same template I am changing the Time Zone and this change is effective. Is there something that I am missing when deploying this?</SPAN></DIV> <BR /> <DIV><SPAN>The certificates and profile are pushed to the device as I can manually set the SSL/TLS Service Profile post Panorama Commit and Push. So, if it can be pushed and I can see it and set it manually, why isn't Panorama doing it as part of the template rollout?</SPAN></DIV> <DIV>&nbsp;</DIV> <DIV><SPAN>Any help appreciated!</SPAN></DIV> <DIV>&nbsp;</DIV> <DIV><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Panorama Template" style="width: 643px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62969iD4578E3451C07DF1/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="panorama_template.png" alt="Panorama Template" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Panorama Template</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Profile pushed and selectable on Firewall" style="width: 481px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62970i312BD3B93B9E48FC/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="fw_profile.png" alt="Profile pushed and selectable on Firewall" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Profile pushed and selectable on Firewall</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Settings post panorama push" style="width: 481px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62971i672FD5F5EB3A1783/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="fw_general_settings.png" alt="Settings post panorama push" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Settings post panorama push</span></span></SPAN></DIV> </DIV> Wed, 16 Oct 2024 13:27:31 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-set-ssl-tls-service-profile-with-panorama/m-p/601829#M119734 C.Stuart 2024-10-16T13:27:31Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-set-ssl-tls-service-profile-with-panorama/m-p/603151#M119898 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/857727651">@C.Stuart</a></P> <P>&nbsp;</P> <P>could you try to set TLSv1.3_Firewall profile from drop down list directly in Template Stack instead of Template to see it can push to Firewall?</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Thu, 17 Oct 2024 01:21:39 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-set-ssl-tls-service-profile-with-panorama/m-p/603151#M119898 PavelK 2024-10-17T01:21:39Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-set-ssl-tls-service-profile-with-panorama/m-p/603563#M119929 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/857727651">@C.Stuart</a> ,</P> <P>&nbsp;</P> <P>You may need to Force Template Values, but that is dangerous because all of the template stack configurations will override the local configuration.&nbsp; Let's put that on hold right now.</P> <P>&nbsp;</P> <P>Instead you may try to delete the command from the CLI.&nbsp; Maybe None is not the default.&nbsp; Don't commit.&nbsp; Then push from Panorama with the Edit Selections &gt; Templates &gt; Merge with Candidate Config box checked.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 17 Oct 2024 03:28:33 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-set-ssl-tls-service-profile-with-panorama/m-p/603563#M119929 TomYoung 2024-10-17T03:28:33Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-set-ssl-tls-service-profile-with-panorama/m-p/604729#M120058 <P>Hi Both,</P> <P>&nbsp;</P> <P>Thank you for your responses. It never occurred to me that you could change the settings on the stack (relatively new to Panorama). The changes appear to be reflected in the Template Stack. Regardless, I have set the values on the template stack directly and I still get the same result. Everything except the SSL/TLS Service Profile is set. Just to confirm that it is working, I have also set some additional values that were also applied to the Firewall.&nbsp;</P> <P>&nbsp;</P> <P>I've attempted to push to the Firewall with the '<SPAN>Merge with Candidate Config' set although this was checked by default anyway. Unchecking, yields the same result as well.&nbsp;</SPAN>Similarly, I have also gone as far as forcing template values and, unfortunately (somehow), this has not worked either.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Template Stack Settings" style="width: 478px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/63014i28CC780A1947A2D5/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="stack.png" alt="Template Stack Settings" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Template Stack Settings</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Firewall Settings post-commit" style="width: 480px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/63015i2D64FBD2A77C7BF3/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="firewall.png" alt="Firewall Settings post-commit" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Firewall Settings post-commit</span></span></P> <P>&nbsp;</P> <P>Kind regards,</P> <P>&nbsp;</P> <P>Carl</P> Thu, 17 Oct 2024 09:29:28 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-set-ssl-tls-service-profile-with-panorama/m-p/604729#M120058 C.Stuart 2024-10-17T09:29:28Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-set-ssl-tls-service-profile-with-panorama/m-p/606646#M120324 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/857727651">@C.Stuart</a></P> <P>&nbsp;</P> <P>thank you for reply.</P> <P>&nbsp;</P> <P>Could you please confirm PAN-OS version running on Panorama and on Firewall? I came across known issues in some versions where Panorama pushed configuration was not applied in Firewall.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel&nbsp;</P> Thu, 17 Oct 2024 22:07:37 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-set-ssl-tls-service-profile-with-panorama/m-p/606646#M120324 PavelK 2024-10-17T22:07:37Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-set-ssl-tls-service-profile-with-panorama/m-p/606851#M120440 <P>Hi Pavel,</P> <P>&nbsp;</P> <P>The Firewall is running 10.2.8-h5 and Panorama is running&nbsp;<SPAN>11.1.3.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Kind regards,</SPAN></P> <P>&nbsp;</P> <P><SPAN>Carl</SPAN></P> Fri, 18 Oct 2024 09:22:52 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-set-ssl-tls-service-profile-with-panorama/m-p/606851#M120440 C.Stuart 2024-10-18T09:22:52Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-set-ssl-tls-service-profile-with-panorama/m-p/608921#M120565 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/857727651">@C.Stuart</a></P> <P>&nbsp;</P> <P>thank you for reply.</P> <P>&nbsp;</P> <P>I can see below addressed issue in PAN-OS 11.1.4:</P> <P>&nbsp;</P> <P><STRONG>PAN-244746</STRONG><BR />Fixed an issue where changes committed on Panorama were not reflected on the firewall after a successful push.</P> <P>&nbsp;</P> <P>Also, there is another addressed issue in PAN-OS 11.1.5, however since you are able to push certificates and able to apply them through profile it might not be related:</P> <P>&nbsp;</P> <P><STRONG>PAN-251035</STRONG><BR />Fixed an issue where selective push operations did not push certificate changes to the firewall.</P> <P>&nbsp;</P> <P>If you decide to upgrade Panorama, I would recommend to go straight to 11.1.5 to avoid the upgrade issue discussed in this thread:&nbsp;<A href="https://live.paloaltonetworks.com/t5/panorama-discussions/unable-to-upgrade-panorama-to-11-1-4-h1/td-p/599188" target="_self">Unable to upgrade Panorama to 11.1.4-H1</A>.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel&nbsp;</P> Sun, 20 Oct 2024 22:23:13 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-set-ssl-tls-service-profile-with-panorama/m-p/608921#M120565 PavelK 2024-10-20T22:23:13Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-set-ssl-tls-service-profile-with-panorama/m-p/1226146#M123931 <P>&nbsp;still see this issue on&nbsp;11.1.5-h1 with f/w on&nbsp;10.2.12-h2.</P> Wed, 09 Apr 2025 21:03:45 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-set-ssl-tls-service-profile-with-panorama/m-p/1226146#M123931 CHKlomp 2025-04-09T21:03:45Z https://live.paloaltonetworks.com/t5/general-topics/unable-to-set-ssl-tls-service-profile-with-panorama/m-p/1226147#M123932 <P>Work-around is to disable TLSv1.3 on the profile.</P> Wed, 09 Apr 2025 21:45:22 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-set-ssl-tls-service-profile-with-panorama/m-p/1226147#M123932 CHKlomp 2025-04-09T21:45:22Z