So I got the mail today about the certificate which is about to expire.
I installed App protection 694-4000 on the Panorama as described.
After the reboot I no longer have communication between my 2 PA-2050 boxes and Panorama. The log is no longer updated and it shows the 2 boxes "Device State" as Disconnected.
I currently run 7.0.10 on all devices.
I also installed 694-4000 on the firewall boxes and rebooted them, but it didn't change anything. Reverting to a previous version of the app definition did not help (which seems clear, as the new certificate probably does not get rolled back).
Even a Rollback of the config on the Panorama did not help.
Does anyone have an idea what could be wrong?
Exactly the same problem after content update 694-4000 has been installed.
In my case we have 2 PA-5050 boxes, and Panorama, running on software version 7.1.5.
Is it possible that the firewalls are not trusting the renewed CA certificate on Panorama?
We have the same problem. A couple of our firewalls are connected, but we have some that are disconnected. We tried to reboot one of the disconnected firewalls, and it is still disconnected. We do have a case open with Palo Alto, but they haven't helped yet.
Did you find a fix for this? I'm concerned about trying to reboot Panorama again and losing the firewalls that are still connected.
We've found the problem. The certificate is indeed the culprit.
With assistance from Palo Alto we've deleted the pem certificates (of both the firewalls) from Panorama.
And once a new one was generated (or imported - not sure about this, and I forgot to ask) the firewalls successfully connected to Panorama again.
The thing is that you need Root access on Panorama from the CLI, which we don't have, so you will need to contact support and they will need to delete the certs.
Steps support did in order to resolve the issue:
- You have reported that after the Panorama Certificate update, few of the managed devices are shown as disconnected
- From the Panorama CLI the devices are shown as connected
- In order to restore the connectivity, we entered the root shell and deleted the certificates of the affected device
- After that, we restarted the management server process and confirmed that all devices are shown as connected