Unable to Access Web User Interface via HTTPS - Knowledge Base - Palo Alto Networks

Unable to Access Web User Interface via HTTPS

Created On 09/25/18 20:34 PM - Last Modified 03/13/25 19:52 PM


Symptom


  • An SSL-TLS profile with certificates has been configured for HTTPS authentication to the firewall.
  • After a few days of operation, HTTPS access stops working.
  • SSH is working fine.


Environment


  • Palo Alto Firewall.
  • PAN-OS 8.1 and above.
  • Management access using HTTPS
  • SSL-TLS profile configured.


Cause


The certificate is expired or there are other issues with the certificate. The web server process is not allowed to run on expired certificates as a standard security practice, which makes the GUI inaccessible.

Resolution


Option 1:

  • Delete the system SSL-TLS profile

> configure
# delete deviceconfig system ssl-tls-service-profile
# commit
# exit

Option 2:
  1. Since SSH access is possible, a new certificate can be created from the CLI.
  2. Add the certificate to the SSL-TLS profile.
  3. Use the newly configured certificate and SSL-TLS profile for HTTPS.

Example below:

> request certificate generate ca yes certificate-name <ROOT cert name> name <IP or FQDN> algorithm RSA rsa-nbits 2048 
> request certificate generate signed-by <ROOT cert name> ca yes certificate-name <INTERMEDIATE cert name> name <IP or FQDN> algorithm RSA rsa-nbits 2048
> request certificate generate signed-by <INTERMEDIATE cert name> certificate-name <FINAL cert name> name <IP or FQDN> algorithm RSA rsa-nbits 2048
> configure
# set shared ssl-tls-service-profile admin-ssl_tls-profile certificate <FINAL cert name> protocol-settings min-version tls1-2 max-version tls1-2
# set deviceconfig system ssl-tls-service-profile admin-ssl_tls-profile
# commit
# exit 

 



Additional Information


To view the configured SSL-TLS service profiles, use the show commands below in configuration mode.
FW> configure
Entering configuration mode
[edit]
FW#
FW# show deviceconfig system | match  ssl-tls-service-profile
FW# show shared ssl-tls-service-profile
FW# exit
Exiting configuration mode
FW>
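
Because the cause described above is an expired certificate, the expiry date can be checked from a monitoring host before the web interface stops responding. The script below is an added example, not part of the original article or of Palo Alto Networks tooling; it assumes OpenSSL on the monitoring host, and the function names, the host name fw.example.test and the day thresholds are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article). Assumes OpenSSL on a monitoring host.
# Function names, fw.example.test and the thresholds are hypothetical.

# fetch_cert HOST PORT OUT: save the certificate the HTTPS service presents.
# Only works while the web interface still answers, so run it on a schedule.
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3" 2>/dev/null
}

# cert_status PEM WARN_DAYS: print OK, EXPIRING, EXPIRED or UNREADABLE.
cert_status() {
    pem=$1
    warn_secs=$(( $2 * 86400 ))
    # A file that does not parse must not be reported as a healthy certificate.
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo UNREADABLE
    # -checkend N exits non-zero if the certificate expires within N seconds.
    elif ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$pem" -noout -checkend "$warn_secs" >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# make_sample_cert DAYS OUT: constructed self-signed test certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=fw.example.test" -keyout "$2.key" -out "$2" >/dev/null 2>&1
    rm -f "$2.key"
}

# Demo on a constructed 10-day certificate, not a real firewall certificate.
demo_dir=$(mktemp -d)
make_sample_cert 10 "$demo_dir/fw.pem"
echo "warn threshold 30 days: $(cert_status "$demo_dir/fw.pem" 30)"
echo "warn threshold 5 days:  $(cert_status "$demo_dir/fw.pem" 5)"
rm -rf "$demo_dir"
```

Against a live device, save the certificate with fetch_cert and alert on any cert_status result other than OK.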



 

