Access to PA-200 Web GUI is Denied.


L1 Bithead

When I open up a https://if_of_pa-200

I get an access denied message: "You don't have authorization to view this page."

I have logged into this firewall many times before but have not for several months now.

I can use PuTTY to get into the console.  I found some online solution that said this error would appear if I was out of space.

My root partition was at 95%.   I was able to get it to 93 but not any lower.  Not sure what else I can delete but that did not resolve this issue.

I started looking at the certificates and followed other instructions on generating a new SSL cert but that also did not resolve the issue.

Not sure what else I can look at to fix this issue.  

10 REPLIES

L2 Linker

What version of PAN-OS is the PA-200 running? Sounds like either the authentication or Apache processes have done an oops (probably the latter, since you can auth via CLI). You can either restart them individually:

"How to Restart the Web-related Processes" - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POIHCA4

 

Or, I'd recommend just restarting the whole management server:

"How to Restart the Management server "mgmtsrvr" Process" - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaGCAS

 

 

If that doesn't help, reboot the box.

Kiki

L1 Bithead

Sadly that did not fix the issue.  Since I can't get in to see what version I have, I believe it is 8.x.  What is odd is that the documentation shows you should see a process for web_backend, but it looks like that has been replaced with webapp, but I'm not sure.  I cannot find how to reset the certificate on the PA, since I think this is my issue.  Only one computer gives me this access denied error.  On all the others, when I try to go to the IP in the browser, I get site cannot be found.

Interesting - to clarify, did you end up rebooting the box?

 

You should be able to get into the CLI and remove the SSL/TLS Service Profile that's applied to the management interface - it'll then start using the built-in self-signed webgui certificate.

 

Since it sounds like you can get into the console, you can just run "show system info" to get the PAN-OS version and other key details.

 

Failing everything, if you can console in you can save a named config version, export it via SCP or TFTP, and factory reset the box (though there are various things you can try before then).

Kiki

Cyber Elite

Hello,

Have you tried a different browser, such as IE?

Regards,

I have.  Different computers as well. 

8.1.7.  I looked for the command to find the name of the profile but no luck.  The only other command I ran, which also did not fix it, is 'debug system ssh-key-reset management'

I believe it's a certificate issue on the PA. Since I only have console access, I'm looking for the command to renew the certificate. I would think that the PA would auto update if the date on the cert expires or at least warn me that it's expired.

Cyber Elite

@Omni918,

The firewall will warn you about expiring certificates as an informational system log 15 days prior to the expiration if you have it enabled. Being an informational warning, you'd probably want to set up log forwarding for that particular event since most people wouldn't monitor informational logs.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POWJCA4&lang=en_US%E2%80%A...

Cyber Elite

Sorry to suddenly jump into this discussion. I have enabled "Certificate Expiration Check" on all firewalls (pushed globally by Panorama), however I have never seen any log generated even though the certificate had already expired, so last year I opened a TAC case. The TAC engineer was able to reproduce the issue and escalated it to the engineering team. After approximately half a year of waiting, I got this reply:

"I have got an update from our engineering. Your reported issue was marked as an enhancement request. We will not change the current behavior as a bug. If you want to request us to change this behavior to your expectation, please contact our account team to submit a Feature Request."

 

Based on my experience, there is a chance that the Certificate Expiration Check feature might not work as expected.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
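An independent check for the expiry concern raised in the replies above, as an added example that is not part of the original thread: it inspects the certificate a management interface presents using the `openssl` CLI, so it does not rely on the firewall's own system log. The 15-day window mirrors the one quoted in the thread; the function names, the `fw-mgmt.example.invalid` subject and the sample certificate generator are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: external expiry check for a web GUI certificate.
WARN_DAYS=15   # warning window quoted in the thread

# cert_status PEM_FILE [DAYS] -> prints UNREADABLE, EXPIRED, EXPIRING or OK
cert_status() {
    pem=$1
    secs=$(( ${2:-$WARN_DAYS} * 86400 ))
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo UNREADABLE            # empty file or not a certificate
    elif ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED               # notAfter is already in the past
    elif ! openssl x509 -in "$pem" -noout -checkend "$secs" >/dev/null 2>&1; then
        echo EXPIRING              # expires inside the warning window
    else
        echo OK
    fi
}

# fetch_cert HOST PORT OUT_FILE -> save the leaf certificate the server presents.
# No trust validation is done here: a self-signed or expired cert is still saved.
fetch_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3" 2>/dev/null
}

# make_sample_cert OUT_FILE DAYS -> constructed self-signed cert for offline runs
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=fw-mgmt.example.invalid" -days "$2" -out "$1" 2>/dev/null
    rm -f "$1.key"
}

# Usage: sh check_cert.sh HOST [PORT]   (does nothing when run without arguments)
if [ "$#" -ge 1 ]; then
    tmp=$(mktemp)
    fetch_cert "$1" "${2:-443}" "$tmp"
    echo "$1: $(cert_status "$tmp")"
    rm -f "$tmp"
fi
```

Run from cron against each management address, any output other than `OK` is the cue to renew or investigate before the web GUI is affected.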

L1 Bithead

I have been fighting with this for a month now.  I'm just going to do a factory reset and start all over, and hopefully that works. I have rebooted this a dozen times, and it takes 17 min to come back up, and during that time I have no internet access.  So, I will wait for the weekend when no one needs it and try then.  I appreciate all the advice and suggestions on this issue.  Thanks again for your help.  You're awesome!
