- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
how to View Pre-Shared key in PA
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- how to View Pre-Shared key in PA
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-14-2020 03:13 PM
i'm have issues with IPSEC Tunnel which is configured by another engineer. currently facing issues with Tunnel connectivity and i need to cross verify the parameters. So can someone guide how to heck pre shared key in plain text format
@IPSec IPSec S2S VPN between Palo Alto and 3rd party Security FW Vendor -> ISAKMP Negotiation Question regarding site to site VPN
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-14-2020 08:34 PM
This isn't possible. You can't go back and get the clear text value for anything in the configuration when it comes to passwords, pre-shared keys or anything of the sort. The firewall simply stores hash or encrypted form of the value.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-14-2020 08:34 PM
This isn't possible. You can't go back and get the clear text value for anything in the configuration when it comes to passwords, pre-shared keys or anything of the sort. The firewall simply stores hash or encrypted form of the value.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-14-2020 11:28 PM
as @BPry said, but to verifiy if there is a mismatch you can use this command in CLI:
less mp-log ikemgr.log
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-15-2020 06:37 AM
@Abdul-Fattah , you will see "pre-share mismatch" only if the remote site is initiator of the tunnel negotiation and you are receiver. If you are the initiator you will only see "IKE phase1 timeout" message in the logs. This is caused by the nature of the IPsec
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-15-2020 07:22 AM - edited 09-15-2020 07:24 AM
If you see in logs as @Astardzhiev mentioned then best thing is to have new key on both ends.
Unless you can get the Pre-Shared key from other side of the connection.
Regards
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-15-2020 08:32 AM
Thanks guys for your response...what i understand is that we have very limited options in Paloalto in terms of troubleshooting Tunnel down issues.. So i can go ahead and reconfigure Pre-shared key and test again.
Appreciated Everyone for your response !! @BPry @Abdul-Fattah @MP18
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-15-2020 11:22 AM
Hey @iamvivekms ,
I cannot agree with your statement - "we have very limited options in Paloalto in terms of troubleshooting Tunnel down issues"
It is quite the opposite:
- 1. Palo Alto is not the only vendor that does not store pre-shared key in plain text. It is actually way better to do it this way rather have it in plain text just because you lack proper documentation. Having the psk in plain-text for troubleshooting is like having your password written on sticky note on your monitor in case you forgot it...
- Palo Alto firewall provides you several ways to troubleshoot IPsec tunnel. PAN is actually my favorite vendor for IPsec troubleshooting as it has excellent document and easy to use tools/commands.
- You can check here for commands that you can use for debug/troubleshooting - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC
- If you have multiple tunnels configured on your firewall it is recommended to enable tunnel debug only for specific peer - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcKCAS
- You could also be useful for you - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PORsCAO
- You need to remember that the receiver of the tunnel negotiation will log the actual reason for negotiation failure. So if you want to troubleshoot the tunnel at your end (on the Palo) you can "enable passive mode" under the IKE Gateway -> Advance options. This will force your firewall to only act as receiver and never as initiator for this peer. I believe Palo Alto TAC recommend this option only during t-shoot as it will cause traffic drop if your fw receive traffic that needs to be sent over the tunnel, but it is not established yet.
Wrong PSK is the most common mistake when configuring new tunnel so my suggest in this case is:
1. Re-Enter the psk again at your end of the tunnel.
2. Re-enter the psk at remote end of the tunnel
3. Agree on new psk
- Determining WHO Resolved An Incident In Cortex XDR in Cortex XDR Discussions
- Global Protect Portal - Azure SAML Authentication in GlobalProtect Discussions
- Analytic BIOC Rules, right click open in query builder, informational severity not available in Cortex XDR Discussions
- Http logs collector example not working in Cortex XDR Discussions
- Access to PA-200 Web GUI is Denied. in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
