Install Device Certificate for LogCollector CLI


L0 Member

Hello everyone,

I upgraded a Pan log collector to software version 9.1.11. Recently I have received the event "No valid device certificate found", so I need to generate an OTP certificate and install it. This can be done easily through the GUI. However, with a Log Collector, the Web UI is disabled and the CLI is the only way to access the device.

Can anyone guide me on how to install the OTP certificate on a Pan LC through the CLI?

Cyber Elite

Thank you for posting the question, @omarbatis.

I had the same issue and could not find any way to do it by CLI. I ended up opening a ticket with TAC. Unfortunately, the answer was that it is not possible to provision a device certificate for a log collector. Unless they come up with a new feature in future releases to do it, you will have to ignore the warning about the missing certificate.

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

L2 Linker

PAN-OS 9.1.11

Panorama appliances in Log Collector mode only - The following CLI command was added to disable "No valid device certificate found" messages in the system log:

debug skip-cert-renewal-check-syslog yes

Cyber Elite

Thank you for the post, @MajesticSteel, and great catch!

I based my reply on experience with PAN-OS earlier than 9.1.11 and did not realize this has been fixed: PAN-157089. However, I tried to issue this on an M-500 as well as an M-600 running 9.1.12-h3, but this command is not available. I have opened a TAC case again, but there has been no update for 3 days. Did you manage to resolve this issue?

Kind Regards

Pavel


I did not have the issue. I just happened to notice the post and a possible fix, so I shared it.

Cyber Elite

Sorry for not getting back to you earlier. Yesterday, after approximately 3 months, I got a reply from TAC. This debug command is not available for log collectors, but it will be added in a future release. The timeline for this is not defined yet. For now, there is no way to suppress this system log, and they will update it as a known issue.

Kind Regards

Pavel
