11-19-2025 03:20 AM
HI all, I am encountering an issue with the Palo Alto Networks VM-Series firewall (VM-SERIES-2, VM Mode) running on Amazon AWS with software version 11.1.10-h5. The error message is:
Request made to the server "license.api.paloaltonetworks.com" returned with HTTP response code : 404.
The device certificate is valid and correctly retrieved from the server. The license status shows "Never expired," and the API key certificate has been generated properly. Despite this, the license API call returns the 404 error.
Has anyone experienced this? How can this be resolved?
11-19-2025 04:15 AM
Hi @MarcinKrasz ,
I have seen this behavior before when there was a License and Serial Number Mismatch.
The HTTP 404 from the licensing server occured because the Firewall GUI Serial Number 'xyz' didn't match the Registered Serial Number (abc) that holds your active subscription entitlements.
In my experience, this scenario typically arises when:
A VM-Series firewall is provisioned using a license token that was already consumed or incorrectly mapped.
A VM image was cloned or redeployed without properly clearing the previous license configuration, leading to the device adopting an unrecognized serial number.
Since the licensing server cannot find any active entitlement associated with the serial number the VM is presenting, it returns "404 Not Found."
If you are hitting this issue, it cannot be fixed via configuration on the firewall itself. The entitlements must be re-mapped on the backend.
Please contact support. You will need to provide them with the following information to facilitate the backend fix:
The Correct/Registered Serial Number
The Incorrect/GUI Serial Number
TAC will be able to disassociate the subscriptions from the incorrect serial number and re-map them to the correct one. Once they confirm the fix, a simple request license fetch command on the firewall will resolve the 404 error, and the GUI serial number should update.
If you're hitting a different issue then try restarting the management server using the command debug software restart process management-server
Also confirm the follwoing:
Please verify that the firewall can resolve the DNS name license.api.paloaltonetworks.com.
Verify that the firewall is not blocking traffic to license.api.paloaltonetworks.com.
Verify that the firewall has the correct time and date
Kind regards,
-Kim.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
