04-04-2023 11:45 AM
My PA-440 will not retrieve license keys from the license server. I made sure the server addy and DNS were set correctly. I am not using the ZTP WAN port currently, while I have it in our lab. I have 1/3 set up as outside facing to ISP and 1/4 set up as local LAN that I can access the internet on successfully. I have tried under License Management to retrieve license keys from server, activate auth codes and manually upload key. Manually it said wrong file format; I downloaded the key files from my portal. Retrieve and activate fetch failed. This is my first rodeo, never set up a 440 before, so any help would be greatly appreciated.
Thank you all!
04-04-2023 02:35 PM
By default, the PAN will use the management interface to attempt to grab the licenses, so the management interface should be plugged in to a switch or port on the PAN. Alternatively, you can change the 'Service Route' to utilize a different interface. The 'use default' is the management interface. Also check to see if you have an NTP server set up. Then check the logs to see why/if the traffic is getting blocked.
04-05-2023 05:19 AM
Thank you for your quick response. Some background: this firewall is being set up in a lab environment in order to prove out IPsec tunnels to an ASA5512X firewall. On the initial config the ZTP is disabled, and I have my ISP WAN connection to the firewall on port 1/3 with a static of 126.96.36.199. I configured port 1/4 w/static IP 10.199.100.1 and I created a management profile called "TEST" and added it to the ethernet interface 1/4, so now I can manage and get out to internet from 1/4 on laptop with static of 10.199.100.5. Nothing currently plugged into Management port on PAN. I checked my NTP server setup and it looked OK. I tried to add a service route as you suggested but it made no difference after the commit. Even if I plug in my ISP with static IP to management port on PAN I cannot reach the license servers for Palo. The Management port has IP address of 10.99.1.2 and gateway of 10.99.1.1. Here are some pics to show current config. Any suggestions on why it will not reach out to Palo servers would be greatly appreciated.
04-06-2023 01:57 PM
I would not advise to hook the ISP into the management port, but understand the process. I would connect your ISP like you have it into port 1/3 then change the 'service routes' to use interface 1/3. Create security policies to allow the 1/3 interface/zone to go out to the internet and browse. Make sure you have logging enabled at session end on all security policies.