Panorama shows FW as disconnected after App and Threats Update

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Panorama shows FW as disconnected after App and Threats Update

L2 Linker

So I got the mail today about the certificate which is about to expire.

I installed App protection 694-4000 on the Panorama as described .

After the reboot I no longer have communication between my 2 PA-2050 boxes and Panorama. The log is no longer updated and it shows the 2 boxes "Device State" as Disconnected.

 

I currently run 7.0.10 on all devices.

 

I also installed 694-4000 on the firewall boxes and rebooted them, but it didn't change anything. Reverting to a previous versioun of app definition did not help (which seems clear as the new certificate gets probably not rolled back)

 

Even a Rollback of the config on the Panorama did not help.

 

Anyone has an idea what could be wrong?

2 accepted solutions

Accepted Solutions

We've found the problem. The certificate is indeed the culprit.

 

With assistance from Palo Alto we've deleted the pem certiticates (of both the firewalls) from Panorama.

And once a new one was generated (or imported - not sure about this, and i forgot to ask) the firewalls succesfully connected to Panorama again.

 

The thing is that you need Root access on Panorama from the CLI, which we don't have, so you will need to contact support and they will need to delete the certs.

 

Regards

View solution in original post

L2 Linker

I installed App protection 702-4044 today, rebooted panorama and restarted the management process on the firewalls as described in the Paloalto newsletter I got today.

 

This also solved the problem

View solution in original post

5 REPLIES 5

L0 Member

Exactly the same problem after content update 694-4000 has been installed

In my case we have 2 PA-5050 boxes, and Panorama, running on software version 7.1.5

 

Is it possible that the firewalls are not trusting the renewed CA certificate on Panorama?

L1 Bithead

We have the same problem.  A couple of our firewalls are connected, but we have some that are disconnected.  We tried to reboot one of the disconnected firewalls, and it is still disconnected.  We do have a case open with Palo Alto, but they haven't helped yet.

 

Did you find a fix for this?  I'm concerned about trying to reboot Panorma again and lose the firewalls that are stil connected.

We've found the problem. The certificate is indeed the culprit.

 

With assistance from Palo Alto we've deleted the pem certiticates (of both the firewalls) from Panorama.

And once a new one was generated (or imported - not sure about this, and i forgot to ask) the firewalls succesfully connected to Panorama again.

 

The thing is that you need Root access on Panorama from the CLI, which we don't have, so you will need to contact support and they will need to delete the certs.

 

Regards

Steps support did in order to resolve the issue:

 

- You have reported that after the Panorama Certificate update, few of the managed devices are shown as disconnected
- From the Panorama CLI the devices are shown as connected
- In order to restore the connectivity, we entered the root shell and deleted the certificates of the affected device
- After that, we restarted the management server process and confirmed that all devices are shown as connected

L2 Linker

I installed App protection 702-4044 today, rebooted panorama and restarted the management process on the firewalls as described in the Paloalto newsletter I got today.

 

This also solved the problem

  • 2 accepted solutions
  • 6700 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!