
unable to access Palo Alto Web GUI.


L1 Bithead

Hello,

 

After a recent update from 8.1.20 to 9.0.0, we are not able to access the Palo Alto web GUI (hmmm.. can't reach this page)

But we are able to ssh to the device though. We are updating the firmware to the latest version but now need to figure out how to bring up the web gui. 

our device model is pa 3020

any thoughts?

 

Thank you.

 

 

11 REPLIES

Cyber Elite

Hi @SIIX_Support ,

 

Most likely it is an issue with the certificate. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cli0CAC. During the configuration conversion from 8.1 to 9.0, the cert or SSL/TLS profile got corrupted.

 

Changing the certificate configuration and committing should automatically restart the management plane. If it is not a cert issue, maybe the management plane needs to be bounced. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaGCAS

 

Please let us know if these steps fix the issue.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Cyber Elite

Hello,

Also try to connect with a different browser. Saved cookies and temp files could be preventing the page from rendering.

Regards,

L1 Bithead

Hello,

 

Sorry for the late response. We tried the suggested approach, but we are still unable to log in via the GUI.

We suspect the issue occurs when we upgrade the firmware from 8.1.20 to 9.0.0.

We also just noticed that even calling the software download or dynamic updates via CLI is not functioning.

Any other approach we can try?

Can we revert back to 8.1.20? Will there be a risk if we go down this path?

Take note that we can only access the PA firewall via the site-to-site tunnel.

 

for your advice.

Thanks

Cyber Elite

Hi @SIIX_Support ,

 

So you can access the GUI from the VPN tunnel?  Then check your Monitor > Logs > Unified.  Filter on destination IP address = NGFW management interface.  See if the traffic is blocked by rule, threat, etc.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
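
An added example, not part of the original replies and not Palo Alto Networks code: a client-side probe that shows how far an HTTPS connection to the management interface gets, so the suggestions made so far in this thread (blocked traffic or a stuck management plane, a broken certificate or SSL/TLS profile, a browser-side problem) can be told apart. The function name `probe_mgmt_https` and the hint strings are assumptions of this example; run it from a host that normally reaches the management IP.

```python
import hashlib
import socket
import ssl
import sys

# Each outcome is mapped to the suggestion in this thread that it supports.
HINTS = {
    "no_tcp": "port not answering: look for a blocking rule in the path, "
              "or restart the management plane",
    "tls_failed": "listener is up but TLS fails: check the certificate and "
                  "SSL/TLS profile used for management",
    "tls_ok": "TLS works: suspect the browser (cookies, temp files)",
}


def probe_mgmt_https(host, port=443, timeout=5.0):
    """Report how far an HTTPS connection to the management interface gets."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"stage": "no_tcp", "detail": str(exc), "hint": HINTS["no_tcp"]}

    # Diagnostic probe only: the certificate is not validated, because the
    # management certificate is often self-signed and may itself be the fault.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            fp = hashlib.sha256(der).hexdigest() if der else "no certificate"
            detail = "%s, cert sha256 %s" % (tls.version(), fp)
            return {"stage": "tls_ok", "detail": detail, "hint": HINTS["tls_ok"]}
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return {"stage": "tls_failed", "detail": str(exc), "hint": HINTS["tls_failed"]}
    finally:
        raw.close()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py <management-ip>")
    print(probe_mgmt_https(sys.argv[1]))
```

A `tls_failed` result can also mean the client and the firewall share no TLS version, which again points at the SSL/TLS profile rather than at the network path.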

Cyber Elite

@SIIX_Support,

In addition to what @TomYoung already mentioned, have you verified that any service routes you have configured on the device were carried over if you're not able to download updates? Also take note that 9.0.0 itself had plenty of issues present, including several that directly addressed GUI issues specifically and an early bug in that code branch that had various issues with appweb that caused the interface to stop responding completely. I might try upgrading the device to 9.0.17 before attempting to downgrade to 8.1 again. 

Hi Tom,

 

No, we cannot access the GUI; we can only access the remote firewall via SSH.

We already performed the certificate approach (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cli0CAC) to no avail.

 

@SIIX_Support 

 

Please open the TAC case.

 

Regards

Mahesh

MP

Help the community: Like helpful comments and mark solutions.

Have you checked the hard disk if it is full as this can cause such issues?

 

https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-troubleshooting-and-investigat...

 

 

Also as suggested try to return to the old version and then upgrade to latest 9.0.x version.

Hi ,

 

This disk still has enough space.

Relating to reverting to the previous working PAN-OS software, we found this link as the procedural approach:

How to Revert PAN-OS to the last installed software using CLI. - Knowledge Base - Palo Alto Networks

 

Our question is: if we are coming from ver 9.0 and reverting back to ver 8.1.20, what things do we need to consider, since it will be reverting back from a major software version?

 

Thanks for the advice.

 

L1 Bithead

For some reason also, we noticed that after moving to ver 9.0, we couldn't download any dynamic update:

"Failed to check upgrade info due to generic communication error. Please check network connectivity and try again"

 

Any idea why this occurs?

 

Thanks

@SIIX_Support 

Do you have DNS configured on the PA?

Make sure the firewall can ping and resolve an FQDN, like:

 

ping host www.google.com

 

 

 

Regards 

MP

Help the community: Like helpful comments and mark solutions.