
Unable to set SSL/TLS Service Profile with Panorama


L1 Bithead
Hello,

At a bit of a dead end with a template change. Essentially, I am trying to configure the VMSeries Firewalls SSL/TLS Service Profile under:

Device > Setup > Management > General Settings > SSL/TLS Service Profile

I have configured the profile and requisite certificates in my template but when I push the changes, the SSL/TLS Service Profile is never set on the firewall. However, as part of the same template I am changing the Time Zone and this change is effective. Is there something that I am missing when deploying this?

The certificates and profile are pushed to the device as I can manually set the SSL/TLS Service Profile post Panorama Commit and Push. So, if it can be pushed and I can see it and set it manually, why isn't Panorama doing it as part of the template rollout?
 
Any help appreciated!
 
[Screenshots: Panorama Template; Profile pushed and selectable on Firewall; Settings post panorama push]
6 REPLIES 6

Cyber Elite

Hello @C.Stuart

 

Could you try to set the TLSv1.3_Firewall profile from the drop-down list directly in the Template Stack instead of the Template to see if it can push to the Firewall?

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Cyber Elite

Hi @C.Stuart ,

 

You may need to Force Template Values, but that is dangerous because all of the template stack configurations will override the local configuration.  Let's put that on hold right now.

 

Instead you may try to delete the command from the CLI.  Maybe None is not the default.  Don't commit.  Then push from Panorama with the Edit Selections > Templates > Merge with Candidate Config box checked.

 

Thanks,

 

Tom


L1 Bithead

Hi Both,

 

Thank you for your responses. It never occurred to me that you could change the settings on the stack (relatively new to Panorama). The changes appear to be reflected in the Template Stack. Regardless, I have set the values on the template stack directly and I still get the same result. Everything except the SSL/TLS Service Profile is set. Just to confirm that it is working, I have also set some additional values that were also applied to the Firewall. 

 

I've attempted to push to the Firewall with the 'Merge with Candidate Config' set, although this was checked by default anyway. Unchecking yields the same result as well. Similarly, I have also gone as far as forcing template values and, unfortunately (somehow), this has not worked either.

 

[Screenshots: Template Stack Settings; Firewall Settings post-commit]

 

Kind regards,

 

Carl

Cyber Elite

Hello @C.Stuart

 

Thank you for the reply.

 

Could you please confirm the PAN-OS version running on Panorama and on the Firewall? I came across known issues in some versions where Panorama-pushed configuration was not applied on the Firewall.

 

Kind Regards

Pavel 


L1 Bithead

Hi Pavel,

 

The Firewall is running 10.2.8-h5 and Panorama is running 11.1.3. 

 

Kind regards,

 

Carl

Cyber Elite

Hello @C.Stuart

 

Thank you for the reply.

 

I can see the addressed issue below in PAN-OS 11.1.4:

 

PAN-244746
Fixed an issue where changes committed on Panorama were not reflected on the firewall after a successful push.

 

Also, there is another addressed issue in PAN-OS 11.1.5; however, since you are able to push certificates and apply them through the profile, it might not be related:

 

PAN-251035
Fixed an issue where selective push operations did not push certificate changes to the firewall.

 

If you decide to upgrade Panorama, I would recommend going straight to 11.1.5 to avoid the upgrade issue discussed in this thread: Unable to upgrade Panorama to 11.1.4-H1.

 

Kind Regards

Pavel 
