Wildfire Events "failed to establish or resume a secure session"


L2 Linker

Hello

 

I have an active-passive PA-820 cluster, version 10.0.7.

 

I am receiving the following system events continuously:

 

Alpalo_0-1631721155628.png

 

I have configured eu.wildfire.paloaltonetworks.com and wildfire.paloaltonetworks.com but the problem persists.

 

Alpalo_1-1631721179895.png

 

Can someone help me?

 

Thanks so much

 

18 REPLIES

L4 Transporter

Are you decrypting outbound sessions? You will likely want to add a few domains to a decryption exclusion:

 

updates.paloaltonetworks.com/
proditpdownloads.paloaltonetworks.com/
staticupdates.paloaltonetworks.com/
*.urlcloud.paloaltonetworks.com
database.brightcloud.com
service.brightcloud.com
c733.r33.cf1.rackcdn.com
staticupdates.paloaltonetworks.com
wildfire.paloaltonetworks.com
*.wildfire.paloaltonetworks.com

Help the community! Add tags & mark solutions please.

Hello Slick

 

Thanks for your answer, but I don't understand.

 

Could you explain to us where and how we can change it?

 

Regards

I have configured this: *.wildfire.paloaltonetworks.com

 

Alpalo_0-1631780072207.png

 

but I have not configured SSL Decrypt.

L4 Transporter

Hi @Alpalo, thank you for the information.

 

Would it be possible to check the output of "show wildfire status" to see more details? Here is a link for further troubleshooting tips: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oMCYCA2&lang=en_US%E2%80%A...

 

Kind Regards

Pavel

Pavel Kucera

Hello Pavel

 

Thanks for your answer. The problem is the WildFire license:

 

show wildfire status

Connection info:
Signature verification: enable
Server selection: enable
File cache: enable

WildFire Public Cloud:
Server address: eu.wildfire.paloaltonetworks.com
Best server:
Device registered: no
Through a proxy: no
Valid wildfire license: no
Service route IP address: 
Global status: SSL/TLS handshake failure
Count of available workers: 20
Available worker indices: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
Upload status Usage: 'I': Idle, 'U': Uploading, 'Q': Querying
Upload worker index: 0 1 2 3 4 5 6 7 8 9
Upload status: I I I I I I I I I I
Status time (seconds): 24 24 24 24 24 24 24 24 24 24
Upload worker index: 10 11 12 13 14 15 16 17 18 19
Upload status: I I I I I I I I I I
Status time (seconds): 24 24 24 24 24 24 24 24 24 24

WildFire Private Cloud:
Server address:
Best server:
Device registered: no
Through a proxy: no
Valid wildfire license: no
Service route IP address:
Global status: Disabled due to configuration
Count of available workers: 0
Available worker indices:
Upload status Usage: 'I': Idle, 'U': Uploading, 'Q': Querying
Upload worker index: 0 1 2 3 4 5 6 7 8 9
Upload status: Idle Idle Idle Idle Idle Idle Idle Idle Idle Idle
Status time (seconds): 999+ 999+ 999+ 999+ 999+ 999+ 999+ 999+ 999+ 999+
Upload worker index: 10 11 12 13 14 15 16 17 18 19
Upload status: Idle Idle Idle Idle Idle Idle Idle Idle Idle Idle
Status time (seconds): 999+ 999+ 999+ 999+ 999+ 999+ 999+ 999+ 999+ 999+

File size limit info:
pe 16 MB
apk 10 MB
pdf 3072 KB
ms-office 16384 KB
jar 5 MB
flash 5 MB
MacOSX 10 MB
archive 50 MB
linux 50 MB
script 20 KB

Forwarding info:
file idle time out (second): 90
total bytes of concurrent files: 0
Public Cloud:
total file fwded : 0
total file failed: 0
total session info. upload failed: 0
total file skipped: 0
total cloud queries: 0
total cloud queries failed: 0
file forwarded in last minute: 0
bytes of concurrent files: 0
Private Cloud:
total file fwded : 0
total file failed: 0
total session info. upload failed: 0
total file skipped: 0
total cloud queries: 0
total cloud queries failed: 0
file forwarded in last minute: 0
bytes of concurrent files: 0



But... do you know how I can remove the messages from the system?

 

Alpalo_0-1631799020727.png

 

 

thanks for your help 🙂
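
A way to pull the fields this thread turned on out of "show wildfire status" output, as an added example that is not part of the original posts. The sample text is constructed from the output format shown above, and the function names and the choice of which fields to flag are assumptions of this example:

```python
import re

# Constructed sample, trimmed to the fields of interest from the thread's output.
SAMPLE = """\
WildFire Public Cloud:
Server address: eu.wildfire.paloaltonetworks.com
Device registered: no
Valid wildfire license: no
Global status: SSL/TLS handshake failure

WildFire Private Cloud:
Server address:
Device registered: no
Valid wildfire license: no
Global status: Disabled due to configuration
"""

SECTION = re.compile(r"^(WildFire (?:Public|Private) Cloud):\s*$")
FIELD = re.compile(r"^([^:]+):\s*(.*)$")

def parse_status(text):
    """Return {section name: {field: value}} for the two cloud sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif not line:
            current = None  # a blank line ends the current section
        elif current is not None and (f := FIELD.match(line)):
            current[f.group(1).strip()] = f.group(2).strip()
    return sections

def findings(sections):
    """List license, registration and handshake problems per enabled cloud."""
    out = []
    for name, fields in sections.items():
        status = fields.get("Global status", "")
        if status == "Disabled due to configuration":
            continue  # cloud not configured, nothing to check
        if fields.get("Valid wildfire license") == "no":
            out.append(f"{name}: no valid WildFire license")
        if fields.get("Device registered") == "no":
            out.append(f"{name}: device not registered")
        if "handshake failure" in status.lower():
            out.append(f"{name}: {status}")
    return out
```

Running `findings(parse_status(output))` on saved CLI output from each cluster member shows at a glance whether the handshake error appears alongside a missing license or registration.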

 

Hello,

 

Thanks for your answer. The problem is that I do not have a license for it:

 

show wildfire status

Connection info:
Signature verification: enable
Server selection: enable
File cache: enable

WildFire Public Cloud:
Server address: eu.wildfire.paloaltonetworks.com
Best server:
Device registered: no
Through a proxy: no
Valid wildfire license: no

 

But... do you know how I can remove the messages from the system?

 

Alpalo_0-1631799287728.png

 

Hi @Alpalo ,

 

I believe this is what you are looking for -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClyXCAS.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

I am still having the problem...

 

delete deviceconfig system update-schedule wildfire

 

Object doesn't exist

 

Any other suggestions?

 

Regards

Hi @Alpalo ,

 

That's strange. Do you have a valid Threat Prevention license? What licenses are active under Device > Licenses? If you have a Threat Prevention license, you should still be able to get WildFire signature updates every 24-48 hours. The object should not be completely gone.

 

What do you see under Device > Dynamic Updates? Is there an update schedule for WildFire? The CLI command refers to that section.

 

If you don't have a Threat license, try the CLI command "delete deviceconfig system update-schedule" without the wildfire parameter. That should delete all dynamic update schedules. You can then add the licensed ones back.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.