Wildfire Events "failed to establish or resume a secure session"


Hello

 

I have an active-passive PA-820 cluster running version 10.0.7.

 

I am continuously receiving the following system events:

 

[screenshot: Alpalo_0-1631721155628.png]

 

I have configured eu.wildfire.paloaltonetworks.com and wildfire.paloaltonetworks.com but the problem persists.

 

[screenshot: Alpalo_1-1631721179895.png]

 

Can someone help me?

 

Thanks so much

 


Are you decrypting outbound sessions? You will likely want to add a few domains to a decryption exclusion:

 

updates.paloaltonetworks.com/
proditpdownloads.paloaltonetworks.com/
staticupdates.paloaltonetworks.com/
*.urlcloud.paloaltonetworks.com
database.brightcloud.com
service.brightcloud.com
c733.r33.cf1.rackcdn.com
staticupdates.paloaltonetworks.com
wildfire.paloaltonetworks.com
*.wildfire.paloaltonetworks.com


Hello Slick

 

Thanks for your answer, but I don't understand.

 

Could you explain to us where and how we can change it?

 

Regards

I have configured this: *.wildfire.paloaltonetworks.com

 

[screenshot: Alpalo_0-1631780072207.png]

 

but I don't have SSL decryption configured.


Hi @Alpalo, thank you for the information.

 

Would it be possible to check the output of "show wildfire status" to see more details? Here is a link with further troubleshooting tips: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oMCYCA2&lang=en_US%E2%80%A...

 

Kind Regards

Pavel


Hello Pavel

 

Thanks for your answer. The problem is the WildFire license:

 

show wildfire status

Connection info:
Signature verification: enable
Server selection: enable
File cache: enable

WildFire Public Cloud:
Server address: eu.wildfire.paloaltonetworks.com
Best server:
Device registered: no
Through a proxy: no
Valid wildfire license: no
Service route IP address: 
Global status: SSL/TLS handshake failure
Count of available workers: 20
Available worker indices: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
Upload status Usage: 'I': Idle, 'U': Uploading, 'Q': Querying
Upload worker index: 0 1 2 3 4 5 6 7 8 9
Upload status: I I I I I I I I I I
Status time (seconds): 24 24 24 24 24 24 24 24 24 24
Upload worker index: 10 11 12 13 14 15 16 17 18 19
Upload status: I I I I I I I I I I
Status time (seconds): 24 24 24 24 24 24 24 24 24 24

WildFire Private Cloud:
Server address:
Best server:
Device registered: no
Through a proxy: no
Valid wildfire license: no
Service route IP address:
Global status: Disabled due to configuration
Count of available workers: 0
Available worker indices:
Upload status Usage: 'I': Idle, 'U': Uploading, 'Q': Querying
Upload worker index: 0 1 2 3 4 5 6 7 8 9
Upload status: Idle Idle Idle Idle Idle Idle Idle Idle Idle Idle
Status time (seconds): 999+ 999+ 999+ 999+ 999+ 999+ 999+ 999+ 999+ 999+
Upload worker index: 10 11 12 13 14 15 16 17 18 19
Upload status: Idle Idle Idle Idle Idle Idle Idle Idle Idle Idle
Status time (seconds): 999+ 999+ 999+ 999+ 999+ 999+ 999+ 999+ 999+ 999+

File size limit info:
pe 16 MB
apk 10 MB
pdf 3072 KB
ms-office 16384 KB
jar 5 MB
flash 5 MB
MacOSX 10 MB
archive 50 MB
linux 50 MB
script 20 KB

Forwarding info:
file idle time out (second): 90
total bytes of concurrent files: 0
Public Cloud:
total file fwded : 0
total file failed: 0
total session info. upload failed: 0
total file skipped: 0
total cloud queries: 0
total cloud queries failed: 0
file forwarded in last minute: 0
bytes of concurrent files: 0
Private Cloud:
total file fwded : 0
total file failed: 0
total session info. upload failed: 0
total file skipped: 0
total cloud queries: 0
total cloud queries failed: 0
file forwarded in last minute: 0
bytes of concurrent files: 0



But... do you know how I can remove the messages from the system?

 

[screenshot: Alpalo_0-1631799020727.png]

 

 

thanks for your help 🙂
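As an added example (not from this thread and not Palo Alto Networks code), the following Python script parses the "show wildfire status" output quoted above and turns the public-cloud fields into findings, so the same check can be run over saved CLI output from several firewalls instead of reading it by eye. The sample text is constructed from the output above; the diagnosis rules and the values used for the "healthy" variant are assumptions.

```python
from __future__ import annotations

import re

# Constructed sample: the "show wildfire status" output quoted above, with the
# per-worker and forwarding counters trimmed. Field names are copied verbatim.
SAMPLE_STATUS = """\
Connection info:
Signature verification: enable
Server selection: enable
File cache: enable

WildFire Public Cloud:
Server address: eu.wildfire.paloaltonetworks.com
Best server:
Device registered: no
Through a proxy: no
Valid wildfire license: no
Service route IP address:
Global status: SSL/TLS handshake failure
Count of available workers: 20

WildFire Private Cloud:
Server address:
Best server:
Device registered: no
Through a proxy: no
Valid wildfire license: no
Service route IP address:
Global status: Disabled due to configuration
Count of available workers: 0
"""

# Constructed "healthy" variant for comparison. Assumption: a licensed and
# registered firewall reports "yes" for both fields and an idle global status.
# The public-cloud block comes first, so count=1 leaves the private block alone.
HEALTHY_STATUS = (
    SAMPLE_STATUS.replace("Device registered: no", "Device registered: yes", 1)
    .replace("Valid wildfire license: no", "Valid wildfire license: yes", 1)
    .replace("Global status: SSL/TLS handshake failure", "Global status: Idle")
)

# A line with no value whose name ends in "info" or "Cloud" starts a new block;
# every other "key: value" line (including empty values such as "Best server:")
# belongs to the block above it.
_HEADER = re.compile(r"(?:info|Cloud)$", re.IGNORECASE)


def parse_wildfire_status(text: str) -> dict[str, dict[str, str]]:
    """Turn the CLI output into {block: {field: value}}; empty values stay ''."""
    blocks: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue  # blank lines and colon-less tables such as "pe 16 MB"
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value == "" and _HEADER.search(key):
            current = blocks.setdefault(key, {})
        elif current is not None:
            current[key] = value
    return blocks


def diagnose(status: dict[str, dict[str, str]]) -> list[tuple[str, str]]:
    """Map the public-cloud fields to (code, explanation) findings.

    Assumed rules, drawn from the thread: while the firewall has no valid
    WildFire license and is not registered, the TLS session to the cloud cannot
    complete, so the recurring "failed to establish or resume a secure session"
    events are expected until a license is added or the WildFire schedule goes.
    """
    pub = status.get("WildFire Public Cloud", {})
    server = pub.get("Server address") or "<no server configured>"
    gstatus = pub.get("Global status", "")
    findings: list[tuple[str, str]] = []
    if pub.get("Valid wildfire license", "").lower() != "yes":
        findings.append(("NO_LICENSE", "no valid WildFire license on this firewall"))
    if pub.get("Device registered", "").lower() != "yes":
        findings.append(("NOT_REGISTERED", f"firewall is not registered with {server}"))
    if "handshake" in gstatus.lower():
        hint = ("if outbound decryption is on, exclude *.wildfire.paloaltonetworks.com; "
                "also confirm TCP/443 to the server is reachable via the service route")
        findings.append(("TLS_HANDSHAKE_FAILURE", f"Global status '{gstatus}' toward {server}; {hint}"))
    if pub.get("Through a proxy", "").lower() == "yes":
        findings.append(("VIA_PROXY", "sessions traverse a proxy; it must pass TLS through untouched"))
    return findings or [("OK", f"licensed and registered with {server}; Global status '{gstatus}'")]


if __name__ == "__main__":
    for code, why in diagnose(parse_wildfire_status(SAMPLE_STATUS)):
        print(f"{code}: {why}")
```

Run against the output above it reports NO_LICENSE, NOT_REGISTERED and TLS_HANDSHAKE_FAILURE, which matches the reading later in the thread: the handshake errors are a symptom of the missing license, not of decryption.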

 

Hello,

 

Thanks for your answer. The problem is that I don't have a license for it:

 

show wildfire status

Connection info:
Signature verification: enable
Server selection: enable
File cache: enable

WildFire Public Cloud:
Server address: eu.wildfire.paloaltonetworks.com
Best server:
Device registered: no
Through a proxy: no
Valid wildfire license: no

 

But... do you know how I can remove the messages from the system?

 

[screenshot: Alpalo_0-1631799287728.png]

 

Hi @Alpalo ,

 

I believe this is what you are looking for -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClyXCAS.

 

Thanks,

 

Tom


I still have the problem...

 

delete deviceconfig system update-schedule wildfire

 

Object doesn't exist

 

Any other suggestion?

 

Regards

Hi @Alpalo ,

 

That's strange. Do you have a valid Threat Prevention license? What licenses are active under Device > Licenses? If you have a Threat Prevention license, you should still be able to get WildFire signature updates every 24-48 hours. The object should not be completely gone.

 

What do you see under Device > Dynamic Updates?  Is there an update schedule for WildFire?  The CLI command refers to that section.

 

If you don't have a Threat Prevention license, try the CLI command "delete deviceconfig system update-schedule" without the wildfire parameter. That should delete all dynamic update schedules. You can then add the licensed ones back.

 

Thanks,

 

Tom


Hello,

 

Yes, I have a valid Threat Prevention license... Yes... that's strange...

 

[screenshot: Alpalo_0-1632123862641.png]
[screenshot: Alpalo_1-1632123899267.png]

 

Hi @Alpalo ,

 

Your NGFW is still trying to connect to WildFire every minute, as if the update schedule were still there. Maybe the config is in the CLI but not the GUI. Could you run the commands > "set cli config-output-format set", > "configure", and # "show deviceconfig system update-schedule"? If the wildfire entry is still there, I would delete the whole section with "delete deviceconfig system update-schedule" and then add the pieces that you want back. You can copy and paste the CLI for the other sections to quickly add them back. You can also "commit" on the CLI.

 

Thanks,

 

Tom


That is the configuration:

 

show deviceconfig system update-schedule
set deviceconfig system update-schedule threats recurring sync-to-peer yes
set deviceconfig system update-schedule threats recurring daily at 02:00
set deviceconfig system update-schedule threats recurring daily action download-and-install
set deviceconfig system update-schedule anti-virus recurring sync-to-peer yes
set deviceconfig system update-schedule anti-virus recurring daily at 03:00
set deviceconfig system update-schedule anti-virus recurring daily action download-and-install


I would delete the whole section, commit, then paste the 6 lines back, and commit again.


Hello,

 

I still have the problem; I was not able to delete the events...

 

Any idea or suggestion?

 

Thanks
