Firewall fails to register to Wildfire appliance


L1 Bithead

Has anyone had TLS cert issues with firewalls registering to their assigned wildfire appliances/clusters?

When our firewalls attempt to register to an appliance, within the cluster, they appear to reject the server certificate being handed back during the exchange. The current client hello contains an SNI matching the private cloud FQDN, but the identity cert being returned by the WF-500B doesn't have a SAN field or common name matching that SNI. The firewall's system logs show a "wildfire-auth-failed" event with a description of "Server authentication failed".

I should note that we're using the cluster's built-in DNS functionality to provide load-balancing via a conditional forwarder for the cluster domain. Output from "show device-certificate status" and "show device-certificate info" all look good on the appliances.

Accepted Solutions

L1 Bithead

So we found the issue. Firewall registration to the Wildfire clusters was failing. Running "show wildfire status channel private" on the firewall showed a global status of "Remote SSL certificate verification failed".

The cluster was using a custom DNS domain name as part of its built-in load-balancing function. This was incorrectly configured at the cluster level, which caused the individual appliance device certs to differ from the FQDN being used by the firewalls. Once that was corrected and pushed via Panorama, registration started working, followed shortly thereafter by successful sample submission.

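The failure described in this thread, a firewall sending the cluster FQDN as SNI and receiving a device certificate whose SAN and CN only name the individual appliance, can be checked offline with the following Python. This is an added example, not code from the poster or from Palo Alto Networks; the certificate dicts and the example.internal names are constructed placeholders in the shape Python's ssl.getpeercert() returns.

```python
# Added example: explain why a TLS client rejects a server certificate whose
# SAN/CN does not cover the SNI it sent (the mismatch in this thread).
# Standard library only; the certificate dicts below are constructed samples
# in the shape ssl.SSLSocket.getpeercert() returns, not real WF-500B certs.

def _dns_name_matches(pattern, hostname):
    """RFC 6125-style match: exact name, or a single leftmost '*' label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard may only replace one whole leftmost label and needs a real domain after it.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3 or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]

def cert_identities(cert):
    """Return (SAN DNS names, subject CN) from a getpeercert()-style dict."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return sans, cn

def check_server_identity(cert, sni):
    """Report whether the certificate is valid for the SNI the client sent.
    As TLS clients do, SAN is authoritative; CN is consulted only when no SAN exists."""
    sans, cn = cert_identities(cert)
    if sans:
        ok = any(_dns_name_matches(name, sni) for name in sans)
        basis = "subjectAltName %r" % (sans,)
    else:
        ok = cn is not None and _dns_name_matches(cn, sni)
        basis = "commonName %r (no SAN present)" % (cn,)
    reason = "identity matches" if ok else "%s does not cover %s" % (basis, sni)
    return {"sni": sni, "ok": ok, "reason": reason}

# Constructed sample certificates (placeholder names, not from the thread).
CLUSTER_FQDN = "wildfire.example.internal"  # what the firewall sends as SNI
APPLIANCE_CERT = {  # device cert issued for the appliance's own hostname only
    "subject": ((("commonName", "wf500b-01.example.internal"),),),
    "subjectAltName": (("DNS", "wf500b-01.example.internal"),),
}
FIXED_CERT = {  # after the cluster domain is corrected: covers both names
    "subject": ((("commonName", "wf500b-01.example.internal"),),),
    "subjectAltName": (("DNS", "wf500b-01.example.internal"), ("DNS", CLUSTER_FQDN)),
}

if __name__ == "__main__":
    for label, cert in (("before fix", APPLIANCE_CERT), ("after fix", FIXED_CERT)):
        print(label, check_server_identity(cert, CLUSTER_FQDN))
```

With a CA-verified connection, `ssl.create_default_context().wrap_socket(...).getpeercert()` yields the same dict shape, so the check can be run against a live appliance's certificate once the cluster CA is trusted.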