Paloalto TLS/SSL error while forwarding logs over TLS Syslog

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Paloalto TLS/SSL error while forwarding logs over TLS Syslog

PKCS12 Certificate  and Password generated from Paloalto is used at syslog server to establish connection between both system and used to decrypt the logs. However after establishing the connection the ssl handshake is broken and we see below error.

 

Syslog SSL error while writing stream; tls_error='rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding'. location='/opt/pancfg/mgmt/syslogng/pan_sysng,cfg:59:3'

 

Kindly help to understand this error, is it anything related to the certificate generated or do we have any other checklist to fix this issue. 

 

4 REPLIES 4

Cyber Elite
Cyber Elite

Hello,

 

Its possible its showing the incorrect error in relation to this bug ID:

PAN-241772
Fixed an issue where, when TLSv1.3 was used, an incorrect error message 
invalid padding was displayed instead of the expected error message Invalid server certificate
.

 

The certificate used for secure syslog on the firewall needs to have the CN set as the IP address of the interface that it is using to send the secure syslog information. Is this the case in your setup? And are you using a self-signed certificate, if so does wherever you're logging syslog data to trust this certificate?

 

How To Setup Syslog Monitoring Over TLS - Knowledge Base - Palo Alto Networks

 

 

Hi, 

 

We are using TLSv1.2,  is this also having incorrect error message issue?. 

And CN ip address used is the Firewall interface IP, also the self-signed certificate is imported to the syslog server still we are not able to fix this error. 

 

Syslog SSL error while writing stream; tls_error='rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding'. location='/opt/pancfg/mgmt/syslogng/pan_sysng,cfg:59:3'

 

Cyber Elite
Cyber Elite

What version of Pan-os are you using? We've got secure syslog setup and I personally havent received that error before. What happens if you generate a different cert and try that? To confirm, do you have the "Certificate for Secure Syslog" checked on the cert

pan os 10.2.8-h3 is the version. Yes we followed the guide How To Setup Syslog Monitoring Over TLS - Knowledge Base - Palo Alto Networks and "Certificate for Secure Syslog" checked on the cert. Also tried with different cert couple of time as well. 

 

We have onboarded 3 more firewalls folowing the guide and no issues. Only this firewall is having error. 

 

Attached the error for reference. 

Screenshot 2567-05-10 at 21.44.50.png

  • 2697 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!