Panorama - Wrong Password Hashes/Salts After Migration To Panorama

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Panorama - Wrong Password Hashes/Salts After Migration To Panorama

L1 Bithead

Hi everybody,

 

I noticed something when migration stand alone firewalls to panorama managed. 
In the past, I had multiple customers where I needed to migrate the local firewall configuration to panorama managed and I am allways following the official documentation here: https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/transition-a-firewal...

 

What I noticed is, that after the config migration to panorama, all secrets in the config were invalid. I noticed it especially on a customer with around 50 ipsec tunnels, where after the migration the log was full with authentication failures. So after reentering all preshared keys in the panorama templates for all of the ipsec tunnels, they all came up.

I also noticed it with the ldap configuration. Right after the migration I was not able to login to the firewall with an LDAP user and we saw in the logs of the LDAP server, that there was a wrong password for the configured palo alto LDAP service user. Again, after reentering the password of the LDAP service user on the panorama template, I was able to login again with LDAP.

 

I have seen this behavior on multiple customers now, with different firewalls (440, 5220, vm-series). They all had in common that they were running a Panorama version 10.0.8+ or 10.1.2+ with firewalls running 10.0.8+ (5220, vm-series) or 10.1.2+ (440).

 

Has anyone else seen this behavior? Am I missing something in the steps for Panorama migration?

I learned now, that when I have to migrate to panorama, that I change all passwords before I push the config back to the devices.

 

Thank you all,

Martin

Nothing lasts longer than a temporary solution.
3 REPLIES 3

Cyber Elite
Cyber Elite

Hi @MHuschenbett ,

 

I have seen same thing.  I don't think we missed anything.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Hi Tom,

 

Thank you for your response. It's good to know that I am not the only one with this problem.

Maybe someone from Palo Alto can tell us, if this is known and if there will be a "fix" for it or if it's currently not planned.

 

Best Regards,

Martin

Nothing lasts longer than a temporary solution.

L1 Bithead

Hi Martin,

 

Ii have the same issue with my lab device. I have just migrated my PAN VM on 10.1.4 to a PANO on 10.1.4-h4. After a successful migration, all tunnels are down. I am seeing a authentication failure and PSK mismatch in the System logs. Thankfully, as this is a lab I am not having PD traffic affected.

 

But as you stated had to re-put the PSK in for my tunnels, and the associations succeeded.

 

Kind Regards,

 

Callum

  • 2418 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!