Firewall Unable to Register to Cortex Data Lake

Sai_Tumuluri · ‎08-15-2019

Symptoms

A firewall is unable to register to Cortex Data Lake (CDL) for log forwarding. You might see red lights under the logging status or the firewall fails to connect to the CDL.

Diagnosis

Make sure FQDN refresh is enabled on the firewall
Able to resolve CDL FQDN
Traffic from the firewall to CDL is not being decrypted
The URLs and ports below are whitelisted for Prisma Access communication.
NOTE: More information can be found at Set Up Prisma Access.
- Port 444 (for Cortex Data Lake)
- api.lc.prod.us.cs.paloaltonetworks.com (for Cortex Data Lake)
- api.gpcloudservice.com (for Prisma Access)
- api.paloaltonetworks.com (for Prisma Access)
- apitrusted.paloaltonetworks.com (for Prisma Access)

Solution

Try following these steps on the firewall's CLI.

Troubleshooting
1. delete license key <logging_service_key>
2. request logging-service-forwarding certificate delete
3. request logging-service-forwarding certificate fetch

Verification
1. show logging-status
2. debug log-receiver rawlog_fwd_trial stats global show
3. request logging-service-forwarding status
4. request license info
5. show system state | match lcaas
6. show system state | match cust
7. request logging-service-forwarding customerinfo show
8. request logging-service-forwarding certificate info
9. show netstat numeric-hosts yes numeric-ports yes | match 3978

If it does not help, please Start a Topic in the Prisma Access Discussions area for community help. You may also open a TAC Case for further assistance, and be sure to reference the error and the steps provided. You can reference this document if needed.