"Error querying OCSP responder" as certificate revocation status checks fail on Panorama
Symptom
Resolution
Panorama needs to access these FQDNs for the initial setup and one-time password, and for ongoing certificate revocation checks.
- https://api.paloaltonetworks.com (TCP port 443)
- https://apitrusted.paloaltonetworks.com (TCP port 443)
- http://ocsp.paloaltonetworks.com/
- http://crl.paloaltonetworks.com/
- http://ocsp.godaddy.com/ (TCP port 80)
- *.gpcloudservice.com (TCP port 444)
Open the security policy for the Logging Service and add the above FQDNs as 'Destination addresses', with services for TCP ports 444, 443 and 80.
These FQDNs are also listed in the following documents and must be reachable before fine-tuning the security policies for Panorama's internet-bound access to the Logging Service: Cortex Data Lake Getting Started, and TCP Ports and FQDNs Required for Cortex Data Lake.
After the rule is in place, Panorama should begin rendering logs, and you can check connectivity to the Logging Service with:
> request plugins cloud_services logging-service status
pass
{
  "@status": "success",
  "result": {
    "PODamericas": {
      "name": "americas",
      "Status": {"type": "status", "value": "OK", "tooltip": "OK"},
      "@num_instances": 1,
      "Storage Used (TB)": {"type": "number", "value": "0.516887", "limit": 1},
      "Estimated Log Retention (Days)": 132,
      "entry": [
        {
          "name": "Americas",
          "Status": {"type": "status", "value": "OK", "tooltip": "OK"},
          "infra-audit-utilization": {"header": ["Infrastructure and Audit Logs", "Utilization"], "type": "number", "value": 1.94, "limit": 20.48, "unit": "GB"},
          "infra-audit-retention": {"header": ["Infrastructure and Audit Logs", "Retention"], "type": "number", "value": 151, "unit": "Days"},
          "detail-utilization": {"header": ["Detailed Logs", "Utilization"], "type": "number", "value": 509.06, "limit": 819.2, "unit": "GB"},
          "detail-retention": {"header": ["Detailed Logs", "Retention"], "type": "number", "value": 132, "unit": "Days"},
          "summary-utilization": {"header": ["Summary Logs", "Utilization"], "type": "number", "value": 18.29, "limit": 184.32, "unit": "GB"},
          "summary-retention": {"header": ["Summary Logs", "Retention"], "type": "number", "value": 141, "unit": "Days"},
          "@quota_info": {
            "quota_details": "{\"log-disk-quota\":{\"detailed\":80,\"infra-audit\":2,\"summary\":18},\"log-expiration-period\":{\"detailed\":395,\"infra-audit\":395,\"summary\":395},\"min-retention-warning-period\":{\"detailed\":14,\"infra-audit\":14,\"summary\":14},\"@name\":\"americas\",\"theater-quota\":{\"quota_count\":1}}",
            "quota_count": 1
          }
        }
      ]
    }
  }
}
2018-08-27 15:25:47,108 lcaas_agent INFO Server-cert revocation check status: good
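As an added example (not from the original article), the following Python parses the output of the status command and the lcaas_agent log line shown above, reporting each pod's Status, any gauge at or above a chosen fraction of its limit, and the most recent server-cert revocation check status. The sample output and log line are constructed here and trimmed to the fields the check reads.

```python
import json
import re

# Constructed sample of `request plugins cloud_services logging-service status` output,
# trimmed to the fields this check uses (same shape as the output shown above).
STATUS_OUTPUT = '''pass {"@status": "success", "result": {"PODamericas": {"name": "americas",
"Status": {"type": "status", "value": "OK", "tooltip": "OK"}, "@num_instances": 1,
"Storage Used (TB)": {"type": "number", "value": "0.516887", "limit": 1},
"entry": [{"name": "Americas", "Status": {"type": "status", "value": "OK", "tooltip": "OK"},
"detail-utilization": {"header": ["Detailed Logs", "Utilization"], "type": "number",
"value": 509.06, "limit": 819.2, "unit": "GB"}}]}}}'''

LOG_LINES = ["2018-08-27 15:25:47,108 lcaas_agent INFO Server-cert revocation check status: good"]  # constructed

REVOCATION_RE = re.compile(r"Server-cert revocation check status: (\S+)")


def parse_status(raw):
    """Split the leading pass/fail token from the JSON body; returns (token, dict)."""
    token, _, body = raw.strip().partition(" ")
    return token, json.loads(body)


def check_pods(raw, warn_ratio=0.8):
    """Return [(pod name, Status value, [problems])]; a problem is a failed command, a non-OK
    status, or a numeric gauge (pod level or per entry) at or above warn_ratio of its limit."""
    token, data = parse_status(raw)
    report = []
    for pod in data["result"].values():
        problems = []
        if token != "pass" or data["@status"] != "success":
            problems.append("command status %s/%s" % (token, data["@status"]))
        if pod["Status"]["value"] != "OK":
            problems.append("pod status %s" % pod["Status"]["value"])
        for gauge in [pod] + pod.get("entry", []):
            for key, val in gauge.items():
                if isinstance(val, dict) and val.get("type") == "number" and "limit" in val:
                    used, limit = float(val["value"]), float(val["limit"])
                    if limit and used / limit >= warn_ratio:
                        problems.append("%s at %.0f%% of limit" % (key, 100 * used / limit))
        report.append((pod["name"], pod["Status"]["value"], problems))
    return report


def revocation_status(lines):
    """Most recent Server-cert revocation check status ('good', 'unavailable', ...) or None."""
    status = None
    for line in lines:
        m = REVOCATION_RE.search(line)
        if m:
            status = m.group(1)
    return status
```

A revocation status other than 'good' with healthy pod output points at the OCSP/CRL FQDNs above being blocked rather than at the Logging Service itself.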
If the revocation status still shows 'unavailable', delete and re-fetch the Panorama certificate using the one-time password (OTP).
Additional Information
For help deleting and re-fetching certificates on Panorama, see "The SSL certificate error" causing Panorama to not display logs from the logging-service.