Panorama "Error querying OCSP responder" Because the Certificate Revocation Status Check Failed


Created On 09/25/18 15:19 PM - Last Modified 01/18/23 20:45 PM


Symptom


Panorama was displaying logs from the cloud Logging Service and then suddenly stopped displaying them because it could not reach the OCSP server to complete the certificate revocation check.

Diagnosis

  • less mp-log lcaas_agent.log

2018-08-27 15:16:47,108 lcaas_agent INFO Server-cert revocation check status: unavailable
This shows that Panorama was unable to complete the certificate revocation check.
 
2018-08-27 15:16:47,279 lcaas_agent INFO Resp from cloud service : [{"query":"8ad748e7-edbb-413a-b2c8-89c36750a859.api2-lc-prod-us.gpcloudservice.com:444","CustomerID":"117789002","region":"americas","region-display":"americas","ingest":"8ad748e7-edbb-413a-b2c8-89c36750a859.in2-lc-prod-us.gpcloudservice.com"}]
Note that the "Resp from cloud service" line above does not necessarily mean that the service is responding to Panorama.
"request plugins cloud_services logging-service status" returns no output and remains stuck until you terminate the task with CTRL+C.
 
  • less mp-log plugin_cloud_services.log
2018-08-27 16:27:36.712 -0500 INFO: [update-device-cert] OCSP/CRL check status:
('unavailable', 'Output to be sent to /tmp/ocspoutput_911171761.data.\nOCSP URL from the certificate http://ocsp.paloaltonetworks.com/ocsp.\nOCSP cert status check is hosted atocsp.paloaltonetworks.com.\nTrying connection to Host ocsp.paloaltonetworks.com for checking cert status.\nError querying OCSP responsder\n

2018-08-27 16:27:36.712 -0500 ERROR: [update-device-cert] No cert/key found. Probably trusted channel is not setup. Cannot continue.

From plugin_cloud_services.log it can be seen that Panorama is not getting a response from ocsp.paloaltonetworks.com, where the OCSP certificate status check is hosted, because a security rule on the perimeter firewall blocks access to this destination.

How was Panorama able to display logs from the cloud service successfully before it stopped?
The reason is that, when onboarding to the Logging Service, the user may have configured a rule on the perimeter firewall allowing "any" destination, and later tightened the rule to allow access from Panorama (as source) only to the region-based Logging Service FQDN (US or EU), omitting the other destinations listed in the Resolution below:
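The two log excerpts above carry everything needed to tell why the revocation check fails and which destinations the perimeter rule must permit. The following Python script is an added example (not part of this article or of PAN-OS): it parses constructed copies of the lcaas_agent.log and plugin_cloud_services.log lines shown here, tracks the revocation-check status over time, and derives the FQDN/port pairs Panorama tried to reach, taking the OCSP port from the URL scheme (http, hence port 80, as the Resolution's note states).

```python
import json
import re
from urllib.parse import urlparse
# Constructed sample lines, copied from the log excerpts shown in this article.
LCAAS_AGENT_LOG = r"""
2018-08-27 15:16:47,108 lcaas_agent INFO Server-cert revocation check status: unavailable
2018-08-27 15:16:47,279 lcaas_agent INFO Resp from cloud service : [{"query":"8ad748e7-edbb-413a-b2c8-89c36750a859.api2-lc-prod-us.gpcloudservice.com:444","CustomerID":"117789002","region":"americas","region-display":"americas","ingest":"8ad748e7-edbb-413a-b2c8-89c36750a859.in2-lc-prod-us.gpcloudservice.com"}]
2018-08-27 15:25:47,108 lcaas_agent INFO Server-cert revocation check status: good
"""
PLUGIN_CLOUD_SERVICES_LOG = r"""
2018-08-27 16:27:36.712 -0500 INFO: [update-device-cert] OCSP/CRL check status: ('unavailable', 'Output to be sent to /tmp/ocspoutput_911171761.data.\nOCSP URL from the certificate http://ocsp.paloaltonetworks.com/ocsp.\nError querying OCSP responsder\n
2018-08-27 16:27:36.712 -0500 ERROR: [update-device-cert] No cert/key found. Probably trusted channel is not setup. Cannot continue.
"""
STATUS_RE = re.compile(r"^(\S+ \S+) lcaas_agent INFO Server-cert revocation check status: (\w+)", re.M)
RESP_RE = re.compile(r"Resp from cloud service : (\[.*\])")
OCSP_URL_RE = re.compile(r"OCSP URL from the certificate (https?://\S+?)\.(?:\\n|\s)")  # '\n' is logged literally

def revocation_history(agent_log):
    """Return [(timestamp, status), ...] in log order; the last entry is the current state."""
    return STATUS_RE.findall(agent_log)

def ocsp_responders(plugin_log):
    """(host, port) of each OCSP responder named in the plugin log; the port follows the URL scheme."""
    out = []
    for url in OCSP_URL_RE.findall(plugin_log):
        u = urlparse(url)
        out.append((u.hostname, u.port or (443 if u.scheme == "https" else 80)))
    return out

def required_destinations(agent_log, plugin_log):
    """Map each FQDN Panorama contacted to the port the logs reveal (None when the log gives none)."""
    # The query FQDN carries ':444'; the ingest FQDN is logged without a port, so it is left as None.
    dests = {}
    for blob in RESP_RE.findall(agent_log):
        for entry in json.loads(blob):
            host, sep, port = entry["query"].rpartition(":")
            dests[host if sep else entry["query"]] = int(port) if sep else None
            dests.setdefault(entry["ingest"], None)
    dests.update(ocsp_responders(plugin_log))
    return dests

def diagnose(agent_log, plugin_log):
    """Verdict: 'ok' if the latest check passed, otherwise which OCSP responder the firewall must permit."""
    history = revocation_history(agent_log)
    latest = history[-1][1] if history else "unknown"
    if latest == "good":
        return "ok"
    ocsp = ", ".join(f"{h}:{p}" for h, p in ocsp_responders(plugin_log)) or "(no OCSP URL logged)"
    return f"revocation check {latest}: allow Panorama to reach {ocsp}"
```

Run against the log tail only (before the 15:25 "good" line) the verdict names ocsp.paloaltonetworks.com:80, which is exactly the rule the Resolution adds.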

Resolution


Panorama needs access to these FQDNs for the initial setup and one-time password, as well as for the ongoing certificate revocation checks.


Note:
For OCSP, you must also allow access through the firewall to ocsp.paloaltonetworks.com on port 80.


Open the security policy to the Logging Service and add the FQDNs above as "Destination Address", with services 444, 443 and 80.

These are also listed in the following documents; access should be allowed for Panorama to the Logging Service (Internet bound) before the security policy is fine-tuned:
Cortex Data Lake Getting Started; TCP Ports and FQDNs Required for Cortex Data Lake

Once the rules are configured correctly, Panorama should start displaying logs again, and you can check connectivity to the Logging Service with:

> request plugins cloud_services logging-service status

pass

{"@status": "success", "result": {"PODamericas": {"name": "americas", "Status": {"type": "status", "value": "OK", "tooltip": "OK"}, "@num_instances": 1, "Storage Used (TB)": {"type": "number", "value": "0.516887", "limit": 1}, "Estimated Log Retention (Days)": 132, "entry": [{"name": "Americas", "Status": {"type": "status", "value": "OK", "tooltip": "OK"}, "infra-audit-utilization": {"header": ["Infrastructure and Audit Logs", "Utilization"], "type": "number", "value": 1.94, "limit": 20.48, "unit": "GB"}, "infra-audit-retention": {"header": ["Infrastructure and Audit Logs", "Retention"], "type": "number", "value": 151, "unit": "Days"}, "detail-utilization": {"header": ["Detailed Logs", "Utilization"], "type": "number", "value": 509.06, "limit": 819.2, "unit": "GB"}, "detail-retention": {"header": ["Detailed Logs", "Retention"], "type": "number", "value": 132, "unit": "Days"}, "summary-utilization": {"header": ["Summary Logs", "Utilization"], "type": "number", "value": 18.29, "limit": 184.32, "unit": "GB"}, "summary-retention": {"header": ["Summary Logs", "Retention"], "type": "number", "value": 141, "unit": "Days"}, "@quota_info": {"quota_details": "{\"log-disk-quota\":{\"detailed\":80,\"infra-audit\":2,\"summary\":18},\"log-expiration-period\":{\"detailed\":395,\"infra-audit\":395,\"summary\":395},\"min-retention-warning-period\":{\"detailed\":14,\"infra-audit\":14,\"summary\":14},\"@name\":\"americas\",\"theater-quota\":{\"quota_count\":1}}", "quota_count": 1}}]}}}
 
The certificate revocation status in lcaas_agent.log should now read as follows:
2018-08-27 15:25:47,108 lcaas_agent INFO Server-cert revocation check status: good


If the revocation status still shows "unavailable", delete the Panorama certificate and fetch it again using the OTP.



Additional Information


For help with deleting and re-fetching the Panorama certificate, see "SSL Certificate Error Causes Panorama to Not Display Logs from the Logging Service".
