No service profile found” Error When Deploying the VM-Series with Panorama"

Issue

When attempting to deploy the VM-Series firewall using Panorama 6.0 or 6.1 and NSX Manager version 6.1, the  “no service profile found” error displays in the Service Composer > Security Policy > Network Introspection Services tab:

Cause

This error displays because NSX Manager 6.1 requires an additional attribute to complete the registration process for the Next Generation Firewall Service.

Resolution

To fix this error, you will need to use the XML API to first find the Service ID for the Palo Alto Networks NGFW service and then register the missing attributes to this service.

1. Install a REST client in your browser.
2. Use the Authentication option in the REST client to enter the username and password for the NSX Manager.
3. On the same tab or in a new tab in the REST client, set the request header as follows:
   Name: Content-Type;
   Value: application/xml
   
4. To view the list of services deployed and the name and service ID for the Palo Alto NGFW Service, use the following API call:
   GET https://<nsx mgr ip>/api/2.0/si/services
   If you receive a 403 status code, it indicates that the login session has expired. Login to NSX Manager again and then check the Response Body (Highlight) tab and search for “Palo”.
   
5. Locate the service ID associated with the Palo Alto Networks NGFW.
   For example, in the response look for …<serviceId>service-13</serviceId> that precedes the <serviceName>Palo Alto Networks NGFW</serviceName>…
6. Use the following REST API call to provide the additional attribute to the NSX Manager:
   PUT https://<nsx mgr ip>/api/2.0/si/service/service-13/functionalities
   Body:  <set><string>FIREWALL</string></set>
              <set><string>IDS_IPS</string></set>
   
7. On the NSX Manager, Service Composer > Security Policy > Network Introspection Services tab, verify that the Palo Alto NFGW Service is registered with the IDS IPS, and Firewall attributes, as shown below.
   

owner: mvaidyanathan