WebUI of Firewall/Panorama not able to connect with 400 Bad Request error
37022
Created On 01/25/20 19:47 PM - Last Modified 07/10/20 03:11 AM
Symptom
- WebUI of Firewall/Panorama not able to connect.
- 400 Bad Request error seen from browser
- Have access to management interface via CLI
Environment
- Panorama
- Firewall
- WebUI
- Certificates
- Certificate Profile
- TLS Service Profile
Cause
Generic causes of 400 Bad Request error:
- 400 Bad request can happen due to various reasons. This happens mostly because of error from client side
- Definition of 400 Bad Request:
- WebUI access using https uses SSL for which certificate is required
- In this case, user tries to access WebUI of Firewall/Panorama and gets error 400 Bad Request ERROR, no required SSL cert sent
- In this case based on certificate profile configured with authentication profile of management interface configuration, server (Webserver of Firewall/Panorama) sends Certificate Request during SSL handshake but since client does not have certificate signed by the Root CA used with Certificate profile, it sends a 400 Bad Request
Resolution
- To fix the issue of above error that prevents accessing GUI use CLI configure mode to delete certificate-profile and commit the changes
>configure #delete deviceconfig system certificate-profile #commit
- In case of need to use certificate based authentication, SSL/TLS Service Profile needs to be configured under Device > Setup > Management > General Settings to authenticate WebUI server by client accessing GUI
NOTE:Additionally if it is needed to use client authentication, certificate profile can be configured under Device > Setup > Management > Authentication Settings > Certificate Profile. However, Client accessing the system need to have client certificate pushed to machine store of client-machine.