Newly added Dedicated Log Collectors running PAN-OS 10.1 cannot be registered to Panorama

Created On 10/20/21 01:23 AM - Last Modified 11/17/22 04:05 AM


Symptom


Newly added Dedicated Log Collectors running PAN-OS 10.1 cannot be registered to Panorama.

Environment


  • Any Panorama
  • Newly added Dedicated Log Collector
  • PAN-OS version 10.1 or later


Cause


  • The new feature "Authentication Key for Secure Onboarding" is implemented in PAN-OS 10.1. Refer to Panorama Features.
  • A device registration authentication key is required for mutual authentication between the Panorama management server and the firewall, Log Collector, or WildFire appliance on first connection.


Resolution


  1. Generate a device key on new managed collectors. Refer to Authentication Key for Secure Onboarding.
  2. If failures are still seen after applying the setting on the above page, try the following steps on the Dedicated Log Collector. They reset the existing settings for connecting to Panorama and apply a new device key for the connection.

Note: The commands listed below reset the connection and restart the management server. This may cause a temporary reset of connections. If needed, use a maintenance window to run the commands.

On the Dedicated Log Collector CLI:

> request sc3 reset
> y
> debug software restart process management-server     =>!!(SSH reconnection needed)!!
> request authkey set <key>                            => Key from Step 1.


Additional Information


Recover Managed Device Connectivity to Panorama
Authentication Key for Secure Onboarding
Deploy Panorama with Dedicated Log Collectors

