How to troubleshoot firewall onboarding and connectivity issues with Strata Cloud Manager
Created On 12/19/23 21:58 PM - Last Modified 10/15/25 14:58 PM
Objective
Troubleshoot connectivity failures between the firewall and Strata Cloud Manager
Environment
- Firewall
- Strata Cloud Manager
Procedure
- First, make sure you have followed all the steps in the "Onboarding a Firewall" document.
- Allow communication between the Palo Alto Networks Next-Gen Firewall (NGFW) and Strata Cloud Manager over the required TCP ports and fully qualified domain names (FQDNs).
- Check the output of the CLI command:
> show cloud-management-status
Managed by Cloud Management Service
Endpoint : cyzf2994-f01f-48f7-ab8c-d1cd4b439200.prod.us.ngfw.cloudmgmt.paloaltonetworks.com
Connected : yes
DNS:
  msg: Successfully resolved FQDN
  status: success
  timestamp: 2023/11/07 12:43:15
TCP:
  msg: TCP channel established
  status: success
  timestamp: 2023/11/07 12:43:15
SSL:
  msg: SSL channel established
  status: success
  timestamp: 2023/11/07 12:43:15
- If the endpoint FQDN is not shown in the output of the command above, this most likely means the firewall has not been configured to be managed by the cloud service. Navigate to Device > Setup > Management and edit the Panorama Settings.
- If the DNS section of the command above does not show that the FQDN was successfully resolved, verify that both NTP and DNS are configured properly under Device > Setup > Services, then check:
> show ntp
> traceroute host <endpoint FQDN from the show cloud-management-status output above>
- If the TCP channel is not showing as established in the command above, check ms.log for messages similar to the ones below:
> less mp-log ms.log
2023-10-09 13:24:27.060 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18
2023-10-09 13:26:58.612 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18
2023-10-09 13:29:17.876 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18
2023-10-09 13:31:37.140 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18
You can also use the output of the CLI command:
> show netstat numeric-hosts yes numeric-ports yes | match 3978
tcp 0 1 192.168.34.137:52324 35.69.247.210:3978 SYN_SENT <<<<<
A socket stuck in SYN_SENT indicates that the firewall is sending the SYN but a device between the firewall and the Virtus server / Strata Cloud Manager endpoint is blocking the SYN/ACK. Note: 35.69.247.210 is the IP address to which the FQDN of the Virtus server "cyzf2994-f01f-48f7-ab8c-d1cd4b439200.prod.us.ngfw.cloudmgmt.paloaltonetworks.com" (shown in the output of show cloud-management-status above) resolves.
- If the TCP connection is established but the output for SSL is empty, as shown below:
TCP:
  msg: TCP channel established
  status: success
  timestamp: 2023/12/19 13:37:25
SSL:
  msg:
  status:
  timestamp:
this most likely indicates a problem with the SSL handshake or a device blocking the SSL connection. To verify this, run a tcpdump on the management interface with the host filter set to the IP address to which the endpoint FQDN resolves:
> tcpdump filter "host 35.69.247.210"
Export the packet capture to an SCP server so you can check which device is resetting the connection:
> scp export mgmt-pcap from mgmt.pcap to user1@192.168.222.88:/home/user1/
Also, since this traffic is identified as SSL on port 3978, make sure that the security policy rule on your gateway firewall, if it applies to this traffic, is not configured with service "application-default"; otherwise it will not allow this traffic.
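To turn the checks above into a repeatable triage, here is an added Python helper (written for this page, not code from the article or from Palo Alto Networks) that parses the show cloud-management-status output and names the first stage that is not a success together with the next check the procedure prescribes. The sample output is constructed to match the "TCP established but SSL empty" case; only the endpoint FQDN is taken from the page.

```python
import re

# Constructed sample of `show cloud-management-status` with TCP up but SSL empty.
SAMPLE = """Endpoint : cyzf2994-f01f-48f7-ab8c-d1cd4b439200.prod.us.ngfw.cloudmgmt.paloaltonetworks.com
DNS:
  msg: Successfully resolved FQDN
  status: success
  timestamp: 2023/12/19 13:37:25
TCP:
  msg: TCP channel established
  status: success
  timestamp: 2023/12/19 13:37:25
SSL:
  msg:
  status:
  timestamp:
"""

# Next check from the procedure, keyed by the first stage that is not a success.
NEXT_CHECK = {
    "endpoint": "Device > Setup > Management: edit Panorama Settings",
    "DNS": "Device > Setup > Services: verify DNS and NTP; show ntp; traceroute host <endpoint FQDN>",
    "TCP": "less mp-log ms.log (cannot connect ... port=3978); show netstat ... | match 3978 for SYN_SENT",
    "SSL": "tcpdump filter \"host <endpoint IP>\" on mgmt; upstream rule must not use service application-default",
}

def parse_status(text):
    # Returns (endpoint FQDN or None, {stage: {msg/status/timestamp: value}}).
    endpoint, stages, cur = None, {}, None
    for line in text.splitlines():
        m = re.fullmatch(r"\s*(DNS|TCP|SSL):\s*", line)
        if line.startswith("Endpoint"):
            endpoint = line.split(":", 1)[1].strip() or None
        elif m:
            cur = m.group(1)
            stages[cur] = {}
        elif cur and ":" in line:
            key, val = line.strip().split(":", 1)
            stages[cur][key] = val.strip()
    return endpoint, stages

def diagnose(text):
    # First failing stage, in the order the firewall brings the channel up.
    endpoint, stages = parse_status(text)
    if not endpoint:
        return "endpoint", NEXT_CHECK["endpoint"]
    for stage in ("DNS", "TCP", "SSL"):
        if stages.get(stage, {}).get("status") != "success":
            return stage, NEXT_CHECK[stage]
    return "ok", "all three stages report success"
```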
Additional Information
By default, a Palo Alto Networks NGFW (Managed by Strata Cloud Manager) uses the dedicated, non-standard port 3978 to communicate with Strata Cloud Manager. Starting with PAN-OS 11.2, you can instead configure the onboarding of the NGFW (Managed by Strata Cloud Manager) to Strata Cloud Manager to use destination port 443 in place of port 3978. You can review the new feature here:
https://docs.paloaltonetworks.com/pan-os/11-2/pan-os-release-notes/features-introduced-in-pan-os/management-features?otp=concept-nk2_nxh_2bc#concept-nk2_nxh_2bc