Comment résoudre les problèmes d'intégration et de connexion du pare-feu avec Strata Cloud Manager

Comment résoudre les problèmes d'intégration et de connexion du pare-feu avec Strata Cloud Manager

17384
Created On 12/19/23 21:58 PM - Last Modified 10/15/25 14:58 PM


Objective


Résoudre les problèmes de connexion entre le pare-feu et Strata Cloud Manager

Environment


  • Pare-feu
  • Gestionnaire de nuages Strata

Procedure


  1. Assurez-vous d’abord d’avoir suivi toutes les étapes du document Intégrer un pare-feu .
    1. Autoriser la communication entre Palo Alto Networks Next-Gen Firewall (NGFW) et Strata Cloud Manager sur les ports TCP et les noms de domaine entièrement qualifiés (FQDN) .
  2. Check the output of the CLI command: 
    > show cloud-management-status

Managed by Cloud Management Service
Endpoint : cyzf2994-f01f-48f7-ab8c-d1cd4b439200.prod.us.ngfw.cloudmgmt.paloaltonetworks.com
Connected : yes
DNS:
msg: Successfully resolved FQDN
status: success
timestamp: 2023/11/07 12:43:15
TCP:
msg: TCP channel established
status: success
timestamp: 2023/11/07 12:43:15
SSL:
msg: SSL channel established
status: success
timestamp: 2023/11/07 12:43:15
    1. Si le FQDN complet du point de terminaison n'apparaît pas dans la sortie de la commande ci-dessus, cela signifie probablement que vous n'avez pas configuré le pare-feu pour qu'il soit géré par le service cloud. Accédez à Appareil > Configuration > Gestion et modifiez les paramètres Panorama .
Cloud Service Managed Firewall
  1. If the DNS doesn't show that it successfully has resolved FQDN in the command above, verify that both ntp and dns are configured properly under Appareil > Configuration > Services 
    > show ntp
> traceroute host <Endpoint fqdn that is in the output of step 2 >
  2. If the TCP channel is not showing as established in the command above, then check the ms.log and look for message similar to below: 
    > less mp-log ms.log:
2023-10-09 13:24:27.060 -0700 Error:  pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18
2023-10-09 13:26:58.612 -0700 Error:  pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18
2023-10-09 13:29:17.876 -0700 Error:  pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18
2023-10-09 13:31:37.140 -0700 Error:  pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18
    You can also use the output of the CLI command: 
    > show netstat numeric-hosts yes numeric-ports yes | match 3978
tcp        0      1 192.168.34.137:52324      35.69.247.210:3978      SYN_SENT  <<<<<
    which indicates that the firewall is sending the SYN but there is a device in between the firewall and the Virtus server / endpoint of the Strata Cloud Manager that is blocking the SYN/ACK. Note: 35.69.247.210 is the IP address that the FQDN of the Virtus server "cyzf2994-f01f-48f7-ab8c-d1cd4b439200.prod.us.ngfw.cloudmgmt.paloaltonetworks.com" (shown in the output of the CLI command in step 2) resolves.
  3. If TCP connection is established but the output for the SSL is empty as shown below: 
     TCP:
       msg: TCP channel established
       status: success
       timestamp: 2023/12/19 13:37:25
    SSL:
       msg:
       status:
       timestamp:
    Then this most likely indicates a problem with the SSL handshake or a device blocking the SSL connection. To verify this, perform a tcpdump on the management interface with the host being the IP address to which the Endpoint FQDN resolves: 
    > tcpdump filter "host 35.69.247.210"
    Export the packet capture to an SCP server so you can check which device is resetting the connection. 
    > scp export mgmt-pcap from mgmt.pcap to user1@192.168.222.88:/home/user1/
    Also, since this traffic is identified as SSL on port 3978, make sure that your gateway FW's security policy rule, if applied to this traffic, is not configured with service "application-default". Otherwise it will not allow this traffic.

Additional Information


Palo Alto Networks NGFW (Managed by Strata Cloud Manager) utilise le port non standard dédié 3978 pour communiquer avec Strata Cloud Manager par par défaut. Dans PAN-OS 11.2 , vous pouvez à la place configurer l'intégration de NGFW (Managed by Strata Cloud Manager) à Strata Cloud Manager pour utiliser le port de destination 443 au lieu du port 3978. Vous pouvez consulter la nouvelle fonctionnalité ici :


https://docs.paloaltonetworks.com/pan-os/11-2/pan-os-release-notes/features-introduced-in-pan-os/management-features?otp=concept-nk2_nxh_2bc#concept-nk2_nxh_2bc
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008WHJCA2&lang=fr&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language