How to Troubleshoot Firewall Onboarding and Connectivity Issues with Strata Cloud Manager
Created On 12/19/23 21:58 PM - Last Modified 10/15/25 14:58 PM
Objective
Troubleshoot connectivity failures between a firewall and Strata Cloud Manager.
Environment
- Firewall
- Strata Cloud Manager
Procedure
- First, make sure you have followed every step in the "Onboard a Firewall" documentation.
- Allow communication between the Palo Alto Networks Next-Gen Firewall (NGFW) and Strata Cloud Manager on the required TCP ports and fully qualified domain names (FQDNs).
- Check the output of the CLI command:
> show cloud-management-status
Managed by Cloud Management Service
Endpoint : cyzf2994-f01f-48f7-ab8c-d1cd4b439200.prod.us.ngfw.cloudmgmt.paloaltonetworks.com
Connected : yes
DNS:
  msg: Successfully resolved FQDN
  status: success
  timestamp: 2023/11/07 12:43:15
TCP:
  msg: TCP channel established
  status: success
  timestamp: 2023/11/07 12:43:15
SSL:
  msg: SSL channel established
  status: success
  timestamp: 2023/11/07 12:43:15
- If the endpoint FQDN does not appear in the output of the command above, the firewall is most likely not configured to be managed by the cloud service. Go to Device > Setup > Management and edit the Panorama Settings.
- If the DNS section of the command above does not show that the FQDN was successfully resolved, verify that both NTP and DNS are configured properly under Device > Setup > Services, then confirm with:
> show ntp
> traceroute host <Endpoint fqdn that is in the output of step 2 >
- If the TCP channel is not shown as established in the command above, check ms.log and look for messages similar to the ones below:
> less mp-log ms.log
2023-10-09 13:24:27.060 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18
2023-10-09 13:26:58.612 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18
2023-10-09 13:29:17.876 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18
2023-10-09 13:31:37.140 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18
You can also use the output of the CLI command:
> show netstat numeric-hosts yes numeric-ports yes | match 3978
tcp 0 1 192.168.34.137:52324 35.69.247.210:3978 SYN_SENT <<<<<
A socket stuck in SYN_SENT indicates that the firewall is sending the SYN but a device between the firewall and the Virtus server / endpoint of Strata Cloud Manager is blocking the SYN/ACK. Note: 35.69.247.210 is the IP address to which the FQDN of the Virtus server "cyzf2994-f01f-48f7-ab8c-d1cd4b439200.prod.us.ngfw.cloudmgmt.paloaltonetworks.com" (shown in the output of the CLI command in step 2) resolves.
- If the TCP connection is established but the output for SSL is empty, as shown below:
TCP:
  msg: TCP channel established
  status: success
  timestamp: 2023/12/19 13:37:25
SSL:
  msg:
  status:
  timestamp:
this most likely indicates a problem with the SSL handshake or a device blocking the SSL connection. To verify this, run a tcpdump on the management interface with the host set to the IP address to which the endpoint FQDN resolves:
> tcpdump filter "host 35.69.247.210"
Export the packet capture to an SCP server so you can check which device is resetting the connection:
> scp export mgmt-pcap from mgmt.pcap to user1@192.168.222.88:/home/user1/
Also, because this traffic is identified as the SSL application on the non-standard port 3978, make sure that any security policy rule on your gateway firewall that matches this traffic is not configured with service "application-default"; otherwise the rule will not allow this traffic.
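As an added example (not part of this article and not Palo Alto Networks code), the following Python triage helper parses the two outputs the procedure walks through: it reports which stage of show cloud-management-status (DNS, TCP, SSL) is the first to not succeed, or that no endpoint is configured, and it counts "cannot connect" errors per remote ip/port in ms.log. The sample texts are constructed, modelled on the output quoted above.

```python
import re

STAGES = ("DNS", "TCP", "SSL")

# Constructed sample: DNS succeeded, TCP channel never came up, SSL never attempted.
STATUS_TCP_FAIL = """Managed by Cloud Management Service
Endpoint : cyzf2994-f01f-48f7-ab8c-d1cd4b439200.prod.us.ngfw.cloudmgmt.paloaltonetworks.com
Connected : no
DNS:
  msg: Successfully resolved FQDN
  status: success
  timestamp: 2023/11/07 12:43:15
TCP:
  msg:
  status:
  timestamp:
SSL:
  msg:
  status:
  timestamp:
"""

# Constructed ms.log lines in the format quoted in the article.
MS_LOG = """2023-10-09 13:24:27.060 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18
2023-10-09 13:26:58.612 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18
"""

def parse_status(text):
    """Return (endpoint FQDN or None, {stage: {msg/status/timestamp: value}})."""
    endpoint, stages, current = None, {}, None
    for line in text.splitlines():
        if line.startswith("Endpoint"):
            endpoint = line.split(":", 1)[1].strip()
        elif line.rstrip(":") in STAGES:          # "DNS:", "TCP:", "SSL:" section headers
            current = line.rstrip(":")
            stages[current] = {}
        elif current and ":" in line:             # indented "key: value" under a section
            k, v = line.strip().split(":", 1)
            stages[current][k] = v.strip()
    return endpoint, stages

def first_failed_stage(text):
    """'NOT_CONFIGURED' (no endpoint), the first stage whose status != success, or None."""
    endpoint, stages = parse_status(text)
    if not endpoint:
        return "NOT_CONFIGURED"   # check Device > Setup > Management > Panorama Settings
    for s in STAGES:
        if stages.get(s, {}).get("status") != "success":
            return s
    return None

CONNECT_ERR = re.compile(r"cannot connect\. remote ip=(\S+) port=(\d+) err=[^(]+\((\d+)\)")

def connect_failures(log):
    """Count ms.log 'cannot connect' errors keyed by (remote ip, port, errno)."""
    counts = {}
    for ip, port, errno in CONNECT_ERR.findall(log):
        key = (ip, int(port), int(errno))
        counts[key] = counts.get(key, 0) + 1
    return counts
```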
Additional Information
By default, a Palo Alto Networks NGFW managed by Strata Cloud Manager communicates with Strata Cloud Manager on the dedicated non-standard port 3978. Starting with PAN-OS 11.2, onboarding of the NGFW (managed by Strata Cloud Manager) to Strata Cloud Manager can instead be configured to use destination port 443 rather than port 3978. The new feature is described here:
https://docs.paloaltonetworks.com/pan-os/11-2/pan-os-release-notes/features-introduced-in-pan-os/management-features?otp=concept-nk2_nxh_2bc#concept-nk2_nxh_2bc