How to troubleshoot firewall onboarding and connectivity issues in Strata Cloud Manager
Created On 12/19/23 21:58 PM - Last Modified 10/15/25 14:58 PM
Objective
Troubleshoot connectivity failures between the firewall and Strata Cloud Manager
Environment
- Firewall
- Strata Cloud Manager
Procedure
- First, verify that you have followed all the steps in the firewall registration (onboarding) documentation.
- Allow communication between the Palo Alto Networks Next-Gen Firewall (NGFW) and Strata Cloud Manager on the required TCP ports and FQDNs (fully qualified domain names).
- Check the output of the CLI command:
> show cloud-management-status

Managed by Cloud Management Service
Endpoint : cyzf2994-f01f-48f7-ab8c-d1cd4b439200.prod.us.ngfw.cloudmgmt.paloaltonetworks.com
Connected : yes
DNS:
  msg: Successfully resolved FQDN
  status: success
  timestamp: 2023/11/07 12:43:15
TCP:
  msg: TCP channel established
  status: success
  timestamp: 2023/11/07 12:43:15
SSL:
  msg: SSL channel established
  status: success
  timestamp: 2023/11/07 12:43:15
- If the Endpoint FQDN does not appear in the output of the command above, the firewall most likely has not been configured to be managed by the cloud service. Go to Device > Setup > Management and edit the Panorama Settings.
- If the DNS section of the output above does not show that the FQDN was successfully resolved, verify that both NTP and DNS are configured properly under Device > Setup > Services, then check:

> show ntp
> traceroute host <Endpoint FQDN shown in the show cloud-management-status output above>
- If the TCP channel is not shown as established in the command above, check ms.log and look for messages similar to the following:

> less mp-log ms.log

2023-10-09 13:24:27.060 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18
2023-10-09 13:26:58.612 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18
2023-10-09 13:29:17.876 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18
2023-10-09 13:31:37.140 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18
You can also use the output of the CLI command:

> show netstat numeric-hosts yes numeric-ports yes | match 3978

tcp 0 1 192.168.34.137:52324 35.69.247.210:3978 SYN_SENT <<<<<

A connection stuck in SYN_SENT indicates that the firewall is sending the SYN but a device between the firewall and the Virtus server / Strata Cloud Manager endpoint is blocking the SYN/ACK. Note: 35.69.247.210 is the IP address to which the Virtus server FQDN "cyzf2994-f01f-48f7-ab8c-d1cd4b439200.prod.us.ngfw.cloudmgmt.paloaltonetworks.com" (shown in the show cloud-management-status output above) resolves.
- If the TCP connection is established but the SSL section of the output is empty, as shown below:

TCP:
  msg: TCP channel established
  status: success
  timestamp: 2023/12/19 13:37:25
SSL:
  msg:
  status:
  timestamp:

then this most likely indicates a problem with the SSL handshake or a device blocking the SSL connection. To verify, run a tcpdump on the management interface, filtering on the IP address to which the Endpoint FQDN resolves:

> tcpdump filter "host 35.69.247.210"

Export the packet capture to an SCP server so you can check which device is resetting the connection:

> scp export mgmt-pcap from mgmt.pcap to user1@192.168.222.88:/home/user1/

Also, because this traffic is identified as SSL on the non-standard port 3978, make sure that any security policy rule on your gateway firewall that matches this traffic is not configured with service "application-default"; otherwise the rule will not allow this traffic.
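As an added example (not part of the original article and not Palo Alto Networks' own tooling), the following Python script applies the decision tree above to pasted CLI output: it parses show cloud-management-status (as displayed, or run together on one line as often happens when copied from a terminal), reports the first stage that is not successful together with the check the article prescribes for it, and summarises the ms.log "cannot connect" errors and SYN_SENT netstat entries that support the TCP-stage diagnosis. The sample outputs are constructed from the article's own example values; the NEXT_CHECK texts paraphrase the article's steps.

```python
import re
from typing import Any, Dict, List

# Constructed sample output in the format the article shows; the endpoint FQDN,
# IP addresses, port and timestamps are the article's own example values.
SAMPLE_STATUS_OK = """\
Managed by Cloud Management Service
Endpoint : cyzf2994-f01f-48f7-ab8c-d1cd4b439200.prod.us.ngfw.cloudmgmt.paloaltonetworks.com
Connected : yes
DNS:
  msg: Successfully resolved FQDN
  status: success
  timestamp: 2023/11/07 12:43:15
TCP:
  msg: TCP channel established
  status: success
  timestamp: 2023/11/07 12:43:15
SSL:
  msg: SSL channel established
  status: success
  timestamp: 2023/11/07 12:43:15
"""
# Constructed: TCP channel up but the SSL block empty (the handshake-problem case).
SAMPLE_STATUS_SSL_EMPTY = SAMPLE_STATUS_OK.replace("Connected : yes", "Connected : no").replace(
    "  msg: SSL channel established\n  status: success\n  timestamp: 2023/11/07 12:43:15\n",
    "  msg:\n  status:\n  timestamp:\n",
)
# Constructed mp-log ms.log lines in the article's format, plus one noise line.
SAMPLE_MS_LOG = [
    "2023-10-09 13:24:27.060 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): "
    "COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18",
    "2023-10-09 13:26:58.612 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): "
    "COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18",
    "2023-10-09 13:27:10.000 -0700 Info: unrelated line that the parser must ignore",
]
# Constructed 'show netstat numeric-hosts yes numeric-ports yes | match 3978' output.
SAMPLE_NETSTAT = "tcp 0 1 192.168.34.137:52324 35.69.247.210:3978 SYN_SENT\n"

STAGES = ("DNS", "TCP", "SSL")
# The check the article prescribes for each failing stage.
NEXT_CHECK = {
    "ENDPOINT": "No Endpoint FQDN: firewall not configured for cloud management "
                "(Device > Setup > Management > Panorama Settings).",
    "DNS": "FQDN not resolved: verify NTP and DNS under Device > Setup > Services, "
           "then 'show ntp' and traceroute to the endpoint FQDN.",
    "TCP": "TCP channel not established: look for 'cannot connect' in ms.log and "
           "SYN_SENT in 'show netstat ... | match 3978'.",
    "SSL": "TCP up but SSL empty: SSL handshake problem or a device blocking SSL; "
           "tcpdump on the management interface and check the gateway policy "
           "(service must not be application-default).",
    "OK": "All three stages succeeded.",
}
# Pasted output is often run together on one line; put each 'key:' on its own line.
_SPLIT = re.compile(r"\s+(?=(?:Endpoint|Connected|DNS|TCP|SSL|msg|status|timestamp)\s*:)")
MS_LOG_ERR = re.compile(r"COMM: cannot connect\. remote ip=(\S+) port=(\d+) err=(.+?)\((\d+)\)")


def parse_cloud_management_status(text: str) -> Dict[str, Any]:
    """Parse 'show cloud-management-status' into endpoint, connected flag and per-stage fields."""
    result: Dict[str, Any] = {"endpoint": None, "connected": None, "stages": {}}
    current = None
    for raw in _SPLIT.sub("\n", text).splitlines():
        line = raw.strip()
        if m := re.match(r"Endpoint\s*:\s*(\S+)", line):
            result["endpoint"] = m.group(1)
        elif m := re.match(r"Connected\s*:\s*(\S+)", line):
            result["connected"] = m.group(1).lower() == "yes"
        elif m := re.fullmatch(r"(DNS|TCP|SSL):", line):
            current = m.group(1)
            result["stages"][current] = {"msg": "", "status": "", "timestamp": ""}
        elif current and (m := re.match(r"(msg|status|timestamp):\s*(.*)", line)):
            result["stages"][current][m.group(1)] = m.group(2).strip()
    return result


def diagnose(status: Dict[str, Any]) -> str:
    """Return the first stage that did not succeed ('ENDPOINT', 'DNS', 'TCP', 'SSL') or 'OK'."""
    if not status["endpoint"]:
        return "ENDPOINT"
    for stage in STAGES:
        info = status["stages"].get(stage)
        if not info or info["status"] != "success":
            return stage
    return "OK"


def summarize_ms_log(lines: List[str]) -> Dict[str, int]:
    """Count ms.log 'cannot connect' errors per remote ip:port; other lines are ignored."""
    counts: Dict[str, int] = {}
    for line in lines:
        if m := MS_LOG_ERR.search(line):
            key = f"{m.group(1)}:{m.group(2)}"
            counts[key] = counts.get(key, 0) + 1
    return counts


def syn_sent_peers(netstat_text: str, port: int = 3978) -> List[str]:
    """Remote peers on the given port stuck in SYN_SENT (SYN sent, no SYN/ACK received)."""
    peers = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "tcp" and f[5] == "SYN_SENT" and f[4].endswith(f":{port}"):
            peers.append(f[4])
    return peers


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_STATUS_OK), ("ssl-empty", SAMPLE_STATUS_SSL_EMPTY)):
        stage = diagnose(parse_cloud_management_status(sample))
        print(f"{name}: {stage} -> {NEXT_CHECK[stage]}")
    print("ms.log cannot-connect errors:", summarize_ms_log(SAMPLE_MS_LOG))
    print("SYN_SENT peers on 3978:", syn_sent_peers(SAMPLE_NETSTAT))
```

Paste your own firewall's output into the constants (or read it from a file) and the script prints which stage to chase; a SYN_SENT peer on 3978 combined with repeated "cannot connect" errors to the same ip:port is the signature of the blocked-SYN/ACK case described above, while a SYN_SENT-free netstat and an empty SSL block points at the handshake case.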
Additional Information
By default, a Palo Alto Networks NGFW managed by Strata Cloud Manager uses the dedicated non-standard port 3978 to communicate with Strata Cloud Manager. Starting with PAN-OS 11.2, you can instead configure onboarding of the NGFW (managed by Strata Cloud Manager) to Strata Cloud Manager to use destination port 443 rather than port 3978. You can review the new feature here:
https://docs.paloaltonetworks.com/pan-os/11-2/pan-os-release-notes/features-introduced-in-pan-os/management-features?otp=concept-nk2_nxh_2bc#concept-nk2_nxh_2bc