如何使用 Strata Cloud Manager 解决防火墙启动和连接问题
17201
Created On 12/19/23 21:58 PM - Last Modified 10/15/25 14:58 PM
Objective
解决防火墙与 Strata Cloud Manager 之间的连接故障
Environment
- 防火墙
- Strata 云管理器
Procedure
- 首先确保您已遵循文档“加入防火墙”中的所有步骤。
- 允许Palo Alto Networks Next-Gen 防火墙 (NGFW) 与 Strata Cloud Manager 在TCP端口和完全限定域名 (FQDN)上进行通信。
- Check the output of the CLI command:
> show cloud-management-status Managed by Cloud Management Service Endpoint : cyzf2994-f01f-48f7-ab8c-d1cd4b439200.prod.us.ngfw.cloudmgmt.paloaltonetworks.com Connected : yes DNS: msg: Successfully resolved FQDN status: success timestamp: 2023/11/07 12:43:15 TCP: msg: TCP channel established status: success timestamp: 2023/11/07 12:43:15 SSL: msg: SSL channel established status: success timestamp: 2023/11/07 12:43:15
- 如果上述命令的输出中没有出现端点FQDN ,则很可能意味着您尚未将防火墙配置为由云服务管理。导航到设备 > 设置 > 管理并编辑Panorama 设置。
- If the DNS doesn't show that it successfully has resolved FQDN in the command above, verify that both ntp and dns are configured properly under 设备 > 设置 > 服务
> show ntp > traceroute host <Endpoint fqdn that is in the output of step 2 >
- If the TCP channel is not showing as established in the command above, then check the ms.log and look for message similar to below:
> less mp-log ms.log: 2023-10-09 13:24:27.060 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18 2023-10-09 13:26:58.612 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18 2023-10-09 13:29:17.876 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18 2023-10-09 13:31:37.140 -0700 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=35.69.247.210 port=3978 err=Connection timed out(110) sock=18
You can also use the output of the CLI command:> show netstat numeric-hosts yes numeric-ports yes | match 3978 tcp 0 1 192.168.34.137:52324 35.69.247.210:3978 SYN_SENT <<<<<
which indicates that the firewall is sending the SYN but there is a device in between the firewall and the Virtus server / endpoint of the Strata Cloud Manager that is blocking the SYN/ACK. Note: 35.69.247.210 is the IP address that the FQDN of the Virtus server "cyzf2994-f01f-48f7-ab8c-d1cd4b439200.prod.us.ngfw.cloudmgmt.paloaltonetworks.com" (shown in the output of the CLI command in step 2) resolves. - If TCP connection is established but the output for the SSL is empty as shown below:
TCP: msg: TCP channel established status: success timestamp: 2023/12/19 13:37:25 SSL: msg: status: timestamp:Then this most likely indicates a problem with the SSL handshake or a device blocking the SSL connection. To verify this, perform a tcpdump on the management interface with the host being the IP address to which the Endpoint FQDN resolves:> tcpdump filter "host 35.69.247.210"
Export the packet capture to an SCP server so you can check which device is resetting the connection.> scp export mgmt-pcap from mgmt.pcap to user1@192.168.222.88:/home/user1/
Also, since this traffic is identified as SSL on port 3978, make sure that your gateway FW's security policy rule, if applied to this traffic, is not configured with service "application-default". Otherwise it will not allow this traffic.
Additional Information
Palo Alto Networks NGFW(由 Strata Cloud Manager 管理)默认使用专用的非标准端口3978与 Strata Cloud Manager 进行通信。在PAN-OS 11.2中,您可以配置为使用目标端口443而不是端口 3978。您可以在此处查看新功能:
https://docs.paloaltonetworks.com/pan-os/11-2/pan-os-release-notes/features-introduced-in-pan-os/management-features?otp=concept-nk2_nxh_2bc#concept-nk2_nxh_2bc