How to troubleshoot certificate fetch failure for Cortex Data Lake (CDL)
Created On 07/29/22 17:53 PM - Last Modified 08/23/23 22:40 PM
Objective
Troubleshooting certificate fetch failure for Cortex Data Lake (CDL)
Environment
- Palo Alto Networks Firewall
- Cortex Data Lake (CDL)
Procedure
- Check that the firewall is in sync with the NTP server:
> show ntp
- Re-fetch the certificate:
  - For release 10.1 or later, fetch the device certificate with the CLI command below, where <value> is the one-time password (OTP) needed to fetch the certificate from the Customer Support Portal (CSP) server:
    > request certificate fetch otp <value>
  - For release 10.0 or earlier, fetch the Logging-service certificate. If any issue occurs during the fetch, the log file to check is ms.log. To fetch the Logging-service certificate manually when issues are seen:
    - For a firewall managed by Panorama:
      > request logging-service-forwarding certificate fetch
    - For an unmanaged firewall:
      > request logging-service-forwarding certificate fetch-noproxy pre-shared-key <value>
      Here, <value> is the pre-shared key from the Customer Support Portal (CSP).
    - If you need to delete the CDL/Logging-service certificate before re-fetching it, use:
      > request logging-service-forwarding certificate delete
- If none of the above fixes your problem, then contact our technical support team.