How to fix Error: "operation failed" when clicking on Enterprise DLP profiles and patterns from the UI

Created On 02/02/21 20:54 PM - Last Modified 09/30/21 18:58 PM


Objective


This article describes how to fix a generic "Operation Failed" error that appears when clicking on the data profiles or data patterns sections of the Enterprise DLP plugin in PAN-OS 10.0. See the attached image for a screenshot of the error.

User-added image


Environment


  • Panorama with Enterprise DLP license
  • Enterprise DLP Plugin installed
  • PAN-OS 10.0


Procedure


This error can appear when no device certificate is installed on Panorama, or potentially on the managed firewall where the DLP license is activated. Per the admin guide (see the link under Additional Information), the device certificates must be installed for the DLP plugin to work correctly. If you receive this error, check plugin_dlp.log for entries similar to the following, which indicate a missing device certificate:

 
> less mp-log plugin_dlp.log
mp        plugin_dlp.log                     2021-01-30 14:02:09   2021-01-30 14:02:09.011 +0000 INFO: [dlp_agent] Accessing DLP URL : 
https://enforcer-hawkeye.services-edge.paloaltonetworks.com:443/v1/dlp/data-patterns/
mp        plugin_dlp.log                     2021-01-30 14:02:09   2021-01-30 14:02:09.176 +0000 INFO: [dlp_agent] Get server cert success
mp        plugin_dlp.log                     2021-01-30 14:02:09   2021-01-30 14:02:09.176 +0000 INFO: [dlp_agent] Get issuer cert success
mp        plugin_dlp.log                     2021-01-30 14:02:09   2021-01-30 14:02:09.356 +0000 ERROR: [dlp_agent] Cannot load the device certificate for authentication
mp        plugin_dlp.log                     2021-01-30 14:02:09   2021-01-30 14:02:09.366 +0000 ERROR: [dlp_agent] Tenant: , Result: fail, Message: Cannot load the device
 certificate for authentication

mp        plugin_dlp.log                     2021-02-01 20:28:39   2021-02-01 20:28:39.700 +0000 ERROR: [dlp-op-cmds] Failed to retrieve device certificate: expected a character 
buffer object
mp        plugin_dlp.log                     2021-02-01 20:28:39   2021-02-01 20:28:39.700 +0000 INFO: [dlp-op-cmds] get_device_key
mp        plugin_dlp.log                     2021-02-01 20:28:39   2021-02-01 20:28:39.718 +0000 ERROR: [dlp-op-cmds] key_store():Unable to get key device_cert_private_key
mp        plugin_dlp.log                     2021-02-01 20:28:39   2021-02-01 20:28:39.718 +0000 ERROR: [dlp-op-cmds] (1, [], ['modify failed: USER\n'], 12801)
mp        plugin_dlp.log                     2021-02-01 20:28:39   2021-02-01 20:28:39.718 +0000 ERROR: [dlp-op-cmds] Device private key not found
mp        plugin_dlp.log                     2021-02-01 20:28:39   2021-02-01 20:28:39.718 +0000 ERROR: [dlp-op-cmds] Failed to retrieve device private key
mp        plugin_dlp.log                     2021-02-01 20:28:39   2021-02-01 20:28:39.719 +0000 ERROR: [dlp-op-cmds] Error in set_cert coercing to Unicode: need string or
 buffer, NoneType found 
mp        plugin_dlp.log                     2021-02-01 20:28:39   2021-02-01 20:28:39.719 +0000 ERROR: [dlp-op-cmds] Critical: Unable to set device cert and capath
 
  1. Make sure device certificates are installed on both Panorama and the managed device(s).
    1. Install the Panorama Device Certificate
  2. Once that is done, uninstall and reinstall the DLP plugin from Panorama > Plugins. After this, the error should go away.

NOTE: If you see a similar error when clicking data filtering profiles / patterns, but it mentions "DLP not provisioned for this tenant", check plugin_dlp.log for any failure connecting to the cloud server, for instance:
 
2021-02-02 15:10:36.293 +0000 INFO: [dlp-op-cmds] Accessing DLP URL : https://enforcer-hawkeye.services-edge.paloaltonetworks.com:443/v1/dlp/tenant-id-query/ngfw/0007ev30198
2021-02-02 15:10:36.504 +0000 INFO: [dlp-op-cmds] Provision tenant: response : {'message': "Unable to connect to API gateway. (35, 'OpenSSL SSL_connect: SSL_ERROR_SYSCALL
 in connection to enforcer-hawkeye.services-edge.paloaltonetworks.com:443 ')", 'result': 'fail'}
2021-02-02 15:10:36.505 +0000 ERROR: [dlp-op-cmds] Provisioning tenant failed. rc = {"message": "Unable to connect to API gateway. (35, 'OpenSSL SSL_connect: 
 SSL_ERROR_SYSCALL in connection to enforcer-hawkeye.services-edge.paloaltonetworks.com:443 ')", "result": "fail"}
2021-02-02 15:10:36.505 +0000 INFO: [dlp-op-cmds] Cannot perform operation : DLP not provisioned for this tenant
If you see any messages related to connectivity, you will need to allow this traffic for the plugin to work correctly.
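
The two failure modes above (missing device certificate versus cloud connectivity) can be told apart mechanically once plugin_dlp.log has been saved to a text file. The following is an added example, not code from Palo Alto Networks or from this article: the function names are hypothetical, the message fragments are the ones shown in the excerpts above, and it assumes the log is pasted in either of the two layouts shown, including terminal-wrapped lines.

```python
import re

# Message fragments copied from the plugin_dlp.log excerpts in this article.
SIGNATURES = {
    "missing_device_certificate": (
        "Cannot load the device certificate for authentication",
        "Failed to retrieve device certificate",
        "Device private key not found",
        "Unable to set device cert and capath",
    ),
    "cloud_connectivity": (
        "Unable to connect to API gateway",
        "DLP not provisioned for this tenant",
    ),
}
# An entry starts at the millisecond timestamp; wrapped continuation lines lack one.
ENTRY_START = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4} [A-Z]+: ")

def join_entries(text):
    """Re-join terminal-wrapped lines into one string per log entry."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_START.search(line)
        if match:
            entries.append(line[match.start():].strip())
        elif line.strip() and entries:
            entries[-1] += " " + line.strip()
    return entries

def triage(text):
    """Return {cause: [matching entries]} for the two failure modes above."""
    findings = {cause: [] for cause in SIGNATURES}
    for entry in join_entries(text):
        for cause, fragments in SIGNATURES.items():
            if any(fragment in entry for fragment in fragments):
                findings[cause].append(entry)
    return findings

# Sample input: lines taken from the excerpts above, including one wrapped entry.
SAMPLE = """\
mp        plugin_dlp.log    2021-01-30 14:02:09   2021-01-30 14:02:09.176 +0000 INFO: [dlp_agent] Get server cert success
mp        plugin_dlp.log    2021-01-30 14:02:09   2021-01-30 14:02:09.366 +0000 ERROR: [dlp_agent] Tenant: , Result: fail, Message: Cannot load the device
 certificate for authentication
2021-02-02 15:10:36.505 +0000 INFO: [dlp-op-cmds] Cannot perform operation : DLP not provisioned for this tenant
"""

if __name__ == "__main__":
    for cause, entries in triage(SAMPLE).items():
        print(f"{cause}: {len(entries)} matching entries")
        for entry in entries:
            print("   ", entry)
```

Entries under missing_device_certificate point to the certificate install and plugin reinstall steps above; entries under cloud_connectivity point to the traffic that must be allowed.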
 


Additional Information


Panorama Admin guide for 10.0
Install the Enterprise Data Loss Prevention (DLP) Plugin
https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/set-up-enterprise-data-loss-prevention/install-the-enterprise-data-loss-prevention-dlp-plugin.html

Install the Panorama Device Certificate
https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/install-the-panorama-device-certificate.html

Install the Device Certificate for a Managed Firewall
https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/install-the-device-certificate-for-managed-firewalls/install-the-device-certificate-for-a-managed-firewall.html


NOTE:
After successfully installing the Enterprise Data Loss Prevention (DLP) plugin, existing data patterns and filtering profiles are no longer displayed but can still be referenced in Security policy rules. If you have existing data filtering patterns and profiles configured that you need to edit after installing the Enterprise DLP plugin, you can once again display them in the Panorama web interface.  For more information, see https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/set-up-enterprise-data-loss-prevention/enable-existing-data-patterns-and-filtering-profiles.html#id69f948d7-53b2-4aef-a735-77da15d5b3a6


