How to fix the error "Operation Failed" when clicking Enterprise DLP profiles and patterns from the UI

Created On 02/02/21 20:54 PM - Last Modified 09/30/21 18:58 PM


Objective


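This article discusses how to fix the generic "Operation Failed" error that appears when clicking the Data Profiles or Data Patterns section of the Enterprise DLP plugin in PAN-OS 10.0. See the attached image for a screenshot of the error.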

[User-added image: screenshot of the error]


Environment


  • Panorama with an Enterprise DLP license
  • Enterprise DLP plugin installed
  • PAN-OS 10.0


Procedure


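This error message can be thrown if the device certificate is not installed on Panorama, or possibly on the managed firewall on which the DLP license is activated. Per the instructions found in the admin guide (see the links in Additional Information), the device certificate must be installed for the DLP plugin to work properly. If you receive this error, check plugin_dlp.log to see whether it contains entries similar to the following, which indicate that the device certificate is missing: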

 
mp        plugin_dlp.log                     2021-01-30 14:02:09   2021-01-30 14:02:09.011 +0000 INFO: [dlp_agent] Accessing DLP URL : https://enforcer-hawkeye.services-edge.paloaltonetworks.com:443/v1/dlp/data-patterns/
mp        plugin_dlp.log                     2021-01-30 14:02:09   2021-01-30 14:02:09.176 +0000 INFO: [dlp_agent] Get server cert success
mp        plugin_dlp.log                     2021-01-30 14:02:09   2021-01-30 14:02:09.176 +0000 INFO: [dlp_agent] Get issuer cert success
mp        plugin_dlp.log                     2021-01-30 14:02:09   2021-01-30 14:02:09.356 +0000 ERROR: [dlp_agent] Cannot load the device certificate for authentication
mp        plugin_dlp.log                     2021-01-30 14:02:09   2021-01-30 14:02:09.366 +0000 ERROR: [dlp_agent] Tenant: , Result: fail, Message: Cannot load the device certificate for authentication

mp        plugin_dlp.log                     2021-02-01 20:28:39   2021-02-01 20:28:39.700 +0000 ERROR: [dlp-op-cmds] Failed to retrieve device certificate: expected a character buffer object
mp        plugin_dlp.log                     2021-02-01 20:28:39   2021-02-01 20:28:39.700 +0000 INFO: [dlp-op-cmds] get_device_key
mp        plugin_dlp.log                     2021-02-01 20:28:39   2021-02-01 20:28:39.718 +0000 ERROR: [dlp-op-cmds] key_store():Unable to get key device_cert_private_key
mp        plugin_dlp.log                     2021-02-01 20:28:39   2021-02-01 20:28:39.718 +0000 ERROR: [dlp-op-cmds] (1, [], ['modify failed: USER\n'], 12801)
mp        plugin_dlp.log                     2021-02-01 20:28:39   2021-02-01 20:28:39.718 +0000 ERROR: [dlp-op-cmds] Device private key not found
mp        plugin_dlp.log                     2021-02-01 20:28:39   2021-02-01 20:28:39.718 +0000 ERROR: [dlp-op-cmds] Failed to retrieve device private key
mp        plugin_dlp.log                     2021-02-01 20:28:39   2021-02-01 20:28:39.719 +0000 ERROR: [dlp-op-cmds] Error in set_cert coercing to Unicode: need string or buffer, NoneType found
mp        plugin_dlp.log                     2021-02-01 20:28:39   2021-02-01 20:28:39.719 +0000 ERROR: [dlp-op-cmds] Critical: Unable to set device cert and capath


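1) Check to make sure the device certificate is installed on both Panorama and the managed devices. See Additional Information for links on how to do this.
2) Once that is done, uninstall and reinstall the DLP plugin from Panorama > Plugins. After this, the error should go away.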

NOTE - If you see a similar error when clicking Data Filtering Profiles/Patterns, but it mentions "DLP not provisioned for this tenant", check plugin_dlp.log to see whether there are any failures connecting to the cloud server. For example:
 
2021-02-02 15:10:36.293 +0000 INFO: [dlp-op-cmds] Accessing DLP URL : https://enforcer-hawkeye.services-edge.paloaltonetworks.com:443/v1/dlp/tenant-id-query/ngfw/0007ev30198
2021-02-02 15:10:36.504 +0000 INFO: [dlp-op-cmds] Provision tenant: response : {'message': "Unable to connect to API gateway. (35, 'OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to enforcer-hawkeye.services-edge.paloaltonetworks.com:443 ')", 'result': 'fail'}
2021-02-02 15:10:36.505 +0000 ERROR: [dlp-op-cmds] Provisioning tenant failed. rc = {"message": "Unable to connect to API gateway. (35, 'OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to enforcer-hawkeye.services-edge.paloaltonetworks.com:443 ')", "result": "fail"}
2021-02-02 15:10:36.505 +0000 INFO: [dlp-op-cmds] Cannot perform operation : DLP not provisioned for this tenant

If you see any connection-related messages, you will need to allow this traffic for the plugin to work properly.
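
The following Python example is added here and is not part of the original article or of any Palo Alto Networks tooling. It triages an exported copy of plugin_dlp.log for the two failure classes described above (missing device certificate, failed connection to the cloud service) and rejoins wrapped lines before matching. The function names and the sample are constructed for illustration; the message fragments are the ones quoted in the excerpts.

```python
import re
from collections import defaultdict

# A record starts at the millisecond timestamp; lines without one are wrapped text.
TS = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) ")
HOST = re.compile(r"in connection to ([\w.-]+):(\d+)")
# Message fragments copied from the plugin_dlp.log excerpts in this article.
CAUSES = {
    "device_cert_missing": ("Cannot load the device certificate",
                            "Failed to retrieve device certificate",
                            "Device private key not found",
                            "Unable to set device cert and capath"),
    "cloud_unreachable": ("Unable to connect to API gateway",),
}

def records(text):
    """Rejoin wrapped lines so a message split across lines can still match."""
    out = []
    for line in text.splitlines():
        m = TS.search(line)
        if m:
            out.append(line[m.start():].strip())
        elif line.strip() and out:
            out[-1] += " " + line.strip()
    return out

def triage(text):
    """Return ({cause: [timestamps]}, [cloud endpoints that could not be reached])."""
    hits, hosts = defaultdict(list), set()
    for rec in records(text):
        ts = TS.match(rec).group(1)
        for cause, fragments in CAUSES.items():
            if any(f in rec for f in fragments):
                hits[cause].append(ts)
        hosts.update(f"{h}:{p}" for h, p in HOST.findall(rec))
    return dict(hits), sorted(hosts)

# Sample built from lines quoted in the article, with their line wraps kept.
SAMPLE = """\
mp   plugin_dlp.log   2021-01-30 14:02:09   2021-01-30 14:02:09.176 +0000 INFO: [dlp_agent] Get server cert success
mp   plugin_dlp.log   2021-01-30 14:02:09   2021-01-30 14:02:09.366 +0000 ERROR: [dlp_agent] Tenant: , Result: fail, Message: Cannot load the device
 certificate for authentication
2021-02-02 15:10:36.504 +0000 INFO: [dlp-op-cmds] Provision tenant: response : {'message': "Unable to connect to API gateway. (35, 'OpenSSL SSL_connect: SSL_ERROR_SYSCALL
 in connection to enforcer-hawkeye.services-edge.paloaltonetworks.com:443 ')", 'result': 'fail'}
2021-02-02 15:10:36.505 +0000 INFO: [dlp-op-cmds] Cannot perform operation : DLP not provisioned for this tenant
"""

if __name__ == "__main__":
    causes, endpoints = triage(SAMPLE)
    for cause, stamps in causes.items():
        print(f"{cause}: {len(stamps)} hit(s), first at {stamps[0]}")
    for ep in endpoints:
        print(f"allow traffic to {ep}")
```

A `device_cert_missing` hit points to steps 1 and 2 of the procedure; a `cloud_unreachable` hit lists the endpoint whose traffic needs to be allowed.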
 


Additional Information


Panorama 10.0
Admin Guide: Install the Enterprise Data Loss Prevention (DLP) Plugin
https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/set-up-enterprise-data-loss-prevention/install-the-enterprise-data-loss-prevention-dlp-plugin.html

Install the Panorama Device Certificate
panorama https://docs.paloaltonetworks.com//10-0/ panorama -管理员 panorama /设置/安装 panorama 设备-设备证书.html

Install the Device Certificate for Managed Firewalls
https://docs.paloaltonetworks.com//10 panorama - panorama 管理/管理防火墙/安装设备证书管理防火墙/安装设备证书管理 firewall .html


NOTE
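After the Enterprise Data Loss Prevention (DLP) plugin is successfully installed, existing data patterns and filtering profiles are no longer displayed, but they can still be referenced in Security policy rules. If you need to edit existing data filtering patterns and profiles after installing the Enterprise DLP plugin, you can display them again in the Panorama web interface. For more information, see panorama https://docs.paloaltonetworks.com//10-0/- panorama 管理员/管理防火墙/设置企业数据损失预防/启用现有数据模式和过滤配置文件.html#id69f948d7-53b2-4aef-a735-77da15d5b3a6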


