Adding certificates for PAN-OS Integrated User-ID Agent WinRM over HTTPS connection may cause Terminal Server Agent connections to fail.

Created On 01/05/23 16:16 PM - Last Modified 01/05/23 16:54 PM


Symptom



Adding the required certificates for the PAN-OS Integrated User-ID agent's WinRM over HTTPS transport causes Terminal Server agent connections to fail, resulting in an outage, if the Terminal Server agents are not using certificates signed by a CA included in the certificate profile.

The User-ID logs on the firewall show the following error:

2022-09-30 10:55:45.339 -0700 Error:  pan_ssl_conn_open(pan_ssl_utils.c:843): Error: Failed to Connect to 10.x.x.x(source: 10.y.y.y), SSL error: error:00000000:lib(0):func(0):reason(0)(0)

In the error log it shows two IP addresses. The first IP address (in the example above 10.x.x.x) is the Terminal Server agent’s IP address. The second IP address (in the example above 10.y.y.y) is the firewall’s IP address.



Environment



Firewall/Panorama running PAN-OS 10.0 or later
PAN-OS Integrated User-ID Agent
Terminal Server Agent



Cause



Starting from PAN-OS 10.0, customers have the ability to add certificates for secure communication between firewalls and agents. However, the certificate profile on the firewall is shared between the User-ID agent and the Terminal Server agent.

So, when you add certificates for the PAN-OS Integrated User-ID Agent WinRM over HTTPS connection, the same certificate profile is also applied to the connection with the Terminal Server Agent, and that connection fails if the Terminal Server agent's certificate cannot be verified against the CAs in the profile.



Resolution


 
  1. Due to the expected behavior of User-ID agent and Terminal Server agent sharing a certificate profile, one way to prevent this from happening is to have the Terminal Server agent certificate signed by the same root CA cert specified in the cert profile on the firewall.
    1. See step 4 (optional) in the documentation: Configure the Palo Alto Networks Terminal Server (TS) Agent for User Mapping
  2. Switch the User-ID agent to use WinRM over HTTP. This method does not require the use of a certificate and therefore does not require a certificate profile.
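As an added pre-check for option 1 (example script, not Palo Alto Networks' own tooling): before applying the certificate profile, confirm on any host with OpenSSL that each Terminal Server agent certificate chains to a CA in that profile, so the outage described under Symptom is caught ahead of time. The file names, and the assumption that the profile's CA certificates have been exported to a single PEM bundle, are mine.

```shell
#!/bin/sh
# Verify that a Terminal Server agent certificate chains to a CA held in
# the firewall's certificate profile. Added example, not PAN-OS code.
#
# Usage: ts_agent_cert_check <profile-ca-bundle.pem> <ts-agent-cert.pem>
# Returns 0 when the agent certificate verifies, 1 when it does not.
ts_agent_cert_check() {
    ca_bundle="$1"    # assumption: PEM bundle of the CAs in the cert profile
    agent_cert="$2"   # assumption: PEM certificate presented by the TS agent

    # -no-CApath/-no-CAfile keep the system trust store out of the check, so
    # the result reflects only the CAs the firewall profile will actually use.
    if openssl verify -no-CApath -no-CAfile -CAfile "$ca_bundle" "$agent_cert" >/dev/null 2>&1; then
        echo "OK: $(openssl x509 -in "$agent_cert" -noout -subject) chains to a profile CA"
        return 0
    fi

    echo "FAIL: Terminal Server agent certificate does not chain to a CA in the profile."
    echo "      Applying the profile would break this agent's connection (see Cause)."
    echo "      $(openssl x509 -in "$agent_cert" -noout -issuer)"
    return 1
}
```

Run it once per Terminal Server agent certificate; any FAIL means either re-issue that agent's certificate from the profile's CA (option 1) or use WinRM over HTTP (option 2) before changing the profile.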

