Failure of Secure communication between Firewall and Log Collector when custom certificate is used
23143
Created On 01/19/23 14:25 PM - Last Modified 02/03/23 03:58 AM
Symptom
- The firewall cannot establish a connection with the Log Collector and is therefore unable to forward logs.
- In the GUI, Panorama > Managed Collectors > (select the Log Collector) > Communication > Secure Server Communication has "Custom Certificate Only" enabled.
Environment
- Panorama managing the Log collector.
- PAN-OS 9.1 and above
- External Log collector is configured on Panorama.
- Custom certificate used on Panorama.
Cause
Because "Custom Certificate Only" is enabled, the Log Collector accepts only custom certificates for authentication with managed firewalls and other Log Collectors. A firewall that has not been configured with a custom certificate for Log Collector communication cannot complete the SSL handshake and is rejected.
Resolution
- Enable secure communication with the Log Collector on the firewall.
- This is configured in the GUI under Device > Setup > Management > Secure Communication Settings > Custom Certificate Settings > Customize Communication.
- Commit the configuration.
Additional Information
- On the firewall, the logrcvr log (less mp-log logrcvr.log) shows that the firewall cannot load its certificate to exchange with the Log Collector and therefore cannot form the SSL channel; the connection is then retried:
+0800 connecting to remote address x.x.x.x @ fd 153
+0800 Error: cs_load_certs_ex(cs_common.c:655): keyfile not exists
+0800 SSL connect retry. sock=153 retry=3 sslretry=0 sslerr=2. <<<<<<<<
+0800 SSL connect retry. sock=153 retry=3 sslretry=1 sslerr=1. <<<<<<<<
- A packet capture shows that the Log Collector responds to the firewall's Client Hello with a fatal TLS alert, Unrecognized Name (112):
x.x.x.x m.m.m.m 3978 56322 Alert (Level: Fatal, Description: Unrecognized Name)
Transport Layer Security
>TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unrecognized Name)
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 2
>Alert Message
Level: Fatal (2)
Description: Unrecognized Name (112)
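To make the two indicators above (the "keyfile not exists" error with SSL retries in logrcvr.log, and the fatal unrecognized_name alert in the capture) easy to check during triage, the following added example parses both. It is not Palo Alto Networks code; the log lines and the TLS record bytes are constructed to match the formats shown in this article, and the timestamp prefix and the 10.0.0.5 address are assumed.

```python
"""Triage helpers for the firewall-to-Log-Collector custom-certificate failure.

Added example, not Palo Alto Networks code. Sample data is constructed to
match the logrcvr.log lines and the TLS alert shown in the article.
"""
import re

# Constructed sample lines in the shape of mp-log logrcvr.log on the firewall
# (the timestamp prefix and the Log Collector address are assumptions).
SAMPLE_LOGRCVR_LOG = """\
2023-01-19 14:25:01.000 +0800 connecting to remote address 10.0.0.5 @ fd 153
2023-01-19 14:25:01.010 +0800 Error: cs_load_certs_ex(cs_common.c:655): keyfile not exists
2023-01-19 14:25:02.000 +0800 SSL connect retry. sock=153 retry=3 sslretry=0 sslerr=2.
2023-01-19 14:25:03.000 +0800 SSL connect retry. sock=153 retry=3 sslretry=1 sslerr=1.
"""

# The certificate-load failure: the firewall has no custom key/cert to present.
CERT_ERR = re.compile(r"cs_load_certs_ex\([^)]*\): keyfile not exists")
# The resulting handshake retries; capture the counters for reporting.
SSL_RETRY = re.compile(
    r"SSL connect retry\. sock=(\d+) retry=(\d+) sslretry=(\d+) sslerr=(\d+)"
)


def triage_logrcvr(text):
    """Scan logrcvr.log text for the two indicators of this failure.

    Returns a dict with whether the custom certificate keyfile was missing and
    a list of (sock, retry, sslretry, sslerr) tuples, one per retry line.
    """
    missing_key = False
    retries = []
    for line in text.splitlines():
        if CERT_ERR.search(line):
            missing_key = True
        m = SSL_RETRY.search(line)
        if m:
            retries.append(tuple(int(g) for g in m.groups()))
    return {"custom_cert_keyfile_missing": missing_key, "ssl_retries": retries}


# TLS record-layer and alert constants (RFC 5246 section 7.2; 112 is
# unrecognized_name from RFC 6066).  Only a subset is listed here.
CONTENT_TYPE_ALERT = 21
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "Warning", 2: "Fatal"}
ALERT_DESCRIPTIONS = {
    0: "Close Notify",
    40: "Handshake Failure",
    42: "Bad Certificate",
    48: "Unknown CA",
    112: "Unrecognized Name",
}

# Constructed record matching the capture above: content type 21 (Alert),
# version 0x0303 (TLS 1.2), length 2, level 2 (Fatal), description 112 (0x70).
SAMPLE_ALERT_RECORD = bytes.fromhex("15 03 03 00 02 02 70")


def parse_tls_alert(record):
    """Decode one TLS Alert record into the fields a dissector would show.

    Raises ValueError for anything that is not a well-formed 2-byte alert.
    """
    if len(record) < 5:
        raise ValueError("record shorter than the 5-byte TLS record header")
    content_type = record[0]
    version = (record[1], record[2])
    length = int.from_bytes(record[3:5], "big")
    if content_type != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an Alert record (content type {content_type})")
    if length != 2 or len(record) < 5 + length:
        raise ValueError(f"malformed alert body (declared length {length})")
    level, description = record[5], record[6]
    return {
        "version": TLS_VERSIONS.get(version, f"unknown {version}"),
        "length": length,
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(description, f"unknown({description})"),
    }


def matches_custom_cert_mismatch(log_text, alert_record):
    """True when both indicators from the article are present together:
    the firewall could not load a custom certificate, and the Log Collector
    answered the handshake with a fatal unrecognized_name alert."""
    log = triage_logrcvr(log_text)
    alert = parse_tls_alert(alert_record)
    return (
        log["custom_cert_keyfile_missing"]
        and bool(log["ssl_retries"])
        and alert["level"] == "Fatal"
        and alert["description"] == "Unrecognized Name"
    )


if __name__ == "__main__":
    print(triage_logrcvr(SAMPLE_LOGRCVR_LOG))
    print(parse_tls_alert(SAMPLE_ALERT_RECORD))
    print("custom-cert mismatch:", matches_custom_cert_mismatch(SAMPLE_LOGRCVR_LOG, SAMPLE_ALERT_RECORD))
```

The alert decoder only accepts the 2-byte alert body so that a truncated or non-alert record fails loudly instead of being misreported; when the firewall has been given a custom certificate and the commit has completed, the "keyfile not exists" line disappears and the combined check returns False.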