WINRM-HTTP Server Monitoring status shows "Authentication failed" when using DNS proxy object for the management interface

Created On 04/11/23 20:24 PM - Last Modified 04/22/24 06:01 AM


Symptom


  •  "connection failed" messages are seen in useridd.log (less mp-log useridd.log)
Error:  pan_user_id_winrm_query(pan_user_id_win.c:2751): failed to connect to winrm server <server_name>
Error:  pan_user_id_winrm_query(pan_user_id_win.c:2795): Connection failed. response code = 401, error: (null) in vsys 1, server=<server_name>.
  • Similar "connection failed" messages are also in system.log (show log system)
high     userid    connect 0  Server monitor proddc01-ushyc(vsys1): connection failed, HTTP code 401, (null)
high     userid    connect 0  Server monitor proddc01-ushyc(vsys1): connection failed, HTTP code 401, (null)
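
To find which monitored servers show this symptom, the two message formats quoted above can be matched and grouped per server. This is an added example, not Palo Alto Networks code; the function name and the sample hostnames are assumptions, and the sample lines are constructed from the formats shown in this article.

```python
import re
from collections import defaultdict

# Patterns follow the two message formats quoted in the article.
USERIDD_RE = re.compile(
    r"pan_user_id_winrm_query\([^)]*\): Connection failed\. "
    r"response code = (?P<code>\d+),.*? in vsys (?P<vsys>\d+), "
    r"server=(?P<server>\S+)"
)
SYSTEM_RE = re.compile(
    r"Server monitor (?P<server>\S+?)\(vsys(?P<vsys>\d+)\): "
    r"connection failed, HTTP code (?P<code>\d+)"
)

def winrm_auth_failures(lines):
    """Count HTTP 401 WinRM monitor failures per (server, vsys) and log source."""
    hits = defaultdict(lambda: {"useridd": 0, "system": 0})
    for line in lines:
        for source, pattern in (("useridd", USERIDD_RE), ("system", SYSTEM_RE)):
            m = pattern.search(line)
            if m and m.group("code") == "401":
                # useridd.log ends the server name with a sentence period
                server = m.group("server").rstrip(".")
                hits[(server, int(m.group("vsys")))][source] += 1
    return {key: dict(counts) for key, counts in hits.items()}

# Constructed sample lines (hostnames are placeholders, not from the article).
SAMPLE = [
    "Error:  pan_user_id_winrm_query(pan_user_id_win.c:2751): "
    "failed to connect to winrm server dc01.example.com",
    "Error:  pan_user_id_winrm_query(pan_user_id_win.c:2795): Connection failed. "
    "response code = 401, error: (null) in vsys 1, server=dc01.example.com.",
    "high     userid    connect 0  Server monitor dc01.example.com(vsys1): "
    "connection failed, HTTP code 401, (null)",
    "high     userid    connect 0  Server monitor dc02.example.com(vsys1): "
    "connection failed, HTTP code 503, (null)",
]

if __name__ == "__main__":
    for (server, vsys), counts in winrm_auth_failures(SAMPLE).items():
        print(f"{server} vsys{vsys}: 401 x{counts['useridd']} in useridd.log, "
              f"x{counts['system']} in system.log; if the management interface "
              "uses a DNS proxy object, move this monitor to WinRM-HTTPS")
```

A 401 on its own does not identify the cause; the output only lists the monitors to compare against the management interface DNS settings.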


 


Environment




Cause


  • Server Monitoring using WinRM-HTTP is not supported with DNS Proxy.
  • With HTTP, we use Kerberos for security reasons, and the library implementing the protocol performs the DNS resolution internally, so we cannot redirect it to DNS Proxy.


Resolution


  1. If DNS proxy is required, configure WinRM-HTTPS instead.
  2. Refer to How to Configure WinRM over HTTPS with Basic Authentication and Configure Server Monitoring Using WinRM.


Additional Information


  • The reason for the limitation is that, because HTTP is not encrypted, we use Kerberos to protect the content of messages over the network.
  • The Server Monitoring WinRM feature in PAN-OS is implemented using the openwsman open source library (https://openwsman.github.io/).
  • To perform the DNS resolution for the Kerberos server, openwsman uses the libcurl library (https://curl.se/libcurl/) and does not allow customizing how the DNS resolution is performed.

