Troubleshooting WildFire Registration Issues

Created On 06/14/21 01:46 AM - Last Modified 11/28/23 11:24 AM


Symptom


A successful registration is required before a WildFire appliance or firewall can forward files to the WildFire Cloud. When WildFire registration fails, the CLI command show wildfire status shows "Device registered: No". This article explains how to troubleshoot WildFire registration issues.


Here is sample output for a successful registration:
admin@PA-220> show wildfire status channel public

Connection info:
  Signature verification:        enable
  Server selection:              enable
  File cache:                    enable

WildFire Public Cloud:
  Server address:                wildfire.paloaltonetworks.com
  Status:                        Idle
  Best server:                   panos.wildfire.paloaltonetworks.com
  Device registered:             yes
  Through a proxy:               no
  Valid wildfire license:        yes
  Service route IP address:      172.28.172.1


Here is sample output for a failed registration (note the empty Best server field and the missing Status line):
admin@PA-220> show wildfire status channel public

Connection info:
  Signature verification:        enable
  Server selection:              enable
  File cache:                    enable

WildFire Public Cloud:
  Server address:                wildfire.paloaltonetworks.com
  Best server:                   
  Device registered:             no
  Through a proxy:               no
  Valid wildfire license:        yes
  Service route IP address:      172.28.172.1


Cause


WildFire registration can fail for several different reasons. Please refer to the Resolution section and the Additional Information section below.
 


Resolution


General Troubleshooting approach:

The general troubleshooting approach is listed below; each step is explained in detail later in this article.
  1. Run the show wildfire status command to check the registration status.
  2. Check the configuration.
  3. Run the show system info command to check the PAN-OS version and the Content version.
  4. Install the latest Content version manually.
  5. Run the request wildfire registration command.
  6. Check varrcvr.log (less mp-log varrcvr.log). The log file is included in the tech support file.
  7. Check the system log (show log system direction equal backward). The log file is included in the tech support file.
  8. Collect the varrcvr debug log.
  9. Collect a packet capture on the interface that handles Palo Alto Networks Services. This is usually the management interface, unless a service route is configured to use a data interface.
  

Status List (status value shown by show wildfire status, with notes where applicable):
  • Status: Registering
  • Status: Idle
  • Status: Probing
  • Status: Querying
  • Status: Forwarding file
  • Status: Disabled due to configuration. See https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbmCAC
  • Status: SSL/TLS handshake failure. The "debug wildfire server-selection disable" command may resolve this issue.
  • Status: Unable to authenticate remote CA certificate
  • Status: Unable to resolve host. DNS issue.
  • Status: Server busy or error. Retry later. One of the causes is a device certificate renewal (see below).
  • Status: Connection failed
  • Status: Connection timed out. The connection times out after 60 seconds; this may be an MTU issue.
  • Status: Disabled by cloud server
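When the status has to be checked across many firewalls, the output above is easy to parse and map onto the status list. The following is an added example (not part of this article or of PAN-OS) that extracts the indented "key: value" fields of show wildfire status, handles the three shapes the article shows (a Status line, a Global status line, or no status line at all in one failed case), and attaches the article's troubleshooting note for the reported status. The sample output is constructed from the failed-registration output shown above.

```python
import re

# Troubleshooting notes keyed by the exact status strings listed in this article.
STATUS_HINTS = {
    "Disabled due to configuration": "check commit jobs (show jobs all) and try commit force",
    "SSL/TLS handshake failure": "try 'debug wildfire server-selection disable'",
    "Unable to resolve host": "DNS issue: check DNS settings, run 'ping host wildfire.paloaltonetworks.com'",
    "Server busy or error. Retry later.": "possible device certificate renewal problem; check the system log",
    "Connection timed out": "60 s timeout; check MTU / Jumbo frame on the egress interface",
}

# Constructed sample, modelled on the failed output in this article (status line added for the demo).
SAMPLE_FAILED = """\
Connection info:
  Signature verification:        enable
  Server selection:              enable
  File cache:                    enable

WildFire Public Cloud:
  Server address:                wildfire.paloaltonetworks.com
  Best server:
  Device registered:             no
  Through a proxy:               no
  Valid wildfire license:        yes
  Service route IP address:      172.28.172.1
  Global status:                 Connection timed out
"""

# Indented "Key name:   value" lines; section headers at column 0 are deliberately skipped.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z /]*?):\s*(.*)$")

def parse_wildfire_status(text):
    """Return the indented key/value fields as a dict with lowercased keys.
    An empty 'Best server:' becomes an empty string rather than being dropped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def triage(text):
    """Classify registration state and add the article's note for the reported status."""
    f = parse_wildfire_status(text)
    registered = f.get("device registered", "").lower() == "yes"
    status = f.get("global status") or f.get("status") or ""
    if registered:
        verdict = "registered"
    elif not status:
        verdict = "not registered, no status reported: run 'request wildfire registration' and check varrcvr.log"
    else:
        hint = STATUS_HINTS.get(status)
        verdict = f"not registered: {status}" + (f" -> {hint}" if hint else "")
    return {"registered": registered, "status": status, "best_server": f.get("best server", ""), "verdict": verdict}
```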

 


Check configuration:

  • If the show wildfire status command shows Status: Disabled due to configuration, please refer to the article linked in the status list above. It could also be a configuration commit issue: check the job status by running the show jobs all command and try commit force.
  • If the show wildfire status command shows Status: Unable to resolve host, please check the DNS settings. Look for Failed to resolve host wildfire.paloaltonetworks.com in the system log. On the CLI, run the ping host wildfire.paloaltonetworks.com command to see whether name resolution works. If name resolution works, an IP address is displayed in the output. (The ping itself fails because the WildFire clouds are configured not to respond to ICMP requests.)
admin@PA-200> ping host wildfire.paloaltonetworks.com
PING wildfire.paloaltonetworks.com (35.247.145.234) 56(84) bytes of data.
  • If a service route is configured and a data interface is used to communicate with the WildFire cloud, check whether Jumbo frames are enabled on the firewall. WildFire registration may fail with a Status: Connection timed out error if Jumbo frames are enabled. The workaround is to change the MTU value of the interface to less than 1500.
  • Also, if a data interface is used with a service route, make sure that the application "paloalto-wildfire-cloud" is allowed by the security policy on the firewall. SSL Decryption must not be applied to this traffic. This can be verified by checking the Traffic log.
  • Even without a service route or Jumbo frames, WildFire registration can fail with a Status: Connection timed out error because of the MTU size if any upstream device has an MTU limitation. The workaround is to change the MTU value of the interface to a smaller size.
  • On PA-7000 Series firewalls, a log card interface performs WildFire file forwarding, and it requires DNS support.


Collecting varrcvr debug log:
1. Enable debug
> debug vardata-receiver on debug
> debug vardata-receiver set third-party libcurl

2. Trigger registration
> show clock
> request wildfire registration

3. Verify the status
> show wildfire status

4. Disable debug (the show clock output brackets the time window to look at in the log)
> show clock
> debug vardata-receiver on normal
> debug vardata-receiver unset third-party libcurl

The debug log is included in the tech support file.
 


Additional Information


  • WildFire registration succeeds even if there is no valid WildFire license. With the basic WildFire service, the firewall can forward portable executable (PE) files for WildFire analysis. Details can be found in the following article.
 
  • The "Service route IP address" field in the show wildfire status output does not necessarily mean that a service route is used for the WildFire service. If the management port is used, the management IP address is displayed in that field.
 
  • WildFire registration does not take place on the passive HA peer. Please refer to the following article for details.
TESTING WILDFIRE REGISTRATION FAILS IMMEDIATELY ON PASSIVE HA PEER
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgLCAS
 
  • There are cases where the WildFire registration issue begins right after the device certificate is renewed. Here is an example from the system log (newest entry first).
2022/02/XX XX:26:26 high     wildfir        wildfir 0  WildFire registration failed.Authentication or Client Certificate failure.
2022/02/XX XX:25:26 info     general        general 0  Successfully renewed device certificate
2022/02/XX XX:25:24 info     general        general 0  Device certificate expires in 15 or less days

In this case the show wildfire status command shows "Server busy or error. Retry later.":
> show wildfire status

Connection info: 
  Signature verification:        enable
  Server selection:              enable
  File cache:                    enable

WildFire Public Cloud:
  Server address:                wildfire.paloaltonetworks.com
  Best server:                   
  Device registered:             no
  Through a proxy:               no
  Valid wildfire license:        yes
  Service route IP address:      10.1.0.248
  Best server update interval:   504 minutes.
  Global status:                 Server busy or error. Retry later.
...
This issue with the device certificate was resolved in September 2022 on all WildFire clouds by installing a certificate chain.
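The three log lines above are a recognisable pattern: a device certificate renewal followed within about a minute by a WildFire registration failure reporting a client certificate problem. The following added example (not part of this article or of PAN-OS) correlates those events in show log system output so the cause can be spotted without reading the log by hand. The sample log is constructed in the layout shown above; the timestamps are made up, since the article masks them, and the window of 10 minutes is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample in the 'show log system' layout shown in this article,
# newest entry first as 'direction equal backward' prints it. Timestamps are made up.
SAMPLE_SYSLOG = """\
2022/02/10 09:26:26 high     wildfir        wildfir 0  WildFire registration failed.Authentication or Client Certificate failure.
2022/02/10 09:25:26 info     general        general 0  Successfully renewed device certificate
2022/02/10 09:25:24 info     general        general 0  Device certificate expires in 15 or less days
2022/02/09 03:00:00 info     general        general 0  Successfully renewed device certificate
"""

RENEWED = "Successfully renewed device certificate"
REG_FAILED = "WildFire registration failed"
CERT_FAILURE = "Client Certificate failure"

def parse_syslog_time(line):
    """The timestamp is the first 19 characters of each line: YYYY/MM/DD HH:MM:SS."""
    return datetime.strptime(line[:19], "%Y/%m/%d %H:%M:%S")

def find_cert_renewal_regressions(log_text, window=timedelta(minutes=10)):
    """Pair each device-certificate renewal with a WildFire client-certificate registration
    failure that follows it within `window`. Returns a list of (renewed_at, failed_at).
    The log is sorted oldest-first so the newest-first CLI ordering does not matter."""
    events = sorted(
        (parse_syslog_time(line), line) for line in log_text.splitlines() if line.strip()
    )
    renewals = [t for t, line in events if RENEWED in line]
    failures = [t for t, line in events if REG_FAILED in line and CERT_FAILURE in line]
    hits = []
    for renewed_at in renewals:
        for failed_at in failures:
            if renewed_at <= failed_at <= renewed_at + window:
                hits.append((renewed_at, failed_at))
    return hits
```

A renewal with no matching failure (the 2022/02/09 entry in the sample) is not reported, so only the problematic renewal is flagged.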
 

