GUI not working after upgrade of the the firewall to 11.0.0.
43119
Created On 12/21/22 01:01 AM - Last Modified 01/05/23 03:59 AM
Symptom
- PAN-OS upgraded on the firewall to 11.0.0
- GUI connectivity does not work.
- GlobalProtect Portal configured on the Firewall does not work either
- Accessing the portal URL using Web browser displays "ERR_SSL_KEY_USAGE_INCOMPATIBLE"
Environment
- Palo Alto Firewall Upgrade PAN-OS 11.0.0.
- SSL-TLS profile configured for Web Access.
- GlobalProtect Portal configured
Cause
- When SSL/TLS service profile, protocol setting's max version is set to max.
- The client machine using TLSv1.2 fails to negotiate with the server which is responding at TLSv1.3.
- The issue is seen when configured SSL-TLS profile is used either in the GlobalProtect configuration or for management Web Access.
Resolution
- Set the TLS max version to 1.2 using CLI
> set shared ssl-tls-service-profile <SSL policy> protocol-settings max-version TLSv1.2
> configure
# commit
# exit
Or If one has access to GUI, Use
- Device > certificate management > SSL/TLS service profile
- Use the dropdown to set e protocol settings to the TLSv1.2:
Additional Information
4 Jan 22 (Vijay) - Article updated with Adnan and published external.