Unable to onboard Bundle 1 or Bundle 2 PAVM pay as you go (PAYG) firewalls to CDL.

Unable to onboard Bundle 1 or Bundle 2 PAVM pay as you go (PAYG) firewalls to CDL.

5070
Created On 07/06/22 21:21 PM - Last Modified 09/09/24 20:39 PM


Symptom


  • VM Firewall has the Logging license installed in "request license info"
admin@PA-VM> request license info
......
License entry:
Feature: PA-VM
Description: Standard VM-300
Authcode: 
Expires: Never
Expired?: no

License entry:
Feature: Logging Service
Description: Device Logging Service
Authcode: 
Expires: June 02, 2041
Expired?: no
Base license: PA-VM
Log Storage TB: 1
  • Logging service reports no license, and fails certificate fetch - requiring license: 
admin@PA-VM> request logging-service-forwarding status 
Logging Service Licensed: No 

admin@PA-VM > request logging-service-forwarding certificate fetch 
Server error : Logging Service License not installed. 
Install the license before fetching a certificate.
  •  Required SDB flag "cfg.lcaas-license" is missing; or reports as "None"
admin@PA-VM> show system state | match cfg cfg.lcaas

cfg.lcaas-connection-count: 5
cfg.lcaas-enabled: False
cfg.lcaas-orch-server-domain: ....paloaltonetworks.com
cfg.lcaas-orch-server-port: 444
cfg.lcaas-trial: False


Environment


  • PA-VM firewalls
  • PAN-OS 9.1 + 
  • Cortex Data Lake (CDL)
  • Bring Your Own License (BYOL)

Cause


The fetched license is not installed.

Resolution


  1. Login to Customer Support Portal.
  2. Download the "Cortex Data lake" License.
    • Click on Assets under Products.
    • Search for the serial number of PA-VM with the CDL License.
    • Use the down arrow button to expand the license information of the asset.
    • Download the license under "Actions" column.
  3. Open file in a text editor and copy contents.
  4. Login to Firewall CLI.
> request license install [press enter]
(paste the information from a downloaded key)

[Press enter twice]
  • Note: Ensure the PAYG firewall is registered in the  CSP. Licenses are updated on the backend. You can not update PAYG FW with an Authcode. 

Additional Information


  • CDL is available for both BYOL and PAYG 9.1 and higher.
  • For both AWS and Microsoft Azure, the licensing options are bring your own license (BYOL) and pay as you go/consumption-based (PAYG) subscriptions.
    • BYOL: Any one of the VM-Series models, along with the associated Subscriptions and Support, are purchased via normal Palo Alto Networks channels and then deployed through your AWS or Azure management console.
    • PAYG: Purchase the VM-Series and select Subscriptions and Premium Support as an hourly subscription bundle from the AWS Marketplace.
 

 

 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wks0CAA&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language