Panorama syslog forwarding fails because of OCSP and CRL validation

Created On 09/13/22 21:55 PM - Last Modified 03/02/23 05:28 AM


Symptom


Syslog forwarding over TCP stops because the SSL handshake fails.

Environment


  • Panorama
  • PAN-OS 10.1.7 or later
  • Palo Alto Networks firewall
  • Syslog server configured with SSL transport


Cause


  • The Online Certificate Status Protocol (OCSP) is used to check the revocation status of X.509 digital certificates issued by a certificate authority.
  • On a Palo Alto Networks firewall or Panorama, the syslog server profile can be configured with SSL as the transport; for SSL, port 6514 is used by default.
  • If the certificate does not include an OCSP URI, the firewall can skip these certificate checks and establish the TLS connection to the syslog server.


Resolution


Run the following CLI command to skip OCSP, CRL and EKU validation:
> set syslogng ssl-conn-validation explicit OCSP skip CRL skip EKU skip
Note: this command applies to PAN-OS 10.1.7 and later. Although the CLI command is visible in 10.1.5 and 10.1.6, it only takes effect on 10.1.7 or later.


Additional Information


The syslog-ng.log file contains the following errors:
syslog-ng[50723]: syslog-ng no OCSP URI in cert; 
syslog-ng[50723]: syslog-ng ocsp over-riding errors due to global-flag;
syslog-ng[50723]: syslog-ng no CRL distribution points;
syslog-ng[50723]: issuer extended key-usage does not have OCSP signing; ihash='/opt/pancfg/mgmt/syslogng/ca.d/d6325660.0'
syslog-ng[50723]: Error connecting BIO;
syslog-ng[50723]: Error querying OCSP responsder;
syslog-ng[50723]: ocsp request failed; idx='0'
syslog-ng[50723]: syslog-ng ocsp over-riding errors due to global-flag;
syslog-ng[50723]: syslog-ng - converted CRL from DER to PEM;
syslog-ng[50723]: syslog-ng certificate is revoked; idx='0'
syslog-ng[50723]: syslog-ng CRL suppressing errors due to global settings;
syslog-ng[50723]: unable to load issuer cert; ihash='/opt/pancfg/mgmt/syslogng/ca.d/c43a77d9.0'
syslog-ng[50978]: syslog-ng starting up; version='3.29.1'
syslog-ng[50978]: SSL error while writing stream; tls_error='SSL routines:SSL3_WRITE_BYTES:ssl handshake failure', location='/opt/pancfg/mgmt/syslogng/pan_sysng.cfg:59:3'
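The log excerpt above mixes two different kinds of message: lines that say the chain simply carries no usable revocation information (no OCSP URI, no CRL distribution points, issuer EKU without OCSP signing, responder unreachable) and lines that report a genuine trust problem ("certificate is revoked", "unable to load issuer cert"). The skip command in the Resolution silences both. The script below is an added example, not Palo Alto Networks code, that reads a syslog-ng.log excerpt and separates the two classes so an operator can see whether skipping OCSP/CRL/EKU would merely work around missing revocation data or would hide a revoked or untrusted certificate. It uses only the Python standard library; the finding names and the sample input (the article's own log lines, embedded as a constructed string) are this example's assumptions.

```python
import re
from collections import Counter

# Constructed sample input: the syslog-ng.log excerpt from the article.
SAMPLE_LOG = """\
syslog-ng[50723]: syslog-ng no OCSP URI in cert;
syslog-ng[50723]: syslog-ng ocsp over-riding errors due to global-flag;
syslog-ng[50723]: syslog-ng no CRL distribution points;
syslog-ng[50723]: issuer extended key-usage does not have OCSP signing; ihash='/opt/pancfg/mgmt/syslogng/ca.d/d6325660.0'
syslog-ng[50723]: Error connecting BIO;
syslog-ng[50723]: Error querying OCSP responsder;
syslog-ng[50723]: ocsp request failed; idx='0'
syslog-ng[50723]: syslog-ng ocsp over-riding errors due to global-flag;
syslog-ng[50723]: syslog-ng - converted CRL from DER to PEM;
syslog-ng[50723]: syslog-ng certificate is revoked; idx='0'
syslog-ng[50723]: syslog-ng CRL suppressing errors due to global settings;
syslog-ng[50723]: unable to load issuer cert; ihash='/opt/pancfg/mgmt/syslogng/ca.d/c43a77d9.0'
syslog-ng[50978]: syslog-ng starting up; version='3.29.1'
syslog-ng[50978]: SSL error while writing stream; tls_error='SSL routines:SSL3_WRITE_BYTES:ssl handshake failure', location='/opt/pancfg/mgmt/syslogng/pan_sysng.cfg:59:3'
"""

# Message fragments taken from the article's log, mapped to finding names
# chosen for this example. Every line is checked against every pattern.
PATTERNS = {
    "no_ocsp_uri": re.compile(r"no OCSP URI in cert"),
    "no_crl_distribution_points": re.compile(r"no CRL distribution points"),
    "issuer_eku_lacks_ocsp_signing": re.compile(r"extended key-usage does not have OCSP signing"),
    # "respon" deliberately matches the misspelled "responsder" in the log
    "ocsp_responder_unreachable": re.compile(r"Error connecting BIO|Error querying OCSP respon|ocsp request failed"),
    "certificate_revoked": re.compile(r"certificate is revoked"),
    "issuer_cert_not_loaded": re.compile(r"unable to load issuer cert"),
    "validation_error_overridden": re.compile(r"over-riding errors due to global-flag|suppressing errors due to global settings"),
    "tls_handshake_failure": re.compile(r"ssl handshake failure"),
}

# Findings the article's skip command is meant to work around (no revocation
# data to check) versus findings it would hide rather than fix.
MISSING_REVOCATION_INFO = {
    "no_ocsp_uri",
    "no_crl_distribution_points",
    "issuer_eku_lacks_ocsp_signing",
    "ocsp_responder_unreachable",
}
TRUST_FAILURES = {"certificate_revoked", "issuer_cert_not_loaded"}


def classify_lines(text: str) -> Counter:
    """Count how many log lines match each finding."""
    counts = Counter()
    for line in text.splitlines():
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                counts[name] += 1
    return counts


def triage(text: str) -> dict:
    """Summarise whether skipping OCSP/CRL/EKU validation is a safe workaround."""
    counts = classify_lines(text)
    found = {name for name, n in counts.items() if n}
    trust_failures = sorted(found & TRUST_FAILURES)
    missing_info = sorted(found & MISSING_REVOCATION_INFO)
    if trust_failures:
        verdict = "fix-certificate"      # skip would silence a revoked/untrusted chain
    elif missing_info:
        verdict = "skip-acceptable"      # chain carries no usable revocation data
    else:
        verdict = "no-validation-issue"
    return {
        "handshake_failed": "tls_handshake_failure" in found,
        "missing_revocation_info": missing_info,
        "trust_failures": trust_failures,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, n in sorted(classify_lines(SAMPLE_LOG).items()):
        print(f"{name:32} {n}")
    print(triage(SAMPLE_LOG))
```

On the article's own excerpt the verdict is "fix-certificate": the "certificate is revoked" line means the chain presented by the syslog server has a real problem, and the skip command would allow the TLS session while removing the only signal that revealed it. Run against a log where only the "no OCSP URI" or "no CRL distribution points" lines appear, the verdict is "skip-acceptable", which is the situation the Cause section describes.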
