If you have a problem like the one described below with Palo Alto devices, here is the solution:
configure
delete deviceconfig system ssl-tls-service-profile
commit
More details here if needed.
Symptom
- An SSL-TLS profile with certificates has been configured for HTTPS authentication to the firewall.
- After a few days of operation, HTTPS access stops working.
- SSH is working fine.
Environment
- Palo Alto Firewall.
- PAN-OS 8.1 and above.
- Management access using HTTPS.
- SSL-TLS profile configured.
Cause
The certificate is expired or there are other issues with the certificate. As a standard security practice, the web server process is not allowed to run with an expired certificate, which makes the GUI inaccessible.
Resolution
Option 1:
- If the SSL TLS profile used for management is known, delete it. Management access then falls back to the default certificate.
- For example, the following commands delete the SSL TLS profile named profile-1 that is used for HTTPS access:
> configure
# delete deviceconfig system ssl-tls-service-profile
# delete shared ssl-tls-service-profile profile-1
# commit
# exit
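Option 2:
- Since SSH access is possible, a new certificate can be created from the CLI.
- Add the certificate to the SSL TLS profile.
- Assign the newly configured certificate and SSL TLS profile to HTTPS management access.
Example below. It allows TLS 1.0 as the minimum version; where all management clients support it, set min-version to tls1-2 instead.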
> request certificate generate ca yes certificate-name <cert name> name <IP or FQDN> algorithm RSA rsa-nbits 2048
> configure
# set shared ssl-tls-service-profile <profile name> certificate <cert name> protocol-settings min-version tls1-0 max-version tls1-2
# set deviceconfig system ssl-tls-service-profile <profile name>
# commit
# exit
Additional Information
To view the configured SSL-TLS service profiles, use the following commands in configuration mode.
FW> configure
FW#
FW# show deviceconfig system | match ssl-tls-service-profile
FW# show shared ssl-tls-service-profile
FW# exit
Exiting configuration mode
FW>
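Because the outage described under Cause begins when the management certificate expires, the expiry date can be watched from a monitoring host before the GUI is lost. The following is an added example, not part of the original article or of Palo Alto's documentation: it reads the certificate presented on the HTTPS management port and reports the days remaining. The function names, the 30-day warning threshold and the SAMPLE bytes are assumptions constructed for illustration.

```python
import socket, ssl, sys
from datetime import datetime, timezone

# Constructed skeleton (not a real certificate): notBefore 2024-01-01, notAfter 2025-01-01.
SAMPLE = (bytes.fromhex("302e302ca00302010202010130003000301e170d")
          + b"240101000000Z" + bytes.fromhex("170d") + b"250101000000Z")

def _tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def not_after(der):
    """Extract notAfter (UTC) from a DER-encoded X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                 # Certificate
    _, pos, _ = _tlv(der, pos)               # tbsCertificate
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                          # optional [0] version
        pos = end
    for _field in range(3):                  # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)               # validity
    _, _, pos = _tlv(der, pos)               # skip notBefore
    tag, start, end = _tlv(der, pos)
    text = der[start:end].decode("ascii")
    if tag == 0x17:                          # UTCTime has a two-digit year
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def classify(der, now, warn_days=30):
    """Return (state, days_left); warn_days is an assumed threshold."""
    days = (not_after(der) - now).days
    return ("EXPIRED" if days < 0 else "EXPIRING" if days <= warn_days else "OK"), days

def fetch_der(host, port=443):
    """Fetch the certificate the HTTPS management interface presents."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # read-only inspection, trust is not evaluated
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    der = fetch_der(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print(*classify(der, datetime.now(timezone.utc)))
```

Run it with the management IP or FQDN as the only argument; with no argument it evaluates the constructed sample. A connection failure on the HTTPS port while SSH still answers matches the symptom described above.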
Ref:
Unable to Access Web User Interface via HTTPS – Knowledge Base – Palo Alto Networks