If you have a problem like the one below with Palo Alto devices,
here is the solution:
delete deviceconfig system ssl-tls-service-profile
More details here if needed.
- An SSL-TLS profile with a certificate has been configured for HTTPS authentication to the firewall.
- After a few days of operation, HTTPS access stops working.
- SSH is working fine.
- Palo Alto Firewall.
- PAN-OS 8.1 and above.
- Management access using HTTPS
- SSL-TLS profile configured.
The certificate has expired or there are other issues with the certificate. As a standard security practice, the web server process is not allowed to run with an expired certificate, which makes the GUI inaccessible.
- If the SSL TLS profile used for management is known, delete it. Management access then starts using the default certificate.
- For example, the following commands delete the SSL TLS profile named profile-1 that is used for HTTPS access:
# delete deviceconfig system ssl-tls-service-profile
# delete shared ssl-tls-service-profile profile-1
- Since SSH access is possible, a new certificate can be created from the CLI.
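- Add the certificate to the SSL TLS profile. The set shared command below allows TLS 1.0 as the minimum version; raise min-version if every management client supports a newer protocol.
- Use the newly configured certificate and SSL TLS profile for HTTPS.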
> request certificate generate ca yes certificate-name <cert name> name <IP or FQDN> algorithm RSA rsa-nbits 2048
# set shared ssl-tls-service-profile <profile name> certificate <cert name> protocol-settings min-version tls1-0 max-version tls1-2
# set deviceconfig system ssl-tls-service-profile <profile name>
To view the configured SSL-TLS service profiles, use the following commands in configuration mode.
FW# show deviceconfig system | match ssl-tls-service-profile
FW# show shared ssl-tls-service-profile
FW# exit
Exiting configuration mode
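
Because the cause described above is an expired certificate, a check that runs before the expiry date avoids losing HTTPS access in the first place. The script below is an added example, not part of the original post or of Palo Alto's documentation; it assumes the openssl CLI is installed, and the function names, file names and CN are made up for illustration.

```shell
#!/bin/sh
# Added example: report how close a management certificate is to expiry.
# Assumes the openssl CLI is installed. Names below are hypothetical.

# cert_status PEM_FILE WARN_DAYS
# Prints one word: OK, EXPIRING (inside the warning window), EXPIRED,
# or UNREADABLE (missing file or not a certificate). Always returns 0 so
# it can be used inside $(...) in scripts that run with "set -e".
cert_status() {
    cs_pem=$1
    cs_warn_days=$2
    # Do not report EXPIRED just because the file could not be parsed.
    if ! openssl x509 -in "$cs_pem" -noout >/dev/null 2>&1; then
        echo UNREADABLE
        return 0
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cs_pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$cs_pem" -noout \
            -checkend $((cs_warn_days * 86400)) >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# make_sample_cert OUT_PEM DAYS
# Constructed sample input: a throwaway self-signed certificate that is
# valid for DAYS days. The private key is written next to it as OUT_PEM.key.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=fw-mgmt.example.test" >/dev/null 2>&1
}

# Demo on a constructed certificate that is valid for 10 days.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/mgmt.pem" 10
echo "warning window 30 days: $(cert_status "$demo_dir/mgmt.pem" 30)"
echo "warning window 5 days:  $(cert_status "$demo_dir/mgmt.pem" 5)"
echo "missing file:           $(cert_status "$demo_dir/none.pem" 30)"
rm -rf "$demo_dir"
```

To check a real device, first save the certificate its management interface presents to a PEM file, for example with `openssl s_client -connect <IP or FQDN>:443 </dev/null | openssl x509 > mgmt.pem`, then pass that file to cert_status from a scheduled job.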