Troubleshooting Palo Alto Firewall

This section helps you troubleshoot common problems that you might encounter while using the Palo Alto firewall functionalities. It covers troubleshooting for certificate config fetch, discovery, CSR creation, backup, push, bind, rollback, and other actions associated with the Palo Alto firewall.

Issues in Fetch Config

| Error Message | Possible Cause | Possible Solution |
|---|---|---|
| Exception occured while getting Api key - Invalid credentials. | Credentials may be invalid. | Provide valid credentials. |

Issues in CSR Generation

| Error Message | Possible Cause | Possible Solution |
|---|---|---|
| Exception occured while getting Api key - Invalid credentials. | Credentials may be invalid. | Provide valid credentials. |
| Unsupported Key type provided | Unsupported key type is selected. | Please select RSA or EC. |
| Csr generation is device failed | CSR generation has failed. | CSR generation has failed. Please refer to the associated error message. |
| Invalid parameter for number of bits / Csr generation is device failed | Selected EC bit length may not be supported by Palo Alto. | Please select a valid, supported bit length. |

Issues in Certificate Discovery

| Error Message | Possible Cause | Possible Solution |
|---|---|---|
| Please provide information as required | Discovery name not given or length less than 2 characters. | Enter a valid name with a minimum of 2 characters. |
| Please provide information as required | Interval between batches info. is missing when execution type is sequential. | Provide a time interval between batches in minutes. |
| Please select a device | No device is selected in the “Discover By” section. | Select at least one device to discover certificates from. |
| Exception occured while getting Api key - Invalid credentials. | Credentials may be invalid. | Provide valid credentials. |

Issues in Backup, Push, Bind and Rollback

| Error Message | Possible Cause | Possible Solution |
|---|---|---|
| Unable to initiate request. | Pushing to device when certificate is unavailable, i.e., in a new state. | Push to device after certificate has been retrieved from CA. |
| Unable to initiate request. | Previous work order is in progress and not completed. | Initiate push after previous work order is finished. |
| Unable to initiate request. | AppConnector might not be in sync. | Synchronize the appConnector and retry. |
| Unable to initiate request, template is in disabled state | Given workflow is not in enabled state. | Enable the push/rollback workflow from the Workflow section. |
| User is not authorized | User does not have required permissions to push to the device. | Retry after getting the access for required action. |
| Application connector(s) not found | Application connector info was not found. | Provide the correct connectorId if not pushing using AppViewX UI. |
| Request associated with the application connector is in progress | Previous work order is in progress and not completed. | Initiate this request after the previous work order is finished. |
| Push not triggered or succeeded or No existing data available for backup process. | Rollback couldn’t proceed because push was not successful. | Only successfully pushed certificates can be rolled back. |
| Certificate not found. | Pushing to device when certificate is unavailable, i.e., in a new state. | Push to device after certificate has been retrieved from CA. |
| Exception occured while getting Api key - Invalid credentials. | Credentials may be invalid. | Provide valid credentials. |
| Certificate <cert name> is not a valid reference | Private key not available in the certificate or the certificate is not in the required partition to bind. | Certificate should be pushed with the private key to bind with the profile. |
| Creating local certificate file failed | Unable to create the folder in EXPORT_DIRECTORY. | Please check whether the user has permission to create a folder or file in EXPORT_DIRECTORY in AppViewX. |
| Certificate name already exists in inventory, Cannot overwrite until Overwrite is enabled in Profile connector | Certificate with the same name already exists on the device. | Please change the certificate name or enable overwrite in the application connector. |
| Certificate is expired | Certificate is expired. | Push the certificate which is currently valid. |
| Unknown certificate algorithm | Unknown certificate algorithm. | Push the certificates only with RSA or EC. |
| certificate is not yet valid | Certificate valid from value is greater than current time. | Only valid certificates can be pushed. |