So today I had some weird stuff happening (the Fedora download was slow, 300 KB/s)… I thought it was the mirror, but no matter what mirror I picked I had the same results. I asked a buddy to verify my findings and they could download Fedora at speed… Long story short, I thought maybe it was my firewall, and my colleague mentioned the same. Since this is a lab setup it would be nice to get a perpetual license for learning purposes, but PAN clearly doesn’t work like that. I was pretty sure my license had expired, so I decided to first quickly find out what happens when a license expires: What Happens When Licenses Expire? (paloaltonetworks.com)…
Threat Prevention
Alerts appear in the System Log indicating that the license has expired.
You can still:
You can no longer:
Good to know, nothing that would cause the issue I’m experiencing….
DNS Security
You can still:
You can no longer:
nope… and…
Advanced URL Filtering / URL Filtering
You can still:
You can no longer:
WildFire
You can still:
You can no longer:
AutoFocus
You can still:
You can no longer:
Cortex Data Lake
You can still:
GlobalProtect
You can still:
You can no longer:
All a bunch of nope…
VM-Series
Support
You can no longer:
This is a VM series yes… so what does that link mean….
VM-Series
You can still:
You can continue to configure and use the firewall you deployed prior to the license expiring with no change in session capacity. The firewall won’t reboot automatically and cause a disruption in traffic.
However, if the firewall reboots for any reason, the firewall enters an unlicensed state. While unlicensed, a firewall supports a maximum of 1,200 sessions. No other management plane features or configuration options are restricted.
OK… Maybe… but I’m sure a download of a single file doesn’t take over 1,200 sessions… while I did reboot the unit (cloned, power off OG, power on clone, etc)
All other things are the same as posted above… Then I noticed some really weird things….
- Checking for updates doesn’t state anything about license status; it just tries and quietly fails.
- Checking support status shows “Device not found on this update server”.
- Dynamic Updates do not show a “currently installed” version:
  - The currently installed version has Review Policies and Review Apps under Action.
  - The previously installed one will have the same plus a Revert action.
  - A downloaded one will have an Install action.
  - All others seen since the last communication with PAN will have Download.
- Retrieving licenses from the license server returns “Failed to install features. The device is not found.”
- Finally the smoking gun… the Serial Number on the Dashboard will be listed as unknown.
So, I ended up Googling this and found not one, but TWO KBs!!!
and
Serial number becomes “unknown” upon rebooting PA-VM – Knowledge Base – Palo Alto Networks
After reading these, it all made sense… and it’s all rather dumb… to paraphrase it simply….
It’s due to DRM: the DRM derives the serial number from two IDs, the CPUID and the UUID… and when you migrate a PAN VM the CPUID is different because of the different host it resides on… this in turn breaks the licensing.
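As an added illustration of the symptom list above and of the CPUID/UUID dependency (this is not code from the post or from Palo Alto Networks): a small Python check that parses the text of a VM-Series `show system info` and flags the post-migration state by comparing the VM identity fields against a baseline captured while the firewall was still licensed. The field names (`serial`, `vm-uuid`, `vm-cpuid`, `vm-license`) are assumed to match the PAN-OS CLI output, and the sample output, the baseline values and the `none` license value are constructed for the example.

```python
"""Detect the post-migration 'serial: unknown' state on a PAN-OS VM-Series.

Assumption: `show system info` prints one `key: value` pair per line with the
field names used below. The sample output and baseline are constructed.
"""
import re

# Constructed sample of `show system info` after the VM was migrated to a new
# host. Note the serial of 'unknown' and the changed vm-cpuid.
SAMPLE_AFTER_MIGRATION = """\
hostname: lab-fw-01
model: PA-VM
serial: unknown
vm-uuid: 4C4C4544-0031-5A10-8046-B7C04F4E4D31
vm-cpuid: ESX:A7060300FFFBAB1F
vm-license: none
sw-version: 10.2.4
"""

# Constructed baseline recorded while the firewall was still licensed.
BASELINE = {
    "serial": "007000000012345",
    "vm-uuid": "4C4C4544-0031-5A10-8046-B7C04F4E4D31",
    "vm-cpuid": "ESX:A1060300FFFBAB1F",
}

_FIELD = re.compile(r"^([\w-]+):\s*(.*?)\s*$")


def parse_system_info(text):
    """Turn the 'key: value' lines of `show system info` into a dict."""
    info = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def check_vm_identity(info, baseline):
    """Return findings explaining why licensing may have broken (empty = healthy)."""
    findings = []
    # Symptom from the post: the dashboard serial is reported as unknown.
    if info.get("serial", "").lower() == "unknown":
        findings.append("serial is 'unknown': firewall cannot be matched to its license")
    # The serial is derived from CPUID and UUID, so a change in either one
    # after a migration is the likely root cause.
    for key in ("vm-cpuid", "vm-uuid"):
        if key in baseline and info.get(key) != baseline[key]:
            findings.append(f"{key} changed ({baseline[key]} -> {info.get(key)})")
    # Assumed value: an unlicensed VM-Series reports no license. After a reboot
    # this is the 1,200-session state described in the KB text.
    if info.get("vm-license", "").lower() in ("none", ""):
        findings.append("vm-license is none: firewall is running unlicensed (1,200 session cap)")
    return findings


if __name__ == "__main__":
    current = parse_system_info(SAMPLE_AFTER_MIGRATION)
    for finding in check_vm_identity(current, BASELINE):
        print("FINDING:", finding)
```

Run it once while the firewall is licensed to record the baseline, then again after any vMotion, clone or host move; a non-empty findings list before the next reboot is the moment to open the ticket, not after the session cap has already bitten.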
*Standing Ovation*
What’s PAN’s solution… Open a support ticket… that’s right.. instead of coming up with a technical solution to make DRM work while still retaining the ability to migrate the VM (the most important and valuable reason why you want to run it as a VM anyway)….
Instead of having a way to edit the CPUID and UUID in the PAN portal to fix this yourself…..
No, they want you to waste their tech support personnel’s time….
This ….. IS……. DUMB!!!!!