Forum Discussion

Mike_Suding's avatar
Mike_Suding
Former Employee
6 years ago

Collector could not verify/register if using Palo Alto SSL decryption feature

Just in case this helps other customers...

SYMPTOMS:  The Windows collector installed ok and the two Collector services were running but the collector could not finish the verification/registration step and showing the 'flame alert' on Settings > Collectors screen.  After some troubleshooting, we looked in the wrapper.log file on the collector and saw this error message:

[MSG] [CRITICAL] [main::controller:main] [AgentHttpService.checkCertificateOrWait2Valid:1029] The santaba server is not trusted, and "EnforceLogicMonitorSSL" is enabled. Wait 1 minute to retry. Please check the network settings, or disable "EnforceLogicMonitorSSL" in agent.conf and restart collector

The customer set up a whitelist on their Palo Alto firewall for *.logicmonitor.com and it started working (or list of ~15 IP address ranges).  Alternatively you can lower security and change the agent.conf (config file) from EnforceLogicMonitorSSL=true to false.

collector
Palo Alto
  • Matthew_Dunham's avatar
    Matthew_Dunham
    Former Employee
    6 years ago

    Note that LogicMonitor does not endorse running Collectors with the EnforceLogicMonitorSSL configuration item set to "false". This setting disables certificate verification the Collector uses to authenticate our service platform before sending sensitive data. By disabling this, you risk exposing the data your Collector sends upstream to a man-in-the-middle attack.

    Where a decryption proxy is in use, we recommend that you disable proxying for Collector traffic as Mike specifies above.