Onboarding Catalyst behind Palo Alto

Tom_CFCU
New here

Has anyone had success onboarding a Catalyst switch behind a Palo Alto firewall?

We do have TLS Inspection but added the appropriate domains to our exclusion list without success.

The app fails to open and throws an error during 'Checking for updates...' about a self-signed cert in certificate chain.

We've tried adding all sorts of additional exclusions, including some temporary *.amazonaws.com and *.*.amazonaws.com entries (due to the hostname resolution we saw in the Monitor logs).

I do have a support ticket open with Meraki, but I'm unsure if they'll be able to help much with regard to the Palos.

Thanks,

Tom

Mloraditch
Head in the Cloud

Have you programmed all the necessary rules as listed under Help/Firewall Info?

https://documentation.meraki.com/General_Administration/Other_Topics/Upstream_Firewall_Rules_for_Clo...

Tom_CFCU
New here

Yes, we have. We have MXs and MRs at all locations that successfully communicate without issue through the Palos.

Mloraditch
Head in the Cloud

You mention an app so I presume you are onboarding for cloud monitoring vs management? If so, have you tried just completely whitelisting the PC running the app temporarily? You only need the app during the setup so the rules aren't needed permanently.

Tom_CFCU
New here

Yes, onboarding for cloud monitoring of our 9200L fleet.

Our PAs have a 'source any/destination Meraki' rule, so Security Policies allow all traffic, but that wouldn't stop the SSL Forwarding/Inspection.

I did find a workaround by launching the app off network, connecting back to the network, and continuing the process. However, now I'm faced with a new issue of 'Cloud is not able to login to device' after everything else is successful. I do see it trying in the switch logs and passed that along in my Meraki ticket. Also, all of this traffic is being allowed in the PA logs.

ch303
Conversationalist

I'm not sure if you've come across this yet, but I had a similar issue and I believe it was related to my AAA config - more info here: https://community.meraki.com/t5/Switching/Catalyst-9300-Meraki-onboarding-Authorization-issue/m-p/26...

However, while that fixed my issue on the first one, I am once again running into the same error with my AAA configured the same as on my successfully onboarded switch. I've run AAA debug commands on the Catalyst switch while doing the onboarding and it appears the "meraki-user" account is able to log in successfully, so I'm not sure what the deal is.

I'm going to keep investigating, let me know if you make any progress!
