The Zurich release has arrived! Interested in new features and functionalities? Click here for more

"Palo Alto - Firewall Manager" Discovery Pattern Error

Hayden Reid
Tera Guru

‎03-19-2025 07:36 AM

Hello,

We're encountering issues while setting up an OOB serverless execution pattern for our Palo Alto Firewalls to populate the CMDB with device data from Panorama.

We're getting two specific errors:
"Pattern exit because Graceful Termination, reason: Panorama manager information is empty. Please check Mid Server logs for more information. Failed Condition(s): [(${panorama_system_info} : value=) IS NOT EMPTY ]"

 

From Pattern Designer Debugging:
Pattern does not lead to the creation of any CI, please check the correctness of the identification sections. (immediately follows the previous message).

The pattern's javascript that throws the error is:
var panoramaSysInfoUrl = ${panoramaUrl} + "?key=" + ${apiKey} + encodeURI("&type=op&cmd=");
rtrn = firewallMgmtUtils.fetchPanoramaInfo(panoramaSysInfoUrl, trustInsecureHosts);

step { name = "Exit if panorama manager info is empty"

match { is_not_empty {get_attr {"panorama_system_info"}} terminate_op = graceful terminate_msg = "Panorama manager information is empty. Please check Mid Server logs for more information."

}

}


Here are some of the steps we've already taken:

1. Authenticated the API key

2. Confirmed network connectivity to the firewall

 

3. Verified Firewall extension classes are properly installed

 

4. Review MID server logs (found no additional information)

 

5. Reviewed the docs on serverless patterns.

 

What exactly does panorama manager information missing mean? Why might our pattern not be creating ny CI's despite following the standard docs? Any assistance would be greatly appreciated.

HaydenReid_0-1742394880247.png

 

 

0 Helpfuls
  • 804 Views
5 REPLIES 5

AJ-TechTrek
Giga Sage
Giga Sage

‎07-23-2025 07:20 AM

Hi @Hayden Reid ,

 

Here is my Understanding for the error:-


"Panorama manager information is empty. Please check Mid Server logs..."
means that the OOB pattern is making an API call to Panorama to get panorama_system_info — which should return metadata about the Panorama device (like serial number, version, connected devices).

 

If this is empty:


* It means the call didn't return data
* Or the API response was not parsed correctly
* As a result, the pattern has no data to identify a CI, so it exits gracefully (designed behavior)

 

Why it usually happens


1. API key issues: even if the key is valid, it might not have correct privileges (e.g., needs superuser or equivalent role to fetch device system info)
2. Incorrect Panorama URL: malformed URL, missing /api/ path, wrong IP/FQDN
3. Unsupported Panorama version: older versions may have slightly different API responses, breaking the parser
4. FirewallMgmtUtils / serverless JS: unable to parse the XML/JSON because of unexpected structure
5. MID Server issues: missing firewall pattern extension or missing JAR libraries
6. Pattern logic issue: the step checking for panorama_system_info exits because the value is actually empty

 

 Solution & troubleshooting :-


Step 1: Validate the Panorama API call manually
* Take your panoramaSysInfoUrl that the pattern constructs:
https://<PanoramaIP>/api/?key=<APIKEY>&type=op&cmd=<COMMAND>
* Try running this manually in browser / Postman
* Use the command: <show><system><info></info></system></show>
* Confirm you get a populated XML with Panorama system info
If this API call itself fails → problem is outside ServiceNow

 

Step 2: Check the API key and permissions
* Make sure the user that generated the API key has:
* superuser or role that can run operational commands
* Some read-only or device admin roles can’t execute certain operational commands (type=op)

 

Step 3: Check Panorama version
* Confirm Panorama is on a supported version per ServiceNow documentation
* Older versions sometimes respond differently, e.g., missing fields

 

Step 4: Confirm pattern inputs
* Make sure:
* panoramaUrl is correct (has the /api/ in path if needed)
* apiKey is valid and not expired

 

Step 5: Debug in Pattern Designer
* In Pattern Designer → run test discovery
* Expand the step where firewallMgmtUtils.fetchPanoramaInfo runs
 Check for the below -
* What is the raw response?
* Is panorama_system_info null/empty or populated but parser can't find it

 

Step 6: Check MID Server & extension
* Confirm the firewall extension plugin is installed (Firewall Pattern Extension or specific Palo Alto support pack)
* MID Server must be up-to-date (and match required version for serverless pattern)
* In some cases, the JAR/JS libraries used by firewallMgmtUtils must be on the MID

 

Step 7: Fix pattern logic (if needed)
* If your Panorama returns data but the pattern step still exits:
* Check if the attribute name used: ${panorama_system_info} matches exactly what's returned
* Sometimes need to adjust parsing logic (advanced)

 

Step 8: CI creation
* If panorama_system_info is empty → the pattern can't run the Identification section → no CI is created.
* Once fixed, the identification step should create/associate the CI.

 

What “panorama manager information missing” really means:
It means the discovery pattern was not able to fetch basic system info from Panorama → so it can't identify

Panorama or managed firewalls → exits early without creating CIs.

 

My Tip:


 

If you’re still stuck, enable debug on the MID server + collect logs from agent log and ecc_queue entries.
Also, run the API call manually and compare the XML structure with what the pattern expects.

 

Please appreciate the efforts of community contributors by marking appropriate response as Mark my Answer Helpful or Accept Solution this may help other community users to follow correct solution in future.
 
Thank You
AJ - TechTrek with AJ
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
ServiceNow Community MVP 2025

0 Helpfuls