topic Re: What does not get uploaded in Config that needs changed via CLI? in General Topics

What does not get uploaded in Config that needs changed via CLI?

lucius.l.rusher — Wed, 16 Oct 2013 21:35:37 GMT

We have a PA-500 that has a bad hard drive in it. We copied the config from the bad device and transferred it to the new RMA device they have sent us. on the GUI all the settings have transferred over just fine and nothing looks different. But when the device is in place we have network issues and it is looking like packets are being dropped (some users can get to say google.com while the person next to them cant.) I have worked with about 6 different engineers on this issue and finally have had one notice one difference. The difference had to do with the "show running tcp state". The "bypass-exceed-oo-queue" = NO on the new device BUT was set to YES on the old device. So it does not look like this setting is transferred when you upload the config to a new device. My question is what else is not transferred from the old device to the new one? The engineer was able to see this difference while comparing the two tech support files. Is there anything else that needs to be manually changed on the new device? I am afraid to send the defective device back if we still need to look at settings on it and make changes on the new one to match. Any help/advice would be great, and by the way we are using PAN OS v4.1.13. Thanks in advance.

Re: What does not get uploaded in Config that needs changed via CLI?

SMF — Mon, 28 Oct 2013 16:45:00 GMT

As a rule I've found that anything on the Device tab or any configuration that can only be input through the CLI needs to be checked that its HA synchronized or configuration exported. The obvious stuff is the device addresses etc. but some of the other stuff is less obvious such as how certificates are handled.

Re: What does not get uploaded in Config that needs changed via CLI?

indup089 — Thu, 31 Oct 2013 10:20:21 GMT

There are some configuration-settings which can be configured from operational mode and therefore not resides in the configuration-file.

For example you can configure "tcp-non-syn-check" in following two ways:

set session tcp-reject-non-syn <yes|no> -> active but not in the config-file....

config

set deviceconfig setting session tcp-reject-non-syn <yes|no>

commit -> active an in the config-file...

As far as I know the only way to configure the bypass-exceed-oo-queue is the following:

config

set deviceconfig setting tcp bypass-exceed-oo-queue <yes|no>

commit

Though this setting should had definitely resided in the config-file....is the setting really not available under deviceconfig-stanza in the exported config-file..?

If no indeed a very odd behaviour. Any statements from PAN-support yet?

Regarding the gerneral PAN tcp handling the following document is maybe helpful for you:

https://live.paloaltonetworks.com/docs/DOC-1731