Configuration Articles

Featured Article
Overview

This document describes how to set up a replacement device, received from an RMA, as a High Availability (HA) peer.

Steps

Gather backup configuration

1. Take a backup configuration of the faulty device: go to Device > Setup > Operations > Configuration Management and click "Export device state." The device state contains the configuration for the device.
   Note: To take a backup of a device from Panorama, go to Panorama > Managed Devices and click "Manage…" under the Backups column for the appropriate device, or export the device state bundle to a computer using SCP or TFTP from the CLI:
   > scp export device-state device to username@serverip:/path/
2. For PA-7000 Series devices, note the output of the following command:
   > show session distribution policy
3. For all platforms, note the output of the following command:
   > show system setting jumbo-frame
4. Shut down the faulty unit using the command:
   > request shutdown system
5. Rack the new unit and connect to the unit's Management Interface.

Set up basic configuration on the new device

1. Transfer licenses. Refer to the following document: How to Transfer Licenses to a Spare Device
2. (Optional) Set the operational mode to match that on the old firewall. A serial port connection is required for this task. Enter the following CLI command to access maintenance mode on the firewall:
   > debug system maintenance-mode
   To boot into the maintenance partition, enter maint during the boot sequence. Select the operational mode as "Set FIPS Mode" or "Set CCEAL 4 Mode" from the main menu.
3. (Optional) Set the system settings to match the output from the commands in steps 2 and 3 of the previous section.

Configure Management Access to the replacement device

1. Access the console and log in using the default credentials:
   Username: admin
   Password: admin
2. Configure the management IP address, netmask, and gateway, as well as the DNS and update servers, using the following CLI commands:
   > configure
   # set deviceconfig system ip-address <value> netmask <value> default-gateway <value>
   # set deviceconfig system dns-setting servers primary 4.2.2.2
   # set deviceconfig system update-server updates.paloaltonetworks.com
   # commit
   # exit
3. Ping a domain to test, for example:
   > ping host paloaltonetworks.com
4. Obtain licenses from the license server. Go to Device > Licenses and click "Retrieve license keys from license server." Make sure there is a URL filtering license, that URL filtering is activated, and that the database has been successfully downloaded.
   Note: If a "Download Now" link is displayed, the database has not been downloaded.

Install the same GlobalProtect Client and PAN-OS versions on the replacement device as on the existing HA peer

1. Install the GlobalProtect Client. Go to Device > GlobalProtect Client. Download and activate the appropriate version of the client.
2. Install PAN-OS. Go to Device > Software. Download and install the appropriate image. Reboot.
3. Make sure dynamic updates have the same version as on the HA peer. If not, download and install the appropriate version: Device > Dynamic Updates > Download > Install.
4. If the device is being managed from Panorama, replace the old serial number with the new one:
   > replace device old <Old Serial #> new <New Serial #>

Restore the configuration

1. For multi-vsys enabled systems, first enable multi-vsys capability:
   > set system setting multi-vsys on
2. (Optional) Enable jumbo frames and the session distribution policy to match the old device:
   > set system setting jumbo-frame on   (reboot required to take effect)
   > set session distribution policy [ fixed | hash | ingress-slot | random | round-robin | session-load ]
3. Go to Device > Setup > Operations. Click "Import device state" and import the previously backed up configuration from the faulty device. Commit once the import of the device state is complete.
4. Ensure the new device stays in a passive state, to prevent its configuration from being pushed to the active device. Suspend the new unit from the CLI with the command:
   > request high-availability state suspend
   or, from the GUI, go to Device > High Availability > Operations > Suspend local device,
   or perform the following config change: go to Device > High Availability > General > Setup and uncheck the Enable Config Sync option. Disable "Preemptive" under Election Settings. Configure the device with the highest Device Priority value (255). Perform a commit.
   Note: The device will not become active with this configuration. Refer to High Availability Synchronization.
5. Make sure the replacement device has the same configuration as the active device. Go to the Dashboard tab and check the High Availability widget.
   Note: If the High Availability widget is not displayed, click Widgets > System > High Availability.
   If the configurations are not the same, go to Device > High Availability on the active device and click "Push configuration to peer."
6. Log into the active unit. Go to Device > Config Audit and run a config audit between "Running Config" and "Peer's Running Config." Make sure both are the same. In the case of any differences, manually configure the passive unit. A "Config Difference" can occur if a configuration backup was not taken for the faulty device, in which case the new device will not have the same configuration as the active unit and manual configuration is required.
7. Enable config sync (Device > High Availability > General > Setup) and preemptive (Device > High Availability > General > Election Settings) on the replacement device. Commit the changes.
8. After the commit, connect the remaining cables to the new device.

owner: hshah
hshah 12-05-2017 06:07 AM
Overview

This document describes how to install an RMA replacement hard disk drive on a PA-2000 Series firewall.

Prerequisites

The recommended best practice is to back up and export the running configuration, certificates, keys, and a tech support file. This is only possible while the firewall is still up, or degraded due to an HDD error (for example, "Drive error detected").
1. Go to Device > Setup > Operations > Save named configuration snapshot.
2. Go to Device > Setup > Operations > Export named configuration snapshot.
3. Go to Device > Support > Generate Tech Support File.
4. Go to Device > Support > Download Tech Support File.
5. Go to Device > Certificates > [Select Certificates to Export] > Export (use PKCS12 so exported certificates include their private keys).

Note: If the Palo Alto Networks firewall receiving the replacement disk drive is the passive device in an HA pair, the prerequisites above are not required, since the running configuration, certificates and keys can be synchronized from the active device provided that HA config sync is enabled. It is still highly recommended to perform the prerequisites for backup purposes. For an active/active setup, perform the prerequisites, since device-specific configuration is not synchronized to the peer device.

Steps

1. Schedule a maintenance window, since the HDD is not hot-swappable.
2. Power down the secondary or passive firewall and replace the old HDD with the new one.
3. Power up the firewall. The firewall should boot with the same PAN-OS version as on the replaced disk drive. If this is not the case, follow the steps below:
   a. Configure the firewall for basic connectivity to the network/internet so that it can fetch its license.
   b. Upgrade the firewall to the previous working PAN-OS version, if needed.
   c. Download and install the latest dynamic updates.
4. Import and load the previous working configuration, certificates and keys (or, for HA A/P, configure the HA setup and synchronize the configuration from the active device).
   Go to Device > Setup > Import named configuration snapshot.
5. Import the certificates and keys if the step above did not import them properly. Go to Device > Certificates > Import.
   Note: Use PKCS12 to make sure imported certificates include private keys. If keys are not required, import certificates using Base64 Encoded Certificate (PEM).
6. Commit.

owner: jlunario
pagmitian 11-15-2017 12:38 PM
In order to recognize an application, the Palo Alto Networks firewall needs to capture enough data to match a pattern contained in an application signature.

As a compromise between application identification (App-ID) and security, the firewall inspects a limited amount of data before finally deciding whether the application is known or not.

It waits for a maximum of 4 packets or 2000 bytes of data in either direction (not including the TCP handshake). In most cases, the application is recognized before that amount of data has been received.

If the application is still not identified at that point, it appears as "unknown-tcp" or "unknown-udp."
nbilly 12-21-2016 07:51 AM
Overview

This document describes the steps to configure a Palo Alto Networks M-100 to function as both Panorama and a Log Collector.

Steps

To configure Panorama to manage devices, follow the instructions below:
1. Navigate to Panorama > Managed Devices.
2. Click 'Add' to add the devices that will be managed by the M-100.
3. Navigate to Panorama > Device Groups.
4. Click 'Add' to create a device group.
5. Add the device into the group.
Note: The devices can be managed the same way as in other Panorama deployments.

To configure the Log Collector functionality, follow the instructions below:

Add the M-100 as the collector:
• Go to Panorama > Managed Collectors.
• Enter the Serial Number (S/N) of the M-100 into the Collector S/N field.
  Note: The S/N and hostname for this example are 009201000347 and panomgmt-a.
• Perform a local commit before adding the disk from the Disks tab; otherwise the disk will not be visible.
• Under Panorama > Managed Collectors > Disks tab, define the RAID 1 disk pair that will be used to store logs.
  Note: Additional disk pairs can be added as needed to expand storage capacity. By default, the M-100 ships with the first RAID 1 pair enabled, with drives installed in bays A1 and A2. To set up RAID, issue the request system raid add command from the CLI:
  > request system raid add A1
  Executing this command may delete all data on the drive being added. Do you want to continue? (y or n)
  > request system raid add A2
  Executing this command may delete all data on the drive being added. Do you want to continue? (y or n)
• Perform a local commit on the Panorama.

Configure Log Collection:
• Navigate to Panorama > Collector Groups.
• Go to the Log Forwarding tab.
• Under Collectors, add the M-100 hostname.
  Note: This adds the M-100 into its own configuration.
• Under Log Forwarding Preferences, add the device from which logs need to be forwarded.
• Perform a local commit on the Panorama.
• Perform a Collector Group commit.
Note: If you skip step 5, you will see this error: "Ring version mismatch."

The Collector should appear connected and the Configuration Status field should be "In sync".
Note: If step 5 is not performed, the Collector Configuration state will be "Out of sync", as shown below.
Note: While viewing the disk space of the system, show system logdb-quota does not display the usage of the RAID disks; the command displays only the statistics of logs on the SSD. If the log quota settings of the RAID disks need to be configured or checked, go to Panorama > Collector Groups > (Name of the Collector Group) > General tab and select the link next to Log Storage.

See Also
M-100 Log Collector Configuration
How to Change the Operational Mode from Log Collector to Panorama on the M-100 Device

owner: sraghunandan
sraghunandan 12-03-2015 03:59 PM
Overview

When deploying a new PA-7050 and only "Option 1" Network Processor Cards (NPCs) are used, the system cannot be directly upgraded to the required PAN-OS 7.0 software.

This document describes the one-time process (per PA-7050) needed so that the system can load PAN-OS 7.0.1 or higher, as required by the Option 1 card. Once the system has been upgraded to 7.0.1 or higher, the Option 1 NPCs can be inserted and the system can be fully configured. This procedure is also needed if an RMA is required for the Switch Management Card (SMC).

Note: If an Option 2 NPC is present, this procedure is not needed and the upgrade can proceed using only the Option 2 NPC.

For reference:
NPC option 1: 2x40 Gig QSFP, 12x10 Gig SFP+ (part: PAN-PA-7000-20GQ-NPC)
NPC option 2: 12x10/100/1000, 8x1 Gig SFP, 4x10 Gig SFP+ (part: PAN-PA-7000-20G-NPC)

Steps

Assumptions:
• Either an SSH or serial connection is available to the PA-7000 Series firewall
• The management IP is 172.16.5.10
• The management netmask is 255.255.255.0 (/24)
• The management default gateway is 172.16.5.1
• The DNS server is 8.8.8.8

1. In the CLI, enter the following commands:
   > debug management-server client disable device
   > debug management-server client disable useridd
   > configure
   # set deviceconfig system ip-address 172.16.5.10 netmask 255.255.255.0 default-gateway 172.16.5.1
   # set deviceconfig system dns-setting servers primary 8.8.8.8
   # commit force

2. Once the system has rebooted, GUI access is available, and the following items must be done:
   Device > Licenses > "Retrieve license keys from license server"
   Device > Dynamic Updates > "Check Now" at the bottom. Then download the latest "Applications" or "Applications and Threats", depending on your license. Either will work for this procedure.
   Device > Software > "Check Now" at the bottom. Download, then install PAN-OS 6.1.0. When prompted, reboot the system.

   Note: It may be necessary to re-run the following commands after the initial reboot to 6.1.0:
   > debug management-server client disable device
   > debug management-server client disable useridd
   > configure
   # commit force

3. Once the system has rebooted to 6.1.0, log back into the GUI:
   Device > Software > "Check Now" at the bottom. Download, then install PAN-OS 7.0.1. When prompted, reboot the system.

Once rebooted to 7.0.1, all components can be configured and deployed.

Below are the previously available steps to do the same operation. They are not required if the process above is followed instead, but are kept here for archive purposes.

Assumptions:
• PAN-OS 6.1.0 image is called "panos6.1.0"
• PAN-OS 7.0.1 image is called "panos7.0.1"
• Content file is called "content_curr"
• The user configured on the SCP server is "username"
• The computer used for this process is Windows 7, 8, or 10

Steps to upgrade a PA-7050 from 6.0.6 to 7.0.1 when only the newer "Que" NPC is available. This procedure is not needed if even one standard NPC is available.
1. Download the following files:
   a. PAN-OS 6.1.0
   b. PAN-OS 7.0.1
   c. Threat license key
   d. Current content version
2. Download and install SCP server software.
   a. One example is the SolarWinds free SCP server: http://www.solarwinds.com/products/freetools/free_tftp_server.aspx
3. Configure a computer with an IP address as follows:
   a. IP: 192.168.1.2
   b. Netmask: 255.255.255.0
   c. Default GW: Not needed (can be 192.168.1.3 if desired)
   d. DNS: Not needed (can use any, such as 8.8.8.8, if desired)
4. Ensure SSH software, such as PuTTY, is installed.
5. Connect your Ethernet cable to the management port on the PA-7050.
6. SSH to the management IP, 192.168.1.1. The default credentials are:
   a. Username: admin
   b. Password: admin
7. Open the threat license key file in a plain text editor (notepad, textpad, notepad++, editpad, etc.).
8. Enter the following:
   a. request license install
   b. Paste the key into the console window (PuTTY's default paste key is right-click)
   c. Hit <enter> two times
9. Enter the following:
   a. scp import content from username@192.168.1.2:/content_curr
   b. Enter the password (if configured) for your SCP server
10. Enter the following:
   a. scp import software from username@192.168.1.2:/panos6.1.0
   b. Enter the password (if configured) for your SCP server
11. Enter the following:
   a. request content upgrade install file content_curr
12. Enter the following:
   a. request system software install file panos6.1.0
13. Reboot the system and wait until it finishes booting to 6.1.0.
14. SSH back into the firewall.
15. Enter the following:
   a. scp import software from username@192.168.1.2:/panos7.0.1
   b. Enter the password (if configured) for your SCP server
16. Enter the following:
   a. request system software install file panos7.0.1
17. Reboot the system.

At this point, the system will be booted to PAN-OS 7.0.1, the NPC(s) will be able to boot and run, and any additional configuration changes can be made.

owner: gwesson
gwesson 09-01-2015 01:02 PM
Details

The OID IF-MIB::ifInDiscards contains information about packets that are being dropped on the interface due to physical (Layer 1) errors, such as CRC, framing, and oversized packets. On the Palo Alto Networks firewall this information can be found in the output of the show system state filter sys.s1.p*.detail command, which shows all the physical-layer counters kept for the interface.

Example

When running the following CLI command, the Palo Alto Networks firewall displays:
> show system state filter sys.s1.p*.detail
sys.s1.p2.detail: { 'oversize_pkts': 0x1208cc42, 'pkts1024tomax_octets': 0x5f8ec69, 'pkts128to255_octets': 0xf9e181a0, 'pkts256to511_octets': 0x5cd02c5, 'pkts512to1023_octets': 0x1a14265, 'pkts64_octets': 0x3f016, 'pkts65to127_octets': 0x88820d3, }

The counter oversize_pkts represents physical errors on interface ethernet1/2. It is written in hex; in this example, converted to decimal, the value is 302566466.

If an SNMP query from a Linux machine is performed against the IF-MIB::ifInDiscards OID on the firewall, the same value as shown by the CLI output above is returned:
[root@MyUbuntu]# snmpwalk -v2c -c public 10.193.82.193 .1.3.6.1.2.1.2.2.1.13.4
IF-MIB::ifInDiscards.4 = Counter32: 302566466

owner: djoksimovic
djoksimovic 12-01-2014 12:55 AM
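The cross-check the article above describes (the hex CLI counter against the SNMP Counter32 value) can be automated. The following Python script is an added example and is not part of the original article or of any Palo Alto Networks tooling. It parses the quoted CLI output and the snmpwalk line (embedded here as constructed samples copied from the article) and compares the two values modulo 2^32, because ifInDiscards is a Counter32 that wraps while the CLI counter may not. The mapping of sys.s1.p2 to ifInDiscards.4 is taken from the article and passed in as a parameter; the script does not discover it.

```python
"""Cross-check a PAN-OS physical-port counter against the SNMP ifInDiscards value.

Added example, not part of the original article. It parses the output of
`show system state filter sys.s1.p*.detail` (counters printed as hex) and an
snmpwalk result line, then compares them modulo 2**32 because ifInDiscards is
a Counter32 that wraps.
"""
import re

# Constructed sample: the CLI output quoted in the article, counters in hex.
CLI_OUTPUT = """\
sys.s1.p2.detail: { 'oversize_pkts': 0x1208cc42, 'pkts1024tomax_octets': 0x5f8ec69,
'pkts128to255_octets': 0xf9e181a0, 'pkts256to511_octets': 0x5cd02c5,
'pkts512to1023_octets': 0x1a14265, 'pkts64_octets': 0x3f016,
'pkts65to127_octets': 0x88820d3, }
"""

# Constructed sample: one line as printed by snmpwalk -v2c on the same firewall.
SNMP_OUTPUT = "IF-MIB::ifInDiscards.4 = Counter32: 302566466"

COUNTER32_MODULUS = 2 ** 32


def parse_state_detail(text):
    """Return {block_key: {counter_name: int}} for each sys.sN.pM.detail block."""
    result = {}
    block_re = re.compile(r"(sys\.s\d+\.p\d+\.detail):\s*\{(.*?)\}", re.S)
    pair_re = re.compile(r"'([A-Za-z0-9_]+)':\s*(0x[0-9a-fA-F]+|\d+)")
    for key, body in block_re.findall(text):
        # int(value, 0) accepts both the 0x-prefixed hex the CLI prints and plain decimal.
        result[key] = {name: int(value, 0) for name, value in pair_re.findall(body)}
    return result


def parse_snmp_counter(line):
    """Return (object_name, value) from an snmpwalk 'Counter32:' line."""
    m = re.match(r"(\S+)\s*=\s*Counter32:\s*(\d+)", line.strip())
    if not m:
        raise ValueError(f"not a Counter32 line: {line!r}")
    return m.group(1), int(m.group(2))


def counters_agree(cli_value, snmp_value):
    """True when the CLI counter and the SNMP Counter32 describe the same count.

    The CLI counter may exceed 32 bits while the SNMP object wraps at 2**32,
    so both sides are reduced modulo 2**32 before comparison.
    """
    return cli_value % COUNTER32_MODULUS == snmp_value % COUNTER32_MODULUS


def check_interface(cli_text, snmp_line, port_key="sys.s1.p2.detail", counter="oversize_pkts"):
    """Parse both outputs and return (cli_value, snmp_value, agree).

    port_key/counter default to the article's example (sys.s1.p2 is ethernet1/2
    there); the caller supplies the mapping to the SNMP ifIndex.
    """
    cli_value = parse_state_detail(cli_text)[port_key][counter]
    _, snmp_value = parse_snmp_counter(snmp_line)
    return cli_value, snmp_value, counters_agree(cli_value, snmp_value)


if __name__ == "__main__":
    cli, snmp, ok = check_interface(CLI_OUTPUT, SNMP_OUTPUT)
    print(f"CLI oversize_pkts={cli} SNMP ifInDiscards={snmp} agree={ok}")
```

In practice you would feed `check_interface` the live output of the two commands; a persistent disagreement that is not explained by Counter32 wrap-around points at a stale SNMP poll or a wrong ifIndex-to-port mapping rather than at a hardware fault.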
PAN-OS 6.0

Details

Sometimes traffic and threat logs need to be forwarded to both Panorama and a syslog server. When this has to be done over a WAN link with limited bandwidth, it is necessary to consider reducing the number of log streams sent over the link. When Palo Alto Networks firewalls are configured to forward traffic and threat logs to Panorama and to the syslog server separately, this can cause issues with the link, especially when there are several firewalls. For example, with separate profiles configured on the firewalls for log forwarding to Panorama and to the syslog server, the result is as shown in Fig I.

However, the firewalls can instead be configured to forward these logs to Panorama only, while a syslog profile is created in Panorama to forward the traffic and threat logs to the syslog server. This is represented by Fig II.

Prior to PAN-OS 6.0, only configuration and system logs could be forwarded from Panorama to a syslog server. On Panorama running PAN-OS 6.0, threat, traffic, HIP Match and WildFire logs can be forwarded from Panorama to a syslog server in addition to configuration and system logs.

Steps

To configure Panorama to forward threat and traffic logs to a syslog server, follow the steps below:
1. Create the Syslog Server Profile: go to the Panorama tab, under Server Profiles.
2. Go to Device Log Settings - Traffic and click on the log type to be forwarded to the syslog server.
3. Under Syslog, select the profile that was created in the first step, as shown in the screenshot below.

With this configuration, the firewalls forward logs to Panorama (assuming log forwarding was configured correctly on the firewall), and Panorama forwards the logs on to the syslog server, thus reducing the number of log streams significantly.

owner: sodhegba
sodhegba 07-07-2014 11:55 PM
Overview

On a GP-100, it is possible to configure a Scheduled Backup Export. With this export schedule, the following logs and configuration can be backed up:
• GP-100 device state
• GP-100 HIP match logs
• GP-100 MDM logs

Steps

1. Go to Setup > Scheduled Backup Export.
2. Click Add to configure a new export schedule.

owner: rvanderveken
rvanderveken 06-20-2014 02:52 AM
Issue

A PA-5000 Series firewall needs to be configured for RAID 1, but the device has mismatched SSD drive models. When the second drive is inserted into the drive bay and the device is powered on, it does not boot into maintenance mode. The RAID details on the device do not show the second drive mirroring or its sync status, as shown below:

> show system raid detail
Overall RAID status                        Good
--------------------------------------------------------------------------------
Drive status
  Disk id 1                            Present    (DENCSTE251M21-01)
  Disk id 2                            Present    (WDC WD1600BEKT-0)
--------------------------------------------------------------------------------
Partition status
panlogs                        clean, degraded
  Drive id 1                      active sync
maint                          clean, degraded
  Drive id 1                      active sync
sysroot0                       clean, degraded
  Drive id 1                      active sync
sysroot1                       clean, degraded
  Drive id 1                      active sync
pancfg                         clean, degraded
  Drive id 1                      active sync
panrepo                        clean, degraded
  Drive id 1                      active sync
swap                           clean, degraded
  Drive id 1                      active sync

Resolution

The Palo Alto Networks PA-5000 Series platform must have identical SSD drive models for a RAID 1 configuration.

An example of the RAID details on a properly configured device is shown below:

> show system raid detail
Overall RAID status                        Good
--------------------------------------------------------------------------------
Drive status
  Disk id 1                            Present    (WDC WD1600BEKT-0)
  Disk id 2                            Present    (WDC WD1600BEKT-0)
--------------------------------------------------------------------------------
Partition status
panlogs                                  clean
  Drive id 1                      active sync
  Drive id 2                      active sync
maint                                    clean
  Drive id 1                      active sync
  Drive id 2                      active sync
sysroot0                                 clean
  Drive id 1                      active sync
  Drive id 2                      active sync
sysroot1                                 clean
  Drive id 1                      active sync
  Drive id 2                      active sync
pancfg                                   clean
  Drive id 1                      active sync
  Drive id 2                      active sync
panrepo                                  clean
  Drive id 1                      active sync
  Drive id 2                      active sync
swap                                     clean
  Drive id 1                      active sync
  Drive id 2                      active sync

See Also
PA-5000 Series SSD Upgrade Options

owner: gchandrasekaran
gchandrasekaran 10-23-2013 03:03 AM
Overview

This document describes how to verify the MTU size and configure it on an interface.

Details

Look for the following global counters, which indicate drops due to flow_fwd_mtu_exceeded:
> show counter global filter packet-filter yes delta yes
flow_fwd_mtu_exceeded    7   0 info      flow     forward   Packets lengths exceeded MTU
flow_fwd_ip_df           5   0 drop      flow     forward   Packets dropped: exceeded MTU but DF bit present

The above counters appear when the MTU size is less than 1500. If drops are seen on the counters above, set the MTU size for the applicable interface to 1500. Go to Network > Interface > Ethernet1/3 > Advanced > MTU to configure the MTU value.

The MTU size can also be checked from the CLI with the following command:
> show interface ethernet1/3
--------------------------------------------------------------------------------
Name: ethernet1/3, ID: 18
Link status:
  Runtime link speed/duplex/state: 1000/full/up
  Configured link speed/duplex/state: auto/auto/auto
MAC address:
  Port MAC address 00:1b:17:a6:41:12
Operation mode: layer3
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ethernet1/3, ID: 18
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 10.66.24.60/23
Interface management profile: ping-only
  ping: yes  telnet: no  ssh: no  http: no  https: no
  snmp: no  response-pages: no

Verify whether the DF (Do not Fragment) bit is set to 1 in the packets received by the Palo Alto Networks firewall by looking at Wireshark captures. Compare the size of the packets received by the firewall with the MTU value of the interface. If the size of the received packets exceeds the value set on the interface, the firewall drops the packets and increments the counters above.

Note: When the MTU size is exceeded, it may cause issues loading some websites.

owner: ssunku
Phoenix 05-01-2013 08:29 AM
The command to view incoming logs from the managed firewalls on the M-100 is:
> debug log-collector log-collection-stats show incoming-logs
Incoming log rate = 209.69
Detail counts by logtype:
traffic:115854811 config:10 system:10273 threat:108598180 appstat:0 trsum:0 thsum:0 event:0 alarm:0 hipmatch:0 userid:0
Inbound logger stats:
traffic: logcount:115854811 blkcount:16402
config: logcount:10 blkcount:8
system: logcount:10273 blkcount:179
threat: logcount:108598180 blkcount:16164
appstat: logcount:0 blkcount:0
trsum: logcount:4220956 blkcount:589
thsum: logcount:2413 blkcount:17
event: logcount:0 blkcount:0
alarm: logcount:0 blkcount:0
hipmatch: logcount:0 blkcount:0
userid: logcount:0 blkcount:0
Num Entries in trsum:134455
Num Entries in thsum:0
Num WIP blocks:1
Num blocks in write queue:0
Num blocks in Summary Calc queue:0
Num blocks in Summary Flush queue:0

See also
For more details, refer to:
PAN-OS Command Line Interface Reference Guide Release 5.0
Command Line Interface (CLI) Reference Guide Release 6.0
Command Line Interface (CLI) Reference Guide Release 6.1

owner: kadak
kadak 01-10-2013 08:30 AM
Details

Managing users and groups through the CLI can be a time saver when creating multiple users. Here is a list of useful CLI commands for user and group management.

Creating a user:
# set shared local-user-database user testuser
The above command is very useful when you want to add several users to the firewall at the same time. From the GUI, adding each user one by one takes a lot of time.

Setting the password hash for a user:
# set shared local-user-database user testuser phash <passwordhash>

Creating a user group:
# set shared local-user-database user-group testgroup

Show the user groups:
# show shared local-user-database user-group testgroup

Putting a user in a group:
# set shared local-user-database user-group testgroup user ppatel

Display group information:
# show shared local-user-database user-group testgroup
testgroup {
  user ppatel;
}
[edit]

Note: All the above commands need to be run in configuration mode. A commit is also required once all the users have been created and put into groups.

owner: ppatel
ppatel 07-10-2012 04:54 PM
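The bulk-creation use case the article above mentions is easiest to handle by generating the commands from a list. The following Python script is an added example and is not part of the article or of any Palo Alto Networks tool: it turns a constructed CSV of username/group rows into the same set commands the article lists, validates every name against an assumed conservative pattern before emitting anything (so a malformed row cannot turn into an unintended command), de-duplicates memberships, and deliberately does not emit password hashes, which are set separately per user. The output is pasted into configuration mode and followed by a commit.

```python
"""Generate PAN-OS local user database CLI commands from a CSV of memberships.

Added example, not part of the original article. Input is a CSV with the
columns username,group (constructed sample below). Output is the list of
`set shared local-user-database ...` commands to paste into configuration
mode. Passwords/hashes are intentionally not handled here.
"""
import csv
import io
import re

# Constructed sample input; the names are placeholders, not real accounts.
SAMPLE_CSV = """\
username,group
ppatel,testgroup
asmith,testgroup
asmith,vpn-users
bad name!,testgroup
"""

# Assumed conservative name rule for this example (PAN-OS's own limits may differ):
# letters, digits, dot, underscore and hyphen, 1 to 31 characters.
NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,31}$")


def validate_name(name):
    """Return True if the name is safe to embed in a CLI command."""
    return bool(NAME_RE.match(name))


def load_memberships(csv_text):
    """Parse CSV rows into (user, group) tuples, rejecting invalid names.

    Returns (memberships, errors). Memberships keep input order with
    duplicates removed; errors is a list of human-readable messages.
    """
    memberships, errors, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        user, group = row["username"].strip(), row["group"].strip()
        if not validate_name(user) or not validate_name(group):
            errors.append(f"invalid user/group name: {user!r}/{group!r}")
            continue
        if (user, group) in seen:
            continue
        seen.add((user, group))
        memberships.append((user, group))
    return memberships, errors


def build_commands(memberships):
    """Emit each user and group once, then the memberships, in a stable order."""
    commands = []
    for user in sorted({u for u, _ in memberships}):
        commands.append(f"set shared local-user-database user {user}")
    for group in sorted({g for _, g in memberships}):
        commands.append(f"set shared local-user-database user-group {group}")
    for user, group in memberships:
        commands.append(f"set shared local-user-database user-group {group} user {user}")
    return commands


if __name__ == "__main__":
    members, problems = load_memberships(SAMPLE_CSV)
    for problem in problems:
        print("skipped:", problem)
    print("\n".join(build_commands(members)))
    print("commit")
```

Rejected rows are reported rather than silently dropped, so a typo in the source list is caught before anything reaches the firewall; users and groups are emitted before the membership lines because the membership command refers to both.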