Management Articles

Featured Article
Issue
A VPN tunnel goes down and comes back up. A look at the global counters shows that the flow_fwd_zonechange counter is incrementing:

> show counter global

Cause
The flow_fwd_zonechange counter indicates that the egress zone of a packet does not match the egress zone of the matching session. For this reason, the packet is dropped and the flow_fwd_zonechange counter is incremented.

Scenario 1
Packets are dropped due to a route change. The flow_fwd_zonechange counter increments when a packet is to be forwarded, but the zone of the egress interface does not match the egress zone in the session, because of a route change that happened while the tunnel was not up. To verify global counter increments, refer to the knowledge base article How to Check Global Counters for Specific Source and Destination IP Address.

In this scenario, the initial routing table is as follows:
0.0.0.0/0 metric 10 untrust zone.
A tunnel route to 10.10.10.10/24 through 1.1.1.1 metric 5 tunnel-zone.

When the tunnel goes down, the tunnel route is removed from the table and the default route is used for the 10.10.10.10 network in the untrust zone. When the tunnel comes back up, the firewall considers this a zone change and drops the packets, incrementing the flow_fwd_zonechange counter.

Resolution 1
All sessions destined to the untrust zone when going to 10.10.10.10/24 need to be cleared and re-initiated. To avoid this zone change, create a dummy IP address (for example, loopback interface IP address 5.5.5.5) in the tunnel zone to make the routing table look like this:
0.0.0.0/0 metric 10 untrust zone.
A tunnel route to 10.10.10.10/24 through 1.1.1.1 metric 5 tunnel-zone.
Another tunnel route to 10.10.10.10/24 through 5.5.5.5 metric 10 tunnel-zone.

This forces the traffic to use the route with metric 10 in the same tunnel zone when the primary tunnel route fails, so no zone change occurs when the tunnel comes back up.

Scenario 2
Packets designated to exit out of an ingress interface are dropped by the firewall with "flow_fwd_zonechange".

Resolution 2
In this case, the interface had a /32 (host) mask instead of /24 (network). Make sure that the interface is showing as a /24, for example 10.10.10.1/24.

owner: pvemuri
pvemuri ‎10-23-2018 12:33 PM
Details

Commit warning message
The following warning displays during a commit if a block or allow list contains an entry using multiple wildcards:

Warning: Nested wildcard(*) in URLs may severely impact performance. It is recommended to use a single wildcard to cover multiple tokens or a caret(^) to target a single token.

Reason for the warning message
The asterisk (*) character is used as a wildcard token in the FQDN and path for custom URL filtering. The Palo Alto Networks firewall accepts multiple wildcard tokens in the field (for example, *.*.domain.com) and processes them appropriately. However, as the number of wildcard tokens increases, the load on the system CPU increases exponentially (for example, *.*.*.domain.com, or even *.*.domain.com). Therefore, we recommend avoiding nested asterisks (*) in practical usage.

Wildcard usage and examples

"*" (asterisk)
Usage: matches one or more subdomains. The asterisk (*) wildcard does not respect the period (.) as a delimiter and will continue matching as a wildcard until a subdomain, domain or top-level domain is matched.
Example: sub1.*.*.com will match sub1.sub2.sub3.com, and *.*.sub3.com will match sub1.sub2.sub3.com. However, this should be avoided as a best practice, because nested asterisks can create a performance impact on the device. Instead, as a best practice you can use sub1.*.com or *.sub3.com; either will match sub1.sub2.sub3.com.

"^" (caret)
Usage: matches only one subdomain. The caret (^) wildcard does respect the period (.) as a delimiter and will stop matching as a wildcard once a match has occurred.
Example: sub1.^.^.com and ^.^.sub3.com are able to match sub1.sub2.sub3.com. Hence, ^.sub3.com and sub1.^.com are not able to match sub1.sub2.sub3.com, since the caret (^) only matches one subdomain.

If you'd like to replace "*" with "^", the following replacements are required. x.*.net is partially covered by the following:
x.^.net
x.^.^.net
x.^.^.^.net
(continued...)

Nested carets have a practical limit of 9 carets, for the same DP resource usage reason given above.

Same limitation for path
This limitation also applies to the pattern matching on the path after the FQDN (i.e. http://<FQDN>/<path>), though the commit warning message above is not thrown for the path. The practical limit for nested asterisks in the path is 2, but we highly recommend using the minimum number of asterisks for better DP utilization (CPU load / memory usage).

Side note: Currently there is a limitation that the asterisk and caret should not be used in the same configuration. As mentioned above, the caret cannot be fully replaced with the asterisk. Therefore, replacing nested asterisks with a single asterisk is considered the best solution for most customers in practice. "1" for nested asterisks in the path and "9" for nested carets are the practical numbers we suggest. Please consider using the lowest number possible for better DP load (especially on lower-end platforms).
sunright ‎10-23-2018 12:32 PM
Overview
The Palo Alto Networks device needs to be booted into maintenance mode, but a console cable is not available. This document describes how to use SSH to connect to a Palo Alto Networks device that has been booted into maintenance mode.

Steps
1. Prior to rebooting, run show system info and write down the management IP address and the device serial number (case sensitive).
2. Reboot your Palo Alto Networks device into maintenance mode with debug system maintenance-mode.
3. Now open a terminal window (Mac) or another SSH client (for example, PuTTY) and connect to the management IP.
   User: maint
   Password: device serial number (case sensitive; any letters should be upper case)

The screenshot below shows an established SSH connection in maintenance mode.

owner: rvanderveken
rvanderveken ‎10-23-2018 12:32 PM
This article has been deprecated, please follow this link instead: Transition From an Evaluation to a Paid License  
bfrentz ‎09-19-2018 02:41 PM
Overview
The GlobalProtect Portal configuration allows the user to define whether the GlobalProtect user can "disable" the GlobalProtect agent on the local machine. From the WebGUI, go to Network > GlobalProtect > Portals > Client Configuration.

Symptom
If the option is set to "disabled," you only allow the user to click on the "Disable" option within the GlobalProtect agent. This configuration works fine on PC, Mac and Android platforms.

There is a restriction for this option on iOS devices (iPhone, iPad), which prevents it from working. This is the expected behavior and is due to a limitation on interacting with the operating system. The user can always disable the VPN connection from the global Settings menu, regardless of the GlobalProtect configuration.

In GlobalProtect version 2.2 and above, there is one behavior change: the user can disconnect the VPN connection from the GlobalProtect client, but subsequent traffic will re-initiate the connection if the mentioned option is set to "Disable." However, the user can still disable the VPN through the system settings.

Workaround
Create different proxy policies within .pac files that will be pushed to users:
Create a URL hosting a .pac file, for example: http://
The <server_name> should resolve to a private IP within the corporate network (or when the client is connected to the GlobalProtect Gateway).
<server_name> should resolve to a public IP if the client is not within the corporate network (using public DNS servers, which are not pushed by the GlobalProtect Gateway).
Depending on the DNS resolution, the .pac file will be fetched from different servers and will provide a different configuration. The internally fetched .pac will tell the client to forward all http(s) requests directly to the Internet, and the externally fetched .pac will force the client to redirect all traffic to a page asking the user to enable the GlobalProtect client VPN connection in order to have Internet access.

A proxy configuration can be pushed to the clients using an MDM solution.

owner: nmarkovic
nimark ‎09-18-2018 11:27 AM
Issue
Sometimes when PAN-OS 7.0 or above is downloaded on a Palo Alto Networks firewall, the download may fail and display the following error: "Failed to download due to server error. Please try again later. Failed to download file".

Detail
Use the following CLI command to review the ms.log:

> less mp-log ms.log

Look for a similar error message:

"2014-07-18 16:20:15.701 -0600 Error: _pan_mgmtop_system_upgrade_download_version(pan_ops_common.c:9107): Failed to purge old uploaded files grep: /tmp/pan/downloadprogress.10999: No such file or directory"

The following is the output of the CLI command > less mp-log ms.log

Resolution
To resolve, follow the steps below:
1. In the WebGUI, go to Device > Software.
2. To check for the latest software version, click 'Check Now' in the lower left corner.
3. Go to the software version to download and click Download.
achalla ‎09-17-2018 09:31 AM
Overview
The following procedure explains how to configure RADIUS on Windows 2008 Server.

Details
To configure RADIUS (or Network Policy Server, in Windows 2008), add a RADIUS client. Inside the Network Policy Server (Start > Administrative Tools > Network Policy Server), right-click RADIUS Clients and select New RADIUS Client. Complete the form using the IP address of the Management Interface of the Palo Alto Networks device and the password configured for RADIUS on the Palo Alto Networks device. Then click OK.

Use the default Connection Request Policy. There is no need to create a new one.

Configure a Network Policy: right-click Network Policies within the Network Policy Server, then click New.

Other User Groups besides the Domain Users group can be used.

Select Unencrypted Authentication (PAP, SPAP).

Click Next; the defaults are fine.

Click Next; the defaults are fine.

owner: panagent
nrice ‎09-14-2018 01:08 PM
Issue
If the "scp export logdb" command is used on the CLI of a PA-7050, it will not export Traffic, Threat, Data Filtering and URL logs. This command does not pick up any logdbs from the log card, so those logs are not included. This is expected behavior for the PA-7050 platform. The "scp export logdb" command will export only the system, config and alarm logdbs.
gbogojevic ‎09-14-2018 12:38 PM
Overview
GlobalProtect clients are installed on Windows 7/8 machines. Following the install, there are multiple login tiles for the same user account. The issue is present regardless of whether the screen is locked, the account is logged off or the workstation is rebooted.

Issue
The issue was isolated to the workstation in question, which utilizes a Fingerprint Logon CP (Credential Provider). The end result in certain scenarios is duplicate SSO logon tiles, as seen above.

Resolution
Workarounds in this case are as follows:

Option 1
DISABLE the Fingerprint Logon CP, as the GP client will utilize its own built-in CP. The conflict would be removed and the issue should no longer be present (though obviously customers may wish to utilize this functionality).

Option 2
DISABLE our Logon CP, which should still allow full functionality of the GP client while allowing the use of the 3rd-party Fingerprint CP. This workaround requires issuing the following commands via the CLI:
1. Via the command prompt, run the following:
"c:\program files\Palo alto networks\globalprotect\PanGPUpdater.exe" -u
2. Restart the PC and verify whether duplicate login options are still present. If duplicate tiles are no longer present, proceed with step 3.
3. Via the command prompt, run the following:
"c:\program files\Palo alto networks\globalprotect\PanGPUpdater.exe" -c
4. Log off (or restart) and verify whether duplicate login options have returned.

The desktop should now be restored to expected functionality without duplicate users.

Note: As of GP Client v1.2.x the previous utility (PanGPUpdater.exe) has been merged into the service process, hence the removal of this executable altogether. The workaround still stands, though now referencing 'PanGPS.exe', i.e.:
1. Via the command prompt, run the following:
"c:\program files\Palo alto networks\globalprotect\PanGPS.exe" -u
2. Restart the PC and verify whether duplicate login options are still present. If duplicate tiles are no longer present, proceed with step 3.
3. Via the command prompt, run the following:
"c:\program files\Palo alto networks\globalprotect\PanGPS.exe" -c
4. Log off (or restart) and verify whether duplicate login options have returned.

owner: bryan
bryan ‎09-14-2018 12:21 PM
Issue
If the GlobalProtect VPN is deployed in "on-demand" mode, remote GlobalProtect Agent clients are able to connect to the VPN network by right-clicking the GlobalProtect Agent icon in the Taskbar and choosing the "Connect" option from the drop-down list, as shown in the following picture.

If the remote user changes the IP address in the Portal field of the GlobalProtect Agent, the "Connect" option in the drop-down list becomes inactive and cannot be used to connect to the VPN. Instead, the user needs to select the "Open" option to open the whole GlobalProtect Agent application and navigate to Settings in order to establish a connection.

Explanation
If the Portal's IP address in the GlobalProtect Agent is changed to a new one, the GlobalProtect Agent flushes the existing configuration, considering it obsolete since it was given by the old Portal. This basically means that it resets the original "on-demand" mode and instead falls back to the default user-logon mode until a new configuration is downloaded. In user-logon mode, the "Connect" button is always greyed out until the GlobalProtect Agent connects. Once the connection is established, the "Disable" button becomes active.
djoksimovic ‎09-14-2018 12:11 PM
Palo Alto Networks suggests using the following settings for port allocation on the Terminal Server Agent:

If the Port Allocation Start Size per User is set to 400 and the Port Allocation Maximum Size per User is set to 4000, each time a user uses up 400 ports the TS-Agent will allocate another 400 ports until the maximum of 4000 is reached, at which point the allocation will fail. If a user application connects and closes a connection to the same destination port multiple times in a very short time, the source ports can be used to connect to another destination port. If the TCPTimedWaitDelay on the Windows server hasn't expired from the previous connection, the same destination port cannot be used. The TCPTimedWaitDelay can be decreased to a smaller value (valid range is 30-300 seconds; default is 240) to free up the destination port.

It is also possible to decrease the Port Allocation Start Size per User and the Port Allocation Maximum Size per User if there is a need to free up ports to allow more user connections.

The Source Port Allocation Range can be configured between 1 and 65535, but it is also required to reserve the server's own source ports (Reserved Source Ports) to ensure they aren't allocated to users. You can verify the user-to-port-range mapping by viewing the TS-Agent Monitor to determine current users and port allocations. Refresh the count by clicking Refresh Port Counts.

owner: panagent
nrice ‎09-14-2018 12:02 PM
While configuring firewalls to forward logs to the Logging Service based on the steps provided in the following document, you might run into an issue where the drop-down for 'Region' is empty and won't display the region on Panorama and the firewall. This is a mandatory step in the configuration to enable log forwarding to the Logging Service [Step 4]:

https://www.paloaltonetworks.com/documentation/10/cloud-services/logging-service-gsg/get-started-with-logging-service/configure-the-firewalls-to-forward-logs-to-the-logging-service#id177S00F0R2G

Logs:
The firewall will show the following error when you attempt to see customerinfo:

lcaas_agent.log for the Logging Service shows a '502 Bad Gateway' error:

To fix this:
You will need to enable the 'Region' from the Panorama CLI using the following commands:
1. Log in to the Panorama CLI.
2. Enter configure mode using the command "configure".
3. Run "set template <template_name> config deviceconfig setting logging logging-service-forwarding enable yes logging-service-regions <region>"
4. Commit.
<template_name> is the template the device is part of. <region> can be americas, europe, etc.
5. Then push the changes to the firewall. Verify the Device > Setup > Management page to make sure the Region populates correctly.
ptarra ‎09-12-2018 08:49 AM
Issue
A PCI compliance scan failed for the GlobalProtect IP address because it is not using a minimum version of TLS 1.2.

Cause
Running PAN-OS 6.1.4 and below, by default the GlobalProtect Agent connects using TLS 1.0.

Resolution
To resolve this, configure a minimum version of TLS to be used to secure the connection between the GlobalProtect agent and the firewall.

Steps
1. Go to Device > Certificate Management > SSL/TLS Service Profile and create a new profile.
2. Go to the GlobalProtect configuration under Network > GlobalProtect.
3. Map the newly created SSL/TLS service profile to both the portal and the gateway configuration.
4. Commit the configuration.
5. Reconnect to GlobalProtect from the client machine.
rchougale ‎09-07-2018 01:15 AM
Overview
When configuring a Palo Alto Networks Next Generation Firewall, a certificate signed by a trusted public Certificate Authority (CA) may be desired on:
Captive Portal ("CP") pages
Response Pages
GlobalProtect ("GP") Portal

Many public CAs use chained certificates, that is, certificates not signed by the Root CA itself but by one or more Intermediate CAs. These are usually owned and operated by the same CA, but they give that CA flexibility and ease of revocation if a problem arises.

Steps

1. Requesting the certificate
Depending on which PAN-OS version is installed on the firewall, a private key and CSR may need to be generated with a third-party program such as OpenSSL. If using PAN-OS 5.0, refer to How to Generate a CSR (Certificate Signing Request) and Import the Signed Certificate.

2. Creating the combination certificate
When a certificate is not signed by the Root CA, the intermediate CAs should be sent to clients in case those clients do not already have the intermediate CAs in their trusted key store. To do that, create a combination certificate that consists of the signed certificate (CP, GP, and so on) followed by the intermediate CAs. The image below shows two, but the same process is valid for only one intermediate CA or several.

To get each of these certificates:
Open the "Server Cert" file sent by the CA. In Windows, the certificate dialog box has three tabs: General, Details, and Certification Path.
Click the Certification Path tab and click the certificate one step above the bottom.
Open that certificate, click the Details tab, then Copy To File. Save the file as a Base-64 encoded X.509 (.CER) formatted certificate.
Do the same for all certificates in the chain except the top (Root).
Open each certificate .CER file in a plain-text editor (such as Notepad).
Paste each certificate end-to-end, with the Server Cert on top and each signer below that.
Save the file as a .TXT or .CER file.
Note: The name of the file cannot contain spaces, as this may cause the import to fail.

3. Importing the certificate
Take the combined certificate and import it on the firewall. In PAN-OS 5.0 and above, the private key is already on the firewall. Follow these steps to import the certificate: How to Generate a CSR and Import the Signed CA Certificate

Workaround
In the event that you cannot generate a new CSR but still need to export a certificate, try these steps:
Export the current certificate from the firewall in PEM format with the private key exported.
Open the cert in a text editor.
Separate the public key from the private key into two separate text files (being careful not to add any spaces).
Save the private key text file and keep it aside.
Edit the file containing the public key so that the public key is at the top, add the intermediate CA below it as in the URL shared, and save the file.
Delete the certificate already on the firewall.
Import the private key with the edited certificate.

owner: gwesson
gwesson ‎08-30-2018 07:00 AM
Issue
When running the "show routing route" command, the routing table of the Palo Alto Networks firewall displays multiple entries for the same route (prefix and mask).

Details
This is expected behavior, because the Palo Alto Networks firewall routing scheme is designed to take the best route from each protocol and put them all into the routing table. The best route is then selected among them based on the Administrative Distance (AD) value of the routing protocol each route came from, and that route is marked with flag A, stating that it is the Active route.

For example:

> show routing route
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp, Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2

VIRTUAL ROUTER: default (id 1)
==========
destination        nexthop            metric  flags  age    interface     next-AS
...
10.175.0.0/16      10.175.59.1        10      A S           ethernet1/2
10.175.0.0/16      192.168.200.99             ?B     92699                0

The route marked with the A flag is further installed into the RIB and FIB tables and used for traffic forwarding.

See Also
Understanding Route Redistribution and Filtering
djoksimovic ‎08-28-2018 10:38 AM
To check the severity of a certain file type supported in the file blocking profile on the Palo Alto Networks firewall, run the following command in a CLI session:

show threat id <file type ID>

To get the severity of the "zip" file type, run the following command:

admin@PA-VM-Dragoslav-1> show threat id 52004

ZIP file upload or download has been detected. A ZIP file is a compressed archive. It can contain only one file or many files in multiple directories. ZIP utilities allow you to extract single files or a complete directory structure. This file detection might also include a JAVA JAR archive file, since the JAR file is based on the ZIP format with an optional manifest file.

low

file-blocking

http://www.pkware.com/index.php?option=com_content&task=view&id=64&Itemid=107
djoksimovic ‎08-28-2018 10:37 AM
GlobalProtect versions 2.1.1-25 and above

Issue
The GlobalProtect Agent fails to connect to the GlobalProtect portal when using the portal's FQDN. It generates the following error message:

(T8728) 02/13/15 13:58:55:137 Info (2184): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_SECURE_FAILURE, this=0000000001CE29A0)
(T8728) 02/13/15 13:58:55:137 Info (2197): winhttpObj, dwCertError is:
(T8728) 02/13/15 13:58:55:137 Info (2202): WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID

This issue is not seen when the portal's IP address is configured in the GlobalProtect Agent instead of the FQDN.

Explanation
The GlobalProtect Agent performs an additional check in order to protect the SSL connection with the portal by comparing the portal certificate's common name (CN) with the FQDN configured in the GlobalProtect Agent. The GlobalProtect Agent will consider the portal's certificate invalid if the CN doesn't match the locally configured FQDN.
djoksimovic ‎08-28-2018 10:36 AM
Explanation
To check which version of OpenSSH the Palo Alto Networks firewall (PAN-OS) is running, open a telnet session to the firewall's management interface on port 22, which simulates an SSH session. The firewall will close the session and reply with a connection status message that includes the OpenSSH version in use. Here is an example:

dragoslav@dragoslav:~$ telnet 10.193.80.51 22
Trying 10.193.80.51...
Connected to 10.193.80.51.
Escape character is '^]'.
SSH-2.0-OpenSSH_11.1
Connection closed by foreign host.

In this example, the Palo Alto Networks firewall is using OpenSSH version 11.1.
djoksimovic ‎08-28-2018 10:36 AM
Issue
The Palo Alto Networks firewall currently doesn't have SNMP OIDs to monitor IPSec tunnel status, so network management systems cannot rely on the SNMP protocol to receive notifications when an IPSec tunnel on the Palo Alto Networks firewall changes its status.

Workaround
Perform the following workaround on the Palo Alto Networks firewall:
1. Configure and enable the IPSec Tunnel Monitor feature for the desired IPSec tunnel (https://live.paloaltonetworks.com/docs/DOC-1323).
2. Configure a Syslog server profile to send syslog messages to the desired Syslog server (https://live.paloaltonetworks.com/docs/DOC-3837).
3. Go to Device > Log Setting > System to send logs to the previously created Syslog server.

When the tunnel monitor fails, the firewall generates the following message in the system log:

Time                 Severity  Subtype  Object         EventID  ID  Description
===============================================================================
2015/03/15 13:24:34  low       vpn      <object name>  tunnel-  0   Tunnel <tunnel name> is down

The Syslog server receives a "tunnel down" message. After the IPSec tunnel is brought up, the tunnel interface also goes up and a new message "tunnel is UP" is generated in the system logs. That newly generated log is then sent to the Syslog server.
djoksimovic ‎08-28-2018 10:35 AM
Details
A question mark next to a route in the routing table symbolizes the "loose" flag.

This flag is often used for routes coming from the BGP protocol, because the next-hop attribute is not changed among iBGP neighbors, so the routed process must do a recursive routing lookup to determine the real next-hop IP of the given route.

See this example:

> show routing route
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp, Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2

VIRTUAL ROUTER: default (id 1)
==========
destination        nexthop            metric  flags  age    interface     next-AS
...
10.10.0.0/16       192.168.200.99             ?B     92699                0
10.150.0.0/17      10.150.59.1        10      A S           ethernet1/2

owner: djoksimovic
djoksimovic ‎08-28-2018 10:35 AM
The GlobalProtect agent collects vendor-specific data about the end-user security packages that are running on the computer (as compiled by the OPSWAT global partnership program) and reports this data to the GlobalProtect gateway for use in policy enforcement. Following are the third-party vendor products that GlobalProtect can detect using the specified OPSWAT SDK.

The attached PDF documents pertain to GlobalProtect version 4.0.x.
srajasekar ‎08-28-2018 10:30 AM
PAN-OS 6.1+

Issue
The system log on the Palo Alto Networks firewall generated a message saying that one of the physical ports assigned to a given Aggregate Ethernet (AE) interface was taken out of the AE group and then brought back after a minute.

2015/03/08 19:55:44 critical lacp    ethern nego-fa 0  LACP interface ethernet1/2 moved out of AE-group ae1. Selection state Selected
2015/03/08 19:55:45 critical lacp    ethern lacp-up 0  LACP interface ethernet1/2 moved into AE-group ae1.

Cause
The aggregate interface has auto LACP enabled, which means that LACPDU messages are exchanged with a peer to dynamically negotiate LACP parameters and establish and maintain the AE interface status. LACPDU messages are sent out of every physical interface member of any given AE group.

The LACP feature has three main state machines: Selection, MUX, and RX.

The RX machine examines data in the received LACPDUs and updates the peer's state. If no LACPDU messages have been received from the peer device during the past 3 intervals, the RX state machine for the given interface goes from CURRENT (operational) to EXPIRED (non-operational) status. This activity appears in the System log as an interface taken out of the AE group.

The firewall has a dedicated daemon on the management plane (MP) for the LACP protocol called "l2ctrld." The logs it generates are stored in the l2ctrld.log file in the /var/log/pan folder. In /var/log/pan/l2ctrld.log you can see the following entries:

2015-03-08 19:55:44.766 -0400 ethernet1/2 idx 17, current_while expired.
2015-03-08 19:55:44.766 -0400 ethernet1/2 idx 17, rx state change CURRENT=>EXPIRED
2015-03-08 19:55:44.767 -0400 ethernet1/2 idx 17, mux state change RX_TX=>ATTACHED
2015-03-08 19:55:44.767 -0400 post LACP event to DP: if_idx 17, up 0
2015-03-08 19:55:44.767 -0400 log ethernet1/2 idx 17 leaves lag. sel state Selected
2015-03-08 19:55:45.017 -0400 ethernet1/2 idx 17, mux state change ATTACHED=>RX_TX
2015-03-08 19:55:45.017 -0400 ethernet1/2 idx 17, mux state in RX_TX
2015-03-08 19:55:45.017 -0400 post LACP event to DP: if_idx 17, up 1
2015-03-08 19:55:45.017 -0400 log ethernet1/2 idx 17 join lag
djoksimovic ‎08-28-2018 08:38 AM
Issue
The WebGUI is sluggish or unresponsive.
Admins who have already logged out are still shown as logged in.
An authorization code has been entered but the license has not been activated or updated.
Logs are not showing up inside the WebGUI.
The CLI command > show system resources shows the mgmtsrvr process using excessive memory.

Resolution
To resolve these issues, it is recommended that you restart the Management server process. Use the following steps to restart the Management server process:

Enter the CLI command:

PAN-OS 6.1
> debug software restart management-server

PAN-OS 7.0 and above
> debug software restart process management-server

Note: This restarts the 'mgmtsrvr' process. If there are any logged-in admins when this happens, they will be kicked from the WebGUI as well as the CLI. After a couple of minutes, log into the WebGUI or CLI again.

To check on the Management server process, run the CLI command:

> show system resources | match mgmtsrvr

This should show it using far less memory than before. The WebGUI should now function correctly.

> show system resources | match mgmt
2140       20   0  708m 484m 9828 S    2 12.9   8:13.06 mgmtsrvr

owner: jdavis
panagent ‎08-22-2018 03:35 AM
Requirements
VM Panorama running on ESXi.
Panorama running in 'system-mode: panorama'. Check the system mode using either of the following methods: from the CLI, issue the '> show system info' command; from the GUI, check the 'General Information' widget on the Dashboard.
PAN-OS 8.0.0 or later.

Add interface to VM in vSphere
1. Log into vSphere.
2. Right-click the VM Panorama guest and select 'Edit Settings'.
3. In the settings window, add a new network device and select the appropriate port group. Click 'OK'.
4. Wait until vSphere reports that reconfiguring the virtual machine is complete.
5. Reboot Panorama (this may be done now, or at the end of the procedure).

Configure interface in Panorama
1. Choose an IP address that is not in use. This example will use 10.8.56.6.
2. Log into Panorama and click on the Panorama tab.
3. Configure ethernet1/1 under Panorama > Setup > Interfaces.
   NOTE: The interfaces will show up in Panorama in the order in which they are added to the VM in ESXi. For example, the second interface added to the VM will be presented in Panorama as ethernet1/1. Subsequent interfaces will be presented as ethernet1/2, ethernet1/3, etc.
4. Click 'OK'.
5. Ensure the local Panorama is configured as a log collector and is a member of a collector group. It doesn't need to actually be collecting logs, but it does need to be a member of a collector group. For instructions on configuring a log collector and log collector group, see the Panorama admin guide.
6. Commit to Panorama.
7. Perform a collector group commit.
8. Reboot Panorama if you haven't done so earlier.

At this point, the interface should respond to the configured services.
cstancill ‎08-21-2018 07:54 AM
1,014 Views
0 Replies
To download software: Log in to the Support Portal and click the Software Updates link.

To receive notifications when this document is updated, see Email Notifications for Subscribed Activities.

Version   Release Date
8.0.12    10-Aug-18
8.0.11    27-Jun-18
8.0.10    15-May-18
8.0.9     4-Mar-18
8.0.8     12-Feb-18
8.0.7     28-Dec-17
8.0.6     14-Nov-17
8.0.5     21-Sep-17
8.0.4     27-Jul-17
8.0.3     19-Jun-17
8.0.2     1-May-17
8.0.1     15-Mar-17
8.0.0     7-Feb-17
‎08-09-2018 11:16 PM
27,747 Views
2 Replies
6 Likes
This article can assist you in importing the policies of an existing Palo Alto Networks firewall into Panorama.

Assumptions
- You have a configuration on your Palo Alto Networks firewall.
- An instance of Panorama is up and running with the same version of PAN-OS (or higher).
- You have Web and CLI administrator access to both the firewall and Panorama.
- The firewall has been configured to connect to Panorama in Device > Setup > Management > Panorama Settings.
- The firewall's serial number has been added to Panorama and a Panorama commit has been completed.
- Panorama shows that the firewall is connected in Panorama > Managed Devices.

Steps
1. On Panorama, navigate to Panorama > Setup > Operations.
2. Click "Import device configuration to Panorama."
3. Select the appropriate device and name the Template and Device Group accordingly. For each virtual system (vsys) on the firewall, Panorama automatically creates a device group to contain the policy and object configurations.
4. Click "OK". The configuration of the firewall is imported to Panorama.
5. Commit locally to Panorama to save the new Device Group and Template created by the import.
6. Push the imported configuration back to the firewall: on Panorama, navigate to Panorama > Setup > Operations, click "Export or push device config bundle" and choose either "Push & Commit" or "Export."
   Push & Commit: This option overwrites any local configuration on the firewall with the firewall configuration stored on Panorama. This succeeds where a normal commit would generate errors for objects and rules that exist on both Panorama and the firewall. When you choose "Push & Commit" a job is triggered on Panorama and its progress can be followed in the Job Status details.
   Export: This option exports the configuration to the firewall but does not load it. Load the configuration manually from the firewall CLI by running the command "load device-state", then commit. When you choose "Export" a job is triggered on Panorama and its details can be followed in the same way.
   Note: The above two options ("Push & Commit" and "Export") are available only for firewalls running PAN-OS 6.0.4 and later releases.
7. After this is performed, Push to Devices and select the options "Merge with Device Candidate Config", "Include Device and Network Templates", and "Force Template Values".

Caveats and important notes:
- If you had previously broken a firewall off from Panorama under Device > Setup > Panorama Settings > Disable Panorama Policy and Objects / Disable Device and Network Template and are now re-importing it into the same or another Panorama, you WILL have to ensure those options are enabled again before the Push & Commit or Export. The Push & Commit deletes all local configuration, so leaving the options that disable Panorama's config in place prevents Panorama from giving the firewall any configuration, including its management IP and default gateway (only console access would be possible at that point).
- If multiple devices are being imported and then moved to one device group, they MUST first be imported into their own new Device Group/Template following the steps above. Only once they are showing properly in their own Device Groups/Templates and have received all configuration pushed from Panorama can you place them into a single Device Group/Template, after which you must Commit locally to Panorama and then Push to Devices while selecting "Merge with Device Candidate Config", "Include Device and Network Templates", and "Force Template Values".
- If importing a new device into Panorama via the Import Device Configuration to Panorama option, after adding its serial number to Panorama's Managed Devices you must ensure it is NOT part of a Device Group/Template before performing the import, otherwise it will not show as an available device to import the configuration from.
- When performing the Import, ONLY the Running Config on the firewall is imported. Any changes that exist only in the Candidate Config (not yet committed on the firewall) will NOT be imported.
achalla ‎08-07-2018 05:36 AM
35,221 Views
6 Replies
3 Likes
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Check-the-NAT-Buffer-Pool/ta-p/57039
Farman ‎08-02-2018 01:27 PM
1,466 Views
0 Replies
To download software: Log in to the Support Portal and click the Software Updates link.

To receive notifications when this document is updated, see Email Notifications for Subscribed Activities.

Version   Release Date
7.1.19    31-Jul-18
7.1.18    12-Jun-18
7.1.17    24-Apr-18
7.1.16    8-Mar-18
7.1.15    17-Jan-18
7.1.14    27-Nov-17
7.1.13    12-Oct-17
7.1.12    30-Aug-17
7.1.11    6-Jul-17
7.1.10    22-May-17
7.1.9     10-Apr-17
7.1.8     20-Feb-17
7.1.7     3-Jan-17
7.1.6     17-Nov-16
7.1.5     3-Oct-16
7.1.4-h2  22-Aug-16
7.1.4     15-Aug-16
7.1.3     29-Jun-16
7.1.2     16-May-16
7.1.1     18-Apr-16
7.1.0     4-Apr-16
‎07-31-2018 02:06 PM
112,172 Views
10 Replies
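The two release tables above (8.0.x and 7.1.x) are what a patch-compliance check compares a running version against, and the 7.1.4-h2 hotfix entry is the case that naive string sorting gets wrong. The following is an added example, not part of either release listing or of any Palo Alto Networks tool, that encodes the two tables and answers "which listed releases are newer than what this device runs". The version lists are transcribed from the tables; the first 7.1 row is read as 7.1.19, the only value consistent with the descending order and the later 7.1.1 entry.

```python
import re

# Version lists transcribed from the two release tables above (8.0 and 7.1
# trains). Dates are omitted since only ordering matters here.
PAN_OS_8_0 = ["8.0.12", "8.0.11", "8.0.10", "8.0.9", "8.0.8", "8.0.7", "8.0.6",
              "8.0.5", "8.0.4", "8.0.3", "8.0.2", "8.0.1", "8.0.0"]
PAN_OS_7_1 = ["7.1.19", "7.1.18", "7.1.17", "7.1.16", "7.1.15", "7.1.14",
              "7.1.13", "7.1.12", "7.1.11", "7.1.10", "7.1.9", "7.1.8", "7.1.7",
              "7.1.6", "7.1.5", "7.1.4-h2", "7.1.4", "7.1.3", "7.1.2", "7.1.1",
              "7.1.0"]
TRAINS = {"8.0": PAN_OS_8_0, "7.1": PAN_OS_7_1}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(v):
    """'7.1.4-h2' -> (7, 1, 4, 2); '7.1.4' -> (7, 1, 4, 0).

    A hotfix (-hN) supersedes its base release, so it sorts above it. Tuples
    of ints are compared, because plain string comparison would put '7.1.10'
    before '7.1.9'.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version: {v!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def train_of(v):
    """'8.0.9' -> '8.0', the feature release a maintenance release belongs to."""
    major, minor, _, _ = parse_version(v)
    return f"{major}.{minor}"


def latest(train):
    """Newest version string listed for a train name such as '7.1'."""
    return max(TRAINS[train], key=parse_version)


def newer_releases(running):
    """Listed releases in the running version's train that are newer than it,
    oldest first. Returns None for a train the tables do not cover rather
    than guessing.
    """
    train = train_of(running)
    if train not in TRAINS:
        return None
    here = parse_version(running)
    return sorted((v for v in TRAINS[train] if parse_version(v) > here),
                  key=parse_version)


if __name__ == "__main__":
    for v in ("7.1.4", "7.1.4-h2", "8.0.12", "9.0.0"):
        print(v, "->", newer_releases(v))
```

Feed it the "sw-version" value from "show system info" on each device; an empty list means the device is on the newest listed maintenance release of its train, and None means the train is not in these two tables and the check should not claim anything about it.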