Management Articles

Featured Article
Overview
The small form-factor pluggable (SFP) is a compact, hot-pluggable transceiver used for both telecommunication and data communications applications. The PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls accept SFP modules. This document describes how to view the currently installed SFP modules.

Details
From the CLI, run the following command:

> show system state filter sys.sX.pY.phy

where X is the slot and Y is the port; for example, X=1 and Y=21 for interface 1/21.

Typical SFP module output:

> show system state filter sys.s1.p19.phy
sys.s1.p19.phy: { 'link-partner': { }, 'media': SFP-Plus-Fiber, 'sfp': { 'connector': LC, 'encoding': Reserved, 'identifier': SFP, 'transceiver': 10000B-SR, 'vendor-name': OEM , 'vendor-part-number': PAN-SFP-PLUS-SR , 'vendor-part-rev': B4 , }, 'type': Ethernet, }

> show system state filter sys.s1.p21.phy
sys.s1.p21.phy: { 'link-partner': { }, 'media': SFP-Plus-Fiber, 'sfp': { 'connector': LC, 'encoding': Reserved, 'identifier': SFP, 'transceiver': , 'vendor-name': FINISAR CORP.   , 'vendor-part-number': FTLX8574D3BCL   , 'vendor-part-rev': A   , }, 'type': Ethernet, }

Defective SFP module output
If the output appears similar to the sample below, the SFP module may be defective:

sys.s1.p21.phy: { 'link-partner': { }, 'media': SFP-Fiber, 'sfp': { 'connector': vendor specific, 'encoding': Reserved, 'identifier': SFP, 'transceiver': , 'vendor-name': yyyyyyyyyyyyyyyy, 'vendor-part-number': yyyyyyyyyyyyyyyy , 'vendor-part-rev': yyyy, }, 'type': Ethernet, }

Note: To verify the above output, unplug the SFP module from the initial SFP port and plug it into another SFP port. Run the same "show system state filter" command as above. If the output is the same, the module is defective.

owner: gcapuno
gcapuno ‎03-02-2018 03:11 AM
56,699 Views
10 Replies
4 Likes
Symptoms
After performing a factory reset on a PA-200 firewall with PAN-OS 6.1.16 and later (except 7.X and 8.X), the unit is unable to boot up properly and displays a "Fatal exception" error on the console.

Fatal exception: panic in 5 seconds ..Kernel panic - not syncing: Fatal exception

Please Note: When you see this message on your firewall, you will not be able to enter maintenance mode.

Diagnosis
You will see the following output repeatedly via console access after running a factory reset on a PA-200 firewall with PAN-OS 6.1.16 and later (except 7.X and 8.X), and the device cannot boot up. If you see these error messages after you run a Factory Reset, try to recover the system by following the directions in the "Solution" section below.

NOTE: The issue does not appear on PAN-OS 7.X and 8.X. If you need to run a factory reset on a PA-200 running PAN-OS 6.1.16 and later PAN-OS 6.0 releases, we recommend upgrading to PAN-OS 7.X before the factory reset.

Fatal exception: panic in 5 seconds ..Kernel panic - not syncing: Fatal exception
Rebooting in 5 seconds..

Welcome to the PanOS Bootloader.
:
<omit>
:
Traceback (most recent call last):
  File "/usr/local/bin/mrt", line 12, in ?
    import cpldlib
  File "/usr/lib/python2.4/site-packages/cpldlib.py", line 1
    :52  rstory
     ^
SyntaxError: invalid syntax
Traceback (most recent call last):
  File "/usr/local/bin/mrt", line 12, in ?
    import cpldlib
  File "/usr/lib/python2.4/site-packages/cpldlib.py", line 1
    :52  rstory
     ^
SyntaxError: invalid syntax

Solution
If you see the issue on your firewall, try the following steps to resolve it.

Step 1. Type in "other" during the countdown.
Step 2. Select "Disk image".
Step 3. Select "Revert to X.X.X", a version of PAN-OS that is not 6.1.x.
Step 4. Select "Reboot".

If you cannot enter maintenance mode using the "other" option, there is no other way to recover the system. You will need to contact support to request assistance in recovering the system, which will more than likely be an RMA of the unit.

Author: tsakurai
tsakurai ‎01-02-2018 12:08 PM
2,374 Views
0 Replies
Overview
When using the following CLI command, the offloaded traffic is not shown:

> show system statistics session

This document describes how to check the throughput of interfaces using the show system state browser command.

Steps
To see the entire statistics, run the show system state browser command:

> show system state browser

Press Shift+L and click on port stats. Press 'Y' and then 'U'. The information for the first 20 ports will be displayed. To see additional ports, press the space bar and change the port value under the node.

owner: ukhapre
ukhapre ‎11-24-2017 03:18 AM
70,609 Views
19 Replies
3 Likes
Procedure applies for PAN-OS versions 8.0 and below.

Scenario
A standalone M-500 Panorama in Hybrid mode (Panorama device management and local Log Collector configured) faced a hardware issue that requires chassis replacement. The M-500 uses 8 disk pairs for storing the logs received from managed devices.

Naming convention
The faulty M-500 device to be replaced will be called "Old-M-500". The newly received replacement device will be called "New-M-500". You can use any name desired in your environment; these names are used for easier understanding of the operations in the procedure.

Requirements
In order to replace the faulty chassis Old-M-500 we need to have the configuration saved, so that we can import it into the New-M-500. The configuration can be exported by following the procedure in this Live article: How to Back Up Panorama, or by following the administrator manual: Export Panorama and Firewall Configurations. The Old-M-500 has 8 disk pairs that will be moved to the New-M-500.

Procedure details

1) Power down the failed M-500 platform, Old-M-500. (Shutdown Panorama)

2) Configure the New-M-500 in Panorama mode and import the configuration exported from the faulty device:
   Import the Old-M-500 exported configuration into the New-M-500.
   Load the named imported configuration into the New-M-500.
   Modify the Hostname from Old-M-500 to New-M-500.
   Commit the configuration to Panorama.

3) Take the Primary disks from Old-M-500 (A1, B1, C1, D1, E1, F1, G1, H1) and move them to the same Primary positions in New-M-500 (A1, B1, C1, D1, E1, F1, G1, H1). Check the M-500 Hardware documentation for correct identification of the disks (M-500 Hardware Guide). The picture below shows the physical positioning of the drives inside the M-500 devices.

On the New-M-500 we are going to add the Primary Log disks to RAID using CLI commands. We must use the "force" and "no-format" options. The force option associates a disk pair that was previously associated with another Log Collector. The option "no-format" keeps the logs by not formatting the disk storage. In this step we are going to add the Primary log disks only. The Secondary Log Disks will be added towards the end of the procedure, because the Secondary Log Disks are used as data backup and we do not want to use them until the migration of logs is confirmed.

In our example we have 8 Active RAID pairs (A, B, C, D, E, F, G, H). The full list of commands to attach the 8 primary disks is:

admin@New-M-500> request system raid add A1 force no-format
admin@New-M-500> request system raid add B1 force no-format
admin@New-M-500> request system raid add C1 force no-format
admin@New-M-500> request system raid add D1 force no-format
admin@New-M-500> request system raid add E1 force no-format
admin@New-M-500> request system raid add F1 force no-format
admin@New-M-500> request system raid add G1 force no-format
admin@New-M-500> request system raid add H1 force no-format

4) Check the disk adding status by verifying the status and RAID status:

> show system raid detail

Example output for 8 primary disks inserted, after the adding operation ends:

admin@New-M-500> show system raid detail
Disk Pair A                           Available
   Status                       clean, degraded
   Disk id A1                           Present
       model        : ST91000640NS
       size         : 953869 MB
       status       : active sync
   Disk id A2                           Missing
Disk Pair B                           Available
   Status                       clean, degraded
   Disk id B1                           Present
       model        : ST91000640NS
       size         : 953869 MB
       status       : active sync
   Disk id B2                           Missing
....
Disk Pair G                           Available
   Status                       clean, degraded
   Disk id G1                           Present
       model        : ST91000640NS
       size         : 953869 MB
       status       : active sync
   Disk id G2                           Missing
Disk Pair H                           Available
   Status                       clean, degraded
   Disk id H1                           Present
       model        : ST91000640NS
       size         : 953869 MB
       status       : active sync
   Disk id H2                           Missing

To follow the state of the addition you can check the Management Plane raid.log debug logs through the CLI:

> tail lines 120 mp-log raid.log

This command shows the last 120 lines, which contain all the logs necessary to check the disk operations.

Mar 20 00:01:37 DEBUG: raid_util: argv: ['GetArrayId', 'A1']
Mar 20 00:01:37 DEBUG: raid_util: argv: ['Add', 'A1', 'force', 'no-format', 'verify']
Mar 20 00:01:37 DEBUG: Verifying drive A1 to be added.
Mar 20 00:01:37 DEBUG: create_md 1, sdb
Mar 20 00:01:38 DEBUG: raid_util: argv: ['Add', 'A1', 'force', 'no-format']
Mar 20 00:01:38 INFO: Adding drive A1 (sdb)
Mar 20 00:01:38 DEBUG: create_md 1, sdb
Mar 20 00:01:38 DEBUG: create_md_paired_drive 1, sdb, no_format=True
Mar 20 00:01:38 DEBUG: Mounting Disk Pair A (/dev/md1)
Mar 20 00:01:38 DEBUG: set_drive_pairing_one 1
Mar 20 00:01:38 INFO: New Disk Pair A detected.
Mar 20 00:01:38 DEBUG: Created Disk Pair A (/dev/md1) from A1 (/dev/sdb1)
Mar 20 00:01:38 INFO: Done Adding drive A1
...
Mar 20 00:02:41 DEBUG: raid_util: argv: ['GetArrayId', 'H1']
Mar 20 00:02:41 DEBUG: raid_util: argv: ['Add', 'H1', 'force', 'no-format', 'verify']
Mar 20 00:02:41 DEBUG: Verifying drive H1 to be added.
Mar 20 00:02:41 DEBUG: create_md 8, sdp
Mar 20 00:02:41 DEBUG: raid_util: argv: ['Add', 'H1', 'force', 'no-format']
Mar 20 00:02:41 INFO: Adding drive H1 (sdp)
Mar 20 00:02:41 DEBUG: create_md 8, sdp
Mar 20 00:02:41 DEBUG: create_md_paired_drive 8, sdp, no_format=True
Mar 20 00:02:42 DEBUG: Mounting Disk Pair H (/dev/md8)
Mar 20 00:02:42 DEBUG: set_drive_pairing_one 8
Mar 20 00:02:42 INFO: New Disk Pair H detected.
Mar 20 00:02:42 DEBUG: Created Disk Pair H (/dev/md8) from H1 (/dev/sdp1)
Mar 20 00:02:42 INFO: Done Adding drive H1

5) Next, regenerate the Log Disks' metadata for each RAID disk slot. Note: this command can take a long time to finish depending on the data size stored on the disks, because it rebuilds all the log indexes.

> request metadata-regenerate slot 1
> request metadata-regenerate slot 2
> request metadata-regenerate slot 3
> request metadata-regenerate slot 4
> request metadata-regenerate slot 5
> request metadata-regenerate slot 6
> request metadata-regenerate slot 7
> request metadata-regenerate slot 8

Sample output:

Bringing down vld: vld-0-0
Process 'vld-0-0' executing STOP
Removing old metadata from /opt/pancfg/mgmt/vld/vld-0
Process 'vld-0-0' executing START
Done generating metadata for LD:1
....
admin@New-M-500> request metadata-regenerate slot 8
Bringing down vld: vld-7-0
Process 'vld-7-0' executing STOP
Removing old metadata from /opt/pancfg/mgmt/vld/vld-7
Process 'vld-7-0' executing START
Done generating metadata for LD:8

You can check the status of the metadata regeneration by opening a new CLI window and running the command to follow the debug log file vldmgr.log:

> tail lines 100 follow yes mp-log vldmgr.log

This command shows the last 100 lines and then follows the log file vldmgr.log. Sample output:

2017-03-19 23:38:42.836 -0700 sysd send 'stop LD:1 became unavailable' to 'vld-0-0' vldmgr:vldmgr
2017-03-19 23:38:43.185 -0700 Error:  _process_fd_event(pan_vld_mgr.c:2113): connection failed on fd:13 for cs:vld-0-0
2017-03-19 23:38:43.185 -0700 Sending to MS new status for slot 0, vldid 1280: not online
2017-03-19 23:38:43.185 -0700 setting LD refcount in var:runtime.ld-refcount.LD1 to 0. create:false
2017-03-19 23:38:46.186 -0700 vldmgr vldmgr diskinfo cb from sysd
....
2017-03-20 00:20:56.792 -0700 setting LD refcount in var:runtime.ld-refcount.LD7 to 2. create:false
2017-03-20 00:20:56.792 -0700 Sending to MS new status for slot 6, vldid 1286: online
2017-03-20 00:20:56.905 -0700 connection failed for err 111 with vld-7-0. Will start retry 3 in 2000
2017-03-20 00:20:58.907 -0700 connection failed for err 111 with vld-7-0. Will start retry 4 in 2000
2017-03-20 00:21:00.908 -0700 Connection to vld-7-0 established
2017-03-20 00:21:00.908 -0700 connect(2) succeeded on fd:20 for cs:vld-7-0
2017-03-20 00:21:00.908 -0700 setting LD refcount in var:runtime.ld-refcount.LD8 to 2. create:false
2017-03-20 00:21:00.908 -0700 Sending to MS new status for slot 7, vldid 1287: online

6) On the New-M-500 add a new Local Collector. Click Add under Panorama > Managed Collectors to add a new Collector. Under the General tab, enter the serial number of the New-M-500 device that we are moving the disks to. We will add the disks to the New-M-500 Log Collector in a later step.

7) Check the status of the new Log Collector. Check for the following in the output of the command:
   a. Connected status should display "yes"
   b. Disk capacity should display the correct size
   c. Disk pairs will display as "Disabled", which is expected behavior at this stage in the RMA process

> show log-collector serial-number <serial-number-of-New-M-500>

Sample output:

> show log-collector serial-number 007307000539
Serial           CID      Hostname           Connected    Config Status    SW Version         IPv4 - IPv6
---------------------------------------------------------------------------------------------------------
007307000539     0        M-500_LAB          yes          Out of Sync      7.1.7              10.193.81.241 - unknown
Redistribution status:       none
Last commit-all: commit succeeded, >>>>>>>>current ring version 0<<<<<<<< md5sum  updated at ?
Raid disks
DiskPair A: Disabled,  Status: Present/Available,  Capacity: 870 GB
DiskPair B: Disabled,  Status: Present/Available,  Capacity: 870 GB
DiskPair C: Disabled,  Status: Present/Available,  Capacity: 870 GB
DiskPair D: Disabled,  Status: Present/Available,  Capacity: 870 GB
DiskPair E: Disabled,  Status: Present/Available,  Capacity: 870 GB
DiskPair F: Disabled,  Status: Present/Available,  Capacity: 870 GB
DiskPair G: Disabled,  Status: Present/Available,  Capacity: 870 GB
DiskPair H: Disabled,  Status: Present/Available,  Capacity: 870 GB

8) Add the disks to the New-M-500 Log Collector configuration: go to Panorama > Managed Collectors, click on the name of the Log Collector (e.g. New-M-500), click on the Disks tab, and add all the disks that were moved to the New-M-500 device (e.g. A, B, C, D, E, F, G, H).

9) On the New-M-500 add the new Local Log Collector that we have created to the existing Log Collector Group that the Old-M-500 was a part of; in this example the Old-M-500 Log Collector was part of the "default" Collector Group. Add the New-M-500 Log Collector where the Old-M-500 Log Collector was present.

10) Delete the failed Log Collector from the Collector Group. In the WebGUI go to Panorama > Collector Group, select the Collector Group where the New-M-500 is configured, and in the Collector Group popup select the tab "Device Log Forwarding". Delete all references to the serial number of the failed Old-M-500.

11) Issue a Panorama Commit only.

12) Issue a Commit to the Collector Group.

13) Check that the old logs are visible.

14) Add the spare disks to RAID, so that full RAID redundancy is rebuilt with the log migration already confirmed. Physically move disks A2, B2, C2, D2, E2, F2, G2, H2 from the Old-M-500 to positions A2, B2, C2, D2, E2, F2, G2, H2 in the New-M-500.

Check that the disks are available to be added to RAID:

> show system raid detail

The newly added disks will be in the state "Present" and status "Not in use". Sample output:

admin@New-M-500> show system raid detail
Disk Pair A                           Available
   Status                       clean, degraded
   Disk id A1                           Present
       model        : ST91000640NS
       size         : 953869 MB
       status       : active sync
   Disk id A2                           Present
       model        : ST91000640NS
       size         : 953869 MB
       status       : not in use
....
Disk Pair H                           Available
   Status                       clean, degraded
   Disk id H1                           Present
       model        : ST91000640NS
       size         : 953869 MB
       status       : active sync
   Disk id H2                           Present
       model        : ST91000640NS
       size         : 953869 MB
       status       : not in use

15) Add the secondary disks (A2, B2, C2, D2, E2, F2, G2, H2) to RAID using the commands:

> request system raid add A2 force
> request system raid add B2 force
> request system raid add C2 force
> request system raid add D2 force
> request system raid add E2 force
> request system raid add F2 force
> request system raid add G2 force
> request system raid add H2 force

Note: each command prompts "Executing this command may delete all data on the drive being added. Do you want to continue? (y or n)". Press "y" to accept.

After these commands the RAID goes into the "Spare Rebuild" operation. Please note that this may be a lengthy operation and it will run in the background until it ends. During this time logging to the Log Collector Group will be on hold. Once the operation is over, log forwarding to the New-M-500 will resume. You can check the status of the operation by running:

> show system raid detail

Sample output:

> show system raid detail
Disk Pair A                           Available
   Status     clean, degraded, recovering (2% complete)
   Disk id A1                           Present
       model        : ST91000640NS
       size         : 953869 MB
       status       : active sync
   Disk id A2                           Present
       model        : ST91000640NS
       size         : 953869 MB
       status       : spare rebuilding
....
Disk Pair H                           Available
   Status     clean, degraded, recovering (0% complete)
   Disk id H1                           Present
       model        : ST91000640NS
       size         : 953869 MB
       status       : active sync
   Disk id H2                           Present
       model        : ST91000640NS
       size         : 953869 MB
       status       : spare rebuilding

16) Once the Spare rebuild operation is finished, the New-M-500 is in a fully operational state and the RMA process is done.
bbolovan ‎08-07-2017 01:02 AM
7,686 Views
2 Replies
2 Likes
Palo Alto Networks devices offer two variations of securely wiping the internal hard drive, both of which can be found within maintenance mode. Let's cover the options that are available for us to use.

The dod scrub sequence is compliant with the DoD 5220.22-M procedure for sanitizing removable and non-removable rigid disks, which requires overwriting all addressable locations with a character, its complement, then a random character, and verifying. Please refer to the DoD document for additional constraints.

The nnsa (default) scrub sequence is compliant with a Dec. 2005 draft of NNSA Policy Letter NAP-14.x for sanitizing removable and non-removable hard disks, which requires overwriting all locations with a pseudorandom pattern twice and then with a known pattern. Please refer to the NNSA document for additional constraints.

Scrub Information Source

To enter maintenance mode, you can either:
A: Type 'maint' when prompted during the boot sequence (console connection). See How to Enter Maintenance Mode for Factory Reset.
B: Reboot the system into maintenance mode and connect via SSH. See How to SSH into Maintenance Mode.

Assuming you have successfully entered maintenance mode on your Palo Alto appliance, proceed by selecting 'Continue', then the 'Factory Reset' option from the main menu, and then choosing 'Advanced', as seen below.

At this point, you will be prompted for the 'Advanced' password, which is listed below:

MA1NT

The FIPS Maintenance Mode password is:

paloalto

After submitting the 'Advanced' password, you should see a 'Factory Reset' screen, but with more options than before, as seen below.

In the above example, I have selected to 'Factory Reset' the appliance with PAN-OS version 7.0.1, with the option to scrub using the dod scrub type. Please select the options that apply to you.

As mentioned in the WARNING above, the scrub process can take up to forty-eight hours. Please take this into account when selecting these options.
mmmccorkle ‎11-16-2016 05:44 AM
8,301 Views
4 Replies
1 Like
Question
When replacing a PA-7000 SMC, why does the session distribution policy need to be reconfigured after the new SMC is brought online?

Answer
When replacing a failed SMC, the replacement SMC will have the default session distribution policy setting of ingress-slot. If the session distribution-policy is currently set to another setting, you will need to reconfigure it after the replacement SMC is online, if HA config sync is enabled.

This is because the replacement SMC's config has a later timestamp than the active PA-7000 config, so the default session distribution setting of ingress-slot from the new SMC will get synced across to the active device.

To prevent this from happening, after getting the replacement SMC online, reconfigure the session distribution policy to the desired setting:

admin@7050> set session distribution-policy
> fixed          select a fixed DP
> hash           select DP by address hash
> ingress-slot   select DP on ingressing slot
> random         select random available DP
> round-robin    select DP by round robin between active DPs
> session-load   select DP based on session load
pmak ‎11-09-2016 12:40 PM
2,197 Views
0 Replies
Issue
A rebuilt Palo Alto Networks VM-Series firewall produces an error when retrieving its license. The new UUID and CPU ID are confirmed to be correct, and the VM-Series firewall connects successfully to updates.paloaltonetworks.com. However, the ms.log shows:

error ' 'cfg.platform.serial': NO_MATCHES '

Resolution
The license can be manually downloaded and then uploaded to the VM-Series firewall on the Device > Licenses page. To manually download a license:
1. Log in to the support portal (support.paloaltonetworks.com).
2. Go to the Assets tab.
3. Find the serial number of the device and click the download icon next to the appropriate feature under the License column.

Upon successful license upload, the Palo Alto Networks device will reboot and show the correct license. Licenses may need to be installed manually for the available options (e.g. URL Filtering, GlobalProtect, etc.). Alternatively, install the VM license manually and then retrieve the remaining licenses from the server.

owner: ukhapre
ukhapre ‎10-13-2016 04:45 PM
3,747 Views
0 Replies
Symptoms
Deploying Panorama in Panorama/Log Collector Combination in HA Mode on the Panorama > Managed Log Collectors tab results in the following error: Ring version mismatch.

Solution
To resolve this mismatch, the configuration needs to be committed to both Panorama and the Log Collector group:
Perform a local commit on Panorama.
Perform a commit on the Log Collector group.

To see the complete procedure on how to set up an appliance for dual-mode Panorama and Log Collector, please refer to: How to Configure an M-100 to Function as Both a Log Collector and Panorama
crajariyap ‎10-03-2016 04:58 PM
4,024 Views
0 Replies
There may be cases where analysis/verification is required to determine whether traffic is being sent/received via the management interface. One such example would be during authentication testing, to verify whether requests are being sent from the device to the LDAP or RADIUS server. Another example would be to determine whether a device is being polled by, or is reachable from, an SNMP server. Starting with PAN-OS 5.0 it is possible to capture traffic to/from the management interface as a PCAP. The option is strictly CLI based, utilizing tcpdump.

Example below: as captures strictly/implicitly use the management interface, there is no need to manually specify an interface as with a traditional tcpdump. For example:

admin@myNGFW> tcpdump filter "host 10.16.0.106 and not port 22"
Press Ctrl-C to stop capturing
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

Note: Filters must be enclosed in quotes, as in:

> tcpdump filter "host 10.16.0.106 and not port 22"

When a capture is complete, press Ctrl-C to stop capturing:

admin@myNGFW> tcpdump filter "host 10.16.0.106 and not port 22"
Press Ctrl-C to stop capturing
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
^C
6 packets captured
12 packets received by filter
0 packets dropped by kernel

To view the PCAP on the CLI, run the view-pcap command. For example:

admin@myNGFW> view-pcap mgmt-pcap mgmt.pcap
15:42:57.834414 IP 10.16.0.106.https > 10.192.1.0.61513: P 196197148:196197179(31) ack 2821691363 win 66 <nop,nop,timestamp 9463094 700166797>
15:42:57.834477 IP 10.16.0.106.https > 10.192.1.0.61513: F 31:31(0) ack 1 win 66 <nop,nop,timestamp 9463094 700166797>
15:42:57.834910 IP 10.192.1.0.61513 > 10.16.0.106.https: . ack 31 win 4095 <nop,nop,timestamp 700231236 9463094>
15:42:57.834933 IP 10.192.1.0.61513 > 10.16.0.106.https: . ack 32 win 4095 <nop,nop,timestamp 700231236 9463094>
15:42:58.142807 IP 10.192.1.0.61513 > 10.16.0.106.https: F 1:1(0) ack 32 win 4096 <nop,nop,timestamp 700231542 9463094>
15:42:58.142831 IP 10.16.0.106.https > 10.192.1.0.61513: . ack 2 win 66 <nop,nop,timestamp 9463125 700231542>

Following are a few filter examples (though NOT limited solely to these options) which can be referenced/utilized/applied:

Filter by port:
> tcpdump filter "port 80"
Filter by source IP:
> tcpdump filter "src x.x.x.x"
Filter by destination IP:
> tcpdump filter "dst x.x.x.x"
Filter by host (src & dst) IP:
> tcpdump filter "host x.x.x.x"
Filter by host (src & dst) IP, excluding SSH traffic:
> tcpdump filter "host x.x.x.x and not port 22"

Additionally, you can manually export the PCAP via SCP or TFTP, i.e.:

> scp export mgmt-pcap from mgmt.pcap to <value>
  <value>  Destination (username@host:path)
> tftp export mgmt-pcap from mgmt.pcap to <value>
  <value>  tftp host

Note: By default, there is a maximum limit of 68 bytes (snap length) per packet on the PA-200, PA-500 and PA-2000. For the PA-3000, PA-4000 and PA-5000, the default limit is 96 bytes per packet. To extend this limit, use the "snaplen" option.

admin@myNGFW> tcpdump snaplen <value>
  <0-65535>  Snarf snaplen bytes of data from each packet. (0 means use the required length to catch whole packets)
admin@myNGFW> tcpdump snaplen 0
Press Ctrl-C to stop capturing
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

See Also
Tcpdump Packet Capture Truncated

owner: bryan
bryan ‎09-21-2016 06:48 AM
78,344 Views
9 Replies
1 Like
Issue
Attempts to upgrade PA-200 devices to a maintenance release on a later major software version fail. Specifically, after successfully downloading the base software image (for example, PAN-OS 6.0.0), the download of the maintenance release fails with errors similar to the following:

The required '6.0' base image must be loaded before this image can be loaded. You do not have to install or run the base image, only download it. Once the base is loaded, re-download your target image.
Failed to load into software manager. Please retry.
Post processing failed. Please retry.

As the screenshot shows, the 6.0.0 image is present on the system. However, after closing the dialog box and refreshing the software page, the 6.0.0 image disappears.

Cause
Base images can be prematurely purged from the system due to the limited storage capacity on PA-200 series devices.

Resolution
To upgrade PA-200 devices to maintenance releases on later major versions of PAN-OS:
1. Delete any unused PAN-OS images present on the firewall to free some space on the device.
2. Download the base software image (for example, 6.0.0).
3. Install the base software image without rebooting.
4. Download the desired maintenance release software image (for example, 6.0.2).
5. Install the maintenance release and reboot.

owner: garrison
ggarrison ‎09-19-2016 09:09 AM
24,662 Views
8 Replies
1 Like
PAN-OS 6.1

Details
PAN-OS 6.1 introduced the following command to increase the capacity of the Address Resolution Protocol (ARP) table and the MAC address table on PA-3020 and PA-3050 devices:

PA> debug system arp-mac-capacity increased

On the PA-3020 the ARP table capacity can be increased from 1500 to 3000. On the PA-3050 the number of table entries can be increased from 2500 to 5000.

Note: This change requires a reboot. Once the command is run, the system will ask for confirmation, and if HA is configured, the command must be run on both peers.

See Also
What is the Maximum Number of MAC Address and ARP Addresses that the Firewall can Handle?

owner: gbogojevic
gbogojevic ‎09-14-2016 04:09 AM
8,393 Views
4 Replies
Symptoms
On a newly received and unboxed PA-200 running PAN-OS 5.0.6 out of the box, trying to manually upload a new PAN-OS or content image produces the error message 'Invalid Image'.

Diagnosis
PAN-OS 5.0.6 contains a bug, resolved in PAN-OS 5.0.7, that prevents manual uploads from completing successfully. A number of devices were factory prepared to run this version when first booted up, which can then prevent manual uploading of a newer PAN-OS.

Solution
The issue can be resolved by performing a factory reset on the device, after which software can be loaded as expected and the device can be upgraded to a newer version.
‎07-07-2016 10:03 AM
2,007 Views
0 Replies
Question
How do I check the media type on an interface of a Palo Alto Networks device?

Answer
Run the following command in the CLI of the Palo Alto Networks device:

show system state filter sys.s1.p*.phy

[Output sample]
In sys.s1.p*.phy:
p1 stands for ethernet1/1
p2 stands for ethernet1/2
p3 stands for ethernet1/3
p4 stands for ethernet1/4

'media': CAT5 stands for a Category 5 Ethernet (copper) cable
'media': SFP-Empty stands for a 1G fiber port with no SFP inserted
'media': SFP-Fiber stands for a 1G fiber port with an SFP inserted
'media': SFP-Plus-Empty stands for a 10G fiber port with no SFP inserted
'media': SFP-Plus-Fiber stands for a 10G fiber port with an SFP inserted
rchougale ‎06-22-2016 04:18 PM
6,491 Views
1 Reply
Details
The Palo Alto Networks device deletes the oldest log data when the logdb-quota is reached. The device purges logs based on the categories seen in show system logdb-quota. Refer to When are Logs Purged on the Palo Alto Networks Devices? for the purging behavior on different platforms.

The root partition can become full, requiring manual file deletion. If the root is full, the device cannot perform maintenance tasks such as content installs (AV, App/Threat, URL, DB) or generate tech support files. To check the status of the root partition, use the show system disk-space command. Core files consume large amounts of disk space; list them with show system files, and delete large core files with delete core management-plane file <filename>.

Use these commands to view and delete core files:

> show system disk-space
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3            3.8G  3.8G    0 100% /
/dev/sda5            7.6G  3.4G  3.8G  48% /opt/pancfg
/dev/sda6            3.8G  2.7G  940M  75% /opt/panrepo
tmpfs                493M  36M  457M  8% /dev/shm
/dev/sda8              51G  6.6G  42G  14% /opt/panlogs

Check the output of show system files to see core files using up a large amount of disk space.

> show system files
/opt/dpfs/var/cores/:
total 4.0K
drwxrwxrwx 2 root root 4.0K Jun 10 20:05 crashinfo

/opt/dpfs/var/cores/crashinfo:
total 0

/var/cores/:
total 115M
drwxrwxrwx 2 root root 4.0K Jun 10 20:15 crashinfo
-rw-rw-rw- 1 root root 867M Jun 12 13:38 devsrvr_4.0.3-c37_1.gz
-rw-rw-rw- 1 root root  51M Jun 12 13:39 core.20053

/var/cores/crashinfo:
total 16K
-rw-rw-rw- 1 root root 15K Jun 10 20:15 devsrvr_4.0.3-c37_0.info

Delete unnecessary core files:

> delete core management-plane file devsrvr_4.0.3-c37_1.gz

(This example deletes a device server core file from the management plane.)

Report deletion can be done from the command line as well. To delete a set of summary reports starting with 864:

> delete report summary scope shared report-name predefined file-name 864*

Delete rotated files and files with the extension .old as follows. These files contain monitoring details and service-related logs on the firewall, so they can be deleted safely if you don't need them. If TAC is investigating an ongoing issue, you may prefer to keep them until you upload the tech support file to the case manager.

> delete debug-log mp-log file *.1
> delete debug-log mp-log file *.2
> delete debug-log mp-log file *.3
> delete debug-log mp-log file *.old

owner: bpappas
View full article
panagent ‎06-14-2016 03:50 AM
113,414 Views
29 Replies
4 Likes
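The disk-space article above gives the commands and sample output but leaves the reading of it to the operator. The following is an added example, not code from the article or from Palo Alto Networks: it parses the text of show system disk-space and show system files (the sample output below is copied from the article), flags any filesystem at or above a usage threshold, lists core files over a size limit, and prints the article's delete core management-plane file command for each management-plane core file. The 50 MiB default and the rule that only files under /var/cores/ are management-plane cores are assumptions of this example.

```python
"""Added example (not from the article or from Palo Alto Networks): parse the
text output of 'show system disk-space' and 'show system files' and flag the
two conditions the article describes, a full root partition and large core
files. Sample output below is copied from the article; nothing is live data."""
import re

# 'show system disk-space' output as printed in the article.
DISK_SPACE = """\
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3            3.8G  3.8G    0 100% /
/dev/sda5            7.6G  3.4G  3.8G  48% /opt/pancfg
/dev/sda6            3.8G  2.7G  940M  75% /opt/panrepo
tmpfs                493M  36M  457M  8% /dev/shm
/dev/sda8              51G  6.6G  42G  14% /opt/panlogs
"""

# 'show system files' output as printed in the article.
SYSTEM_FILES = """\
/opt/dpfs/var/cores/:
total 4.0K
drwxrwxrwx 2 root root 4.0K Jun 10 20:05 crashinfo

/opt/dpfs/var/cores/crashinfo:
total 0

/var/cores/:
total 115M
drwxrwxrwx 2 root root 4.0K Jun 10 20:15 crashinfo
-rw-rw-rw- 1 root root 867M Jun 12 13:38 devsrvr_4.0.3-c37_1.gz
-rw-rw-rw- 1 root root  51M Jun 12 13:39 core.20053

/var/cores/crashinfo:
total 16K
-rw-rw-rw- 1 root root 15K Jun 10 20:15 devsrvr_4.0.3-c37_0.info
"""

_UNITS = {"": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30, "T": 1 << 40}


def parse_size(text):
    """Convert an ls/df style size such as '867M' or '4.0K' to bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT]?)", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def full_partitions(disk_space_output, threshold_pct=90):
    """Return {mount_point: use%} for every filesystem at or above the threshold."""
    hits = {}
    for line in disk_space_output.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 6 or not fields[4].endswith("%"):
            continue
        use_pct = int(fields[4].rstrip("%"))
        if use_pct >= threshold_pct:
            hits[fields[5]] = use_pct
    return hits


def large_core_files(files_output, min_bytes=50 * (1 << 20)):
    """Return [(path, bytes)] for regular files of at least min_bytes, largest first.

    The listing is 'ls -l' style: a '<dir>:' header line starts each directory,
    'total N' lines are skipped, and only entries whose mode starts with '-'
    (regular files) are considered.
    """
    current_dir, found = None, []
    for line in files_output.splitlines():
        if line.endswith(":") and "/" in line:
            current_dir = line[:-1].rstrip("/")
            continue
        fields = line.split(None, 8)
        if len(fields) == 9 and fields[0].startswith("-") and current_dir:
            size = parse_size(fields[4])
            if size >= min_bytes:
                found.append((f"{current_dir}/{fields[8]}", size))
    return sorted(found, key=lambda item: item[1], reverse=True)


def cleanup_commands(core_files):
    """Build the article's 'delete core management-plane file <name>' command for
    each management-plane core file (assumed here: those under /var/cores/)."""
    cmds = []
    for path, _ in core_files:
        directory, _, name = path.rpartition("/")
        if directory == "/var/cores":
            cmds.append(f"delete core management-plane file {name}")
    return cmds


if __name__ == "__main__":
    for mount, pct in full_partitions(DISK_SPACE).items():
        print(f"WARNING: {mount} is {pct}% full")
    cores = large_core_files(SYSTEM_FILES)
    for path, size in cores:
        print(f"{size / (1 << 20):8.1f} MiB  {path}")
    for cmd in cleanup_commands(cores):
        print(">", cmd)
```

Run against the article's own output, the script reports the root filesystem at 100% and the two core files under /var/cores/ (867M and 51M), and prints the two delete commands. Feeding it the output of a real device (for example captured over SSH) is the only change needed to use it as a recurring health check.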
Overview
This document describes how to maintain and use an On-Site-Spare (OSS) device.

Details

Backing up the production configuration
Regularly export/back up the existing configuration from the production unit. This can be done either from the web UI or from terminal software using SCP or TFTP.

From the web UI: Device > Setup > Operations > Export named configuration snapshot > running-config.xml

From terminal software and an SCP or TFTP server: the following documents describe how to perform the backup using SCP:
  How to Save an Entire Configuration for Import into Another Palo Alto Networks Device
  How to Import/Export Running Configuration Using Secure File Copy (SCP)

For TFTP, run the following command:

> tftp export configuration from running-config.xml to <IP-ADDRESS>

Note: The terminal software method can be scripted and run by a scheduled task.

Maintaining the OSS device
The following steps keep the OSS on the same PAN-OS release as the production device. Perform these steps each time the production device is upgraded.
  1. Download the current Apps Only database from https://support.paloaltonetworks.com/ (open Dynamic Updates from the Tools menu).
  2. Upload the Apps Only database to the device and install it.
  3. Download the appropriate PAN-OS from https://support.paloaltonetworks.com/ (open Software Updates from the Tools menu).
  4. Upload the downloaded PAN-OS to the device and install it.

Bringing the OSS device into production
The following steps configure the OSS device to be identical to the original production device. The device should be managed from the IP address of the original production device.
  1. Have the device mounted and configured with:
     - an IP on the management port,
     - trust and untrust interfaces,
     - a rule that allows all traffic from trust to untrust,
     - the necessary NAT rule.
  2. Plug the cables from the previous production device into the OSS.
  3. Transfer the licenses to the OSS (How to Transfer Licenses to a Spare Device).
  4. Download the licenses to the device: Device > Licenses > Retrieve license keys from license server.
  5. Download and install the latest Applications and Threat database (Threat license is required; otherwise use the Apps Only database): Device > Dynamic Updates (you may have to click "Check Now").
  6. Download and install the latest Antivirus (Threat license is required): Device > Dynamic Updates (you may have to click "Check Now").
  7. Download and install the latest URL filtering database (license is required). Brightcloud: Device > Dynamic Updates. PAN-DB: Device > Licenses > Re-Download under the PAN-DB URL Filtering license.
  8. Import the configuration from the previous production device: Device > Setup > Operations > Import named configuration snapshot.
     Important: The named configuration snapshot should not be named "running-config.xml", as this will cause a conflict on the device and may require a reset to factory default settings.
  9. Load the imported configuration snapshot: Device > Setup > Operations > Load named configuration snapshot.
  10. Commit.

See Also
  On-Site Spares (OSS) FAQs
  How to Transfer Licenses to a Spare Device

owner: esilha
View full article
JimS2 ‎05-17-2016 04:44 AM
12,922 Views
5 Replies
On all our platforms (except the PA-7000), the interface IDs start with the following numbers:
  Hardware interfaces: 16
  AE interfaces: 48

For the PA-7000, this is different:
  Hardware interfaces: 32
  AE interfaces: 16

Be aware that the interface ID is used as part of the virtual MAC: How to Calculate a Virtual MAC Address
View full article
rvanderveken ‎05-06-2016 05:27 PM
971 Views
0 Replies
PAN-OS 5.0.1, 5.1, 6.0, 7.0, 7.1

Issue
A platform's management server keeps crashing and restarting when it exceeds its virtual memory limit.

Error
System logs indicating that the management server exceeded its virtual memory limit:
2012/11/19 10:20:38 critical general general 0 "mgmtsrvr - virtual memory limit exceeded, restarting"
2012/11/19 10:29:39 critical general general 0 "mgmtsrvr - virtual memory limit exceeded, restarting"
2012/11/19 10:56:41 critical general general 0 "mgmtsrvr - virtual memory limit exceeded, restarting"

masterd.log:
Nov 19 10:20:19 INFO: mgmtsrvr: received user restart
Nov 19 10:20:19 INFO: mgmtsrvr: User restart reason - Virtual memory limit exceeded (2575744 > 2560000)
Nov 19 10:20:19 INFO: mgmtsrvr: received user stop
Nov 19 10:20:25 INFO: mgmtsrvr: exited, Core: False, Exit code: 0

Resolution
Increase the virtual memory limit of the management server. To check the virtual memory limit on the device, run the following command:

> debug software virt-limit service mgmtsrvr limit < 0 - 4294967295 >

To set the virtual memory limit to 4GB, run the following command:

> debug software virt-limit service mgmtsrvr limit 4000000

Note: A reboot is not required for the increased virtual memory limit to take effect.

Verify the setting change by running the following command:

> show system state | match virtLimitEnable
md.apps.s0.mp.prc.mgmtsrvr.add-event: virtLimitEnable 4000000
md.apps.s0.mp.prc.mgmtsrvr.script.runtime: { 'actions': [ ], 'count': 1, 'display': , 'done-actions': [ { 'action': hb-start, }, ], 'external-restart-ok': True, 'group': { }, 'hb-enable': True, 'limits': { 'enable-fd-limit': True, 'enable-virt-limit': True, 'fd-limit': 50000000, 'virt-limit': 4000000, }, 'process': { 'last-pid': -1, 'pid': 1512, }, 'restart-enable': True, 'state-machine': { 'count': 1, 'event': virtLimitEnable 4000000, 'state': running, }, 'sysd-namespaces': [ ], 'sysd-notifiers': { }, }
admin@Panorama-54>

To revert the change, run the following command:

> debug software no-virt-limit service mgmtsrvr

Confirm with the following command:

> show system state | match virtLimitDisable
md.apps.s1.mp.prc.mgmtsrvr.script.runtime: { 'actions': [ ], 'count': 1, 'display': , 'done-actions': [ { 'action': hb-start, }, ], 'external-restart-ok': True, 'group': { }, 'hb-enable': True, 'limits': { 'enable-fd-limit': False, 'enable-virt-limit': False, 'fd-limit': 1024, 'virt-limit': 4000000, }, 'process': { 'last-pid': -1, 'pid': 2259, }, 'restart-enable': True, 'state-machine': { 'count': 1, 'event': virtLimitDisable, 'state': running, }, 'sysd-namespaces': [ ], 'sysd-notifiers': { }, }

owner: kadak
View full article
kadak ‎05-03-2016 01:18 PM
12,969 Views
5 Replies
1 Like
Details
The capability of an auto-sensing power supply is documented by specifying the input voltage range. For more information, refer to the Electrical Specifications and Hardware Specification Sheet for each product.

The following electrical specifications are from the PA-5000 platform: PA-5000 Series Hardware Reference Guide (English)

The following Input Voltage is from the PA-5000 Series hardware specification sheet:

Hence, any voltage within the above ranges is acceptable.

owner: gchandrasekaran
View full article
gchandrasekaran ‎04-29-2016 12:57 AM
2,954 Views
0 Replies
Symptom
After replacing the fan in a Palo Alto Networks PA-5020, PA-5050, or PA-5060 firewall, the fan LED is green for 3 seconds and then turns off.

Resolution
Ensure the fan is inserted with the correct orientation. When replacing the fan, the filter should be closest to the chassis with the handle positioned to the right of center.

Here is the fan inserted in the correct orientation:
Here is the fan as it is being inserted in the correct orientation:

The PA-5000 Series hardware guide includes this process as well as other part replacement steps and is available here: PA-5000 Series Hardware Reference Guide (English)

owner: gwesson
View full article
gwesson ‎04-29-2016 12:57 AM
2,533 Views
0 Replies
The contents of this article can be found on the Technical Documentation site under Platform Documentation. See the 'Memory Upgrade Procedure' section under PA-500.

Note: This page has been flagged for archival. Please update your bookmarks.
View full article
panagent ‎04-12-2016 06:10 PM
9,482 Views
1 Reply
Question
Does the PA-3060 support PAN-OS versions released prior to PAN-OS 6.1.0?

Answer
No. The PA-3060 model in the PA-3000 series does NOT support PAN-OS versions released prior to 6.1.0.

The PA-3060 hardware includes the new 10G SFP+ ports, and only PAN-OS 6.1 and above support this hardware. An internal check has been programmed for this device so that it does not fetch any versions prior to PAN-OS 6.1.0 from the software update server, and any attempt to manually load older versions will also fail. This behavior is by design, to avoid unforeseen issues due to unsupported PAN-OS versions. The PA-3050 and PA-3020 devices CAN run older PAN-OS versions if desired.

Please Note: If you manually upload and install any software prior to PAN-OS 6.1, you will get the following error while trying to install:
View full article
syadav ‎01-04-2016 12:54 PM
3,243 Views
0 Replies
1 Like
For the latest procedure to migrate (licenses, configuration, and logs) from a Panorama virtual appliance to an M-Series appliance, refer to Migrate from a Panorama Virtual Appliance to an M-Series Appliance.

The Palo Alto Networks M-100 management appliance was released with PAN-OS/Panorama 5.0. A migration path was created for customers who want to move their device management license from an existing virtualized Panorama to the M-Series platform.

If you would like to migrate to the M-100 appliance:
  1. Contact your sales representative and let them know you'd like to purchase the M-100 appliance and migrate an existing Panorama. Provide the serial number of the virtualized Panorama you wish to migrate, the support term or end date you'd like for the management appliance, the auth code, and the date you'd like to process the migration.
  2. The sales representative will provide you with a quote that includes a pro-rated support credit for the difference between the chosen process date and the current support subscription end date, an M-100 appliance, a migration upgrade, and a new subscription that includes both software and hardware support. Prorated credits can only be given if there are more than 90 days remaining on the existing support subscription.
  3. Once purchased, we'll ship the M-100 appliance and associated authorization codes on the chosen process date. You'll have 45 days to complete the migration, after which the Panorama VM support will be terminated and it can no longer receive updates (such as software and Threat). The Panorama VM will remain functional and able to manage devices after the support termination occurs.

To license the management appliance:
  1. Connect to the Palo Alto Networks appliance via the WebGUI and click Panorama from the top menu.
  2. Select Licenses from the left pane and click "Activate feature using authorization code". Then enter the auth code provided in a separate email for the migration SKU.
  3. Select Support from the left pane and click "Activate feature using authorization code". Then enter the auth code provided in a separate email for the support SKU.

Note: If your appliance doesn't have access to the Internet, you may activate your M-100 manually by uploading a license key to the appliance. For further details, please refer to your Palo Alto Networks Administrator's Guide.

If you have any questions, please contact Palo Alto Networks Technical Support at +1.866.898.9087 (United States) or +1.408.738.7799 (outside the United States).

owner: mschuricht
View full article
mschuricht ‎12-07-2015 02:51 PM
8,965 Views
1 Reply
1 Like
Details
The following document describes how to determine failed hard drives and replace/rebuild them for RAID redundancy in a Panorama M-100.

Symptoms
The following console output logs indicate buffer I/O errors:
/var/log/messages 2014-05-02 03:58:02 May 2 03:58:02 CMS kernel: Buffer I/O error on device sdf, logical block 4044865
/var/log/messages 2014-05-02 03:58:02 May 2 03:58:02 CMS kernel: Buffer I/O error on device sdf, logical block 4044866
/var/log/messages 2014-05-02 03:58:02 May 2 03:58:02 CMS kernel: Buffer I/O error on device sdf, logical block 4044867
/var/log/messages 2014-05-02 03:58:02 May 2 03:58:02 CMS kernel: mpt2sas0: log_info(0x31110630): originator(PL), code(0x11), sub_code(0x0630)

Serial numbers of failed drives can be determined from kernel messages, as shown in the examples below:
/var/log/messages 2014-05-02 04:39:03 May 2 04:39:03 mgmt kernel: scsi 7:0:3:0: serial_number (9XG4JA0A)
/var/log/messages 2014-05-02 04:39:03 May 2 04:39:03 mgmt kernel: scsi 7:0:3:0: qdepth(32), tagged(1), simple(1), ordered(0), scsi_level(7), cmd_que(1)
/var/log/messages 2014-05-02 04:39:03 May 2 04:39:03 mgmt kernel: sd 7:0:2:0: [sdd] Write Protect is off
/var/log/messages 2014-05-02 04:39:03 May 2 04:39:03 mgmt kernel: sd 7:0:2:0: [sdd] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
/var/log/messages 2014-05-02 04:39:03 May 2 04:39:03 mgmt kernel: sd 7:0:3:0: [sde] 1953525168 512-byte logical blocks: (1.00 TB/931 GiB)

Steps
To swap the RMA'ed hard drives, perform the following steps:
  1. Go to Panorama > Setup > Operations > Device Operations and click Shutdown Panorama to shut the Panorama M-100 down.
  2. Remove the failed hard disk drive (HDD) pair from the bay and insert the new HDD pair.
  3. Once the new HDD pair is inserted in the bay, unplug the power cable, wait for 5 seconds, and plug the power cable back into the device.
  4. After the auto commit is finished, verify that the disk pair is present by using the following command:
     > show system raid detail
  5. Considering that Bay 'A' is going to be added, add disk pair A1 and A2 consecutively:
     > request system raid add A1 force
     Wait 3 to 4 minutes for A1 to finish. To check the status, use the operational show system raid detail command.
     > request system raid add A2 force
     The operation may take a few minutes. Once A2's rebuild starts, show system raid detail should look similar to the following:
     > show system raid detail
     Disk Pair A                                                            Available
     Status                        clean,degraded, recovering (14% complete)
     Disk id A1                                                             Present
       model                     : ST91000640NS
       size                      : 953869 MB
       status                    : active sync
     Disk id A2                                                             Present
       model                     : ST91000640NS
       size                      : 953869 MB
       status                    : spare rebuilding
     Note: Depending on the size of the disk, it may take 2 to 3 hours for the disks to be rebuilt into the RAID.
  6. Once completed, reboot the Panorama M-100 so that the system initializes with the new pair of hard disks.
  7. Once the auto commit finishes, make sure that both A1 and A2 are clean and in active sync, using the following command:
     > show system raid detail
     Disk Pair A                                                            Available
       Status                      clean
     Disk id A1                                                             Present
       model                     : ST91000640NS
       size                      : 953869 MB
       status                    : active sync
     Disk id A2                                                             Present
       model                     : ST91000640NS
       size                      : 953869 MB
       status                    : active sync

Note: The tail follow yes mp-log raid.log command can be used to follow the adding and rebuilding process in real time:
> tail follow yes mp-log raid.log
May 28 11:31:15 DEBUG: raid_util: argv: ['Add', 'A2', 'force']
May 28 11:31:15 INFO: Adding drive A2 (sdd)
May 28 11:31:15 DEBUG: create_md 1, sdd
May 28 11:31:15 DEBUG: add_md_new_drive Full setup required on disk 1 sd
May 28 11:31:22 DEBUG: raid_util: argv: ['RebuildStarted', '/dev/md1']
May 28 11:31:22 DEBUG: Added A2 (/dev/sdd1) to Disk Pair A (/dev/md1)
May 28 11:31:22 INFO: Done Adding drive A2

See Also
For information on how to recover logs after swapping RAID disks in a log collector M-100, refer to: M-100 RMA Process

owner: kadak
View full article
kadak ‎11-09-2015 09:12 AM
16,384 Views
0 Replies
1 Like
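The RAID article above says that the failing device and the drive's serial number are both found in the kernel messages, but it leaves the correlation to the reader: the "Buffer I/O error" line names a block device (sdf), the "sd H:C:T:L: [sdX]" line ties a block device to a SCSI address, and the "scsi H:C:T:L: serial_number" line ties that address to the serial printed on the drive label. The following is an added example, not code from the article or from Palo Alto Networks, that joins those three message types so the operator knows which physical drive to pull. The sample lines are the article's kernel messages (only the "May 2 ... kernel:" part of each line; the patterns are searched anywhere in the line, so the leading "/var/log/messages <date>" prefix the article shows would not matter), plus two CONSTRUCTED lines that supply the SCSI address and serial for sdf, which the article does not show.

```python
"""Added example (not from the article or from Palo Alto Networks): correlate
'Buffer I/O error on device sdX', 'sd H:C:T:L: [sdX] ...' and
'scsi H:C:T:L: serial_number (...)' kernel messages so that a device that
reports I/O errors can be tied to the serial number on the drive label."""
import re
from collections import defaultdict

# Kernel messages from the article; the last two lines are CONSTRUCTED so that
# sdf (the failing device) has a SCSI address and a serial number to resolve.
MESSAGES = """\
May 2 03:58:02 CMS kernel: Buffer I/O error on device sdf, logical block 4044865
May 2 03:58:02 CMS kernel: Buffer I/O error on device sdf, logical block 4044866
May 2 03:58:02 CMS kernel: Buffer I/O error on device sdf, logical block 4044867
May 2 03:58:02 CMS kernel: mpt2sas0: log_info(0x31110630): originator(PL), code(0x11), sub_code(0x0630)
May 2 04:39:03 mgmt kernel: scsi 7:0:3:0: serial_number (9XG4JA0A)
May 2 04:39:03 mgmt kernel: sd 7:0:2:0: [sdd] Write Protect is off
May 2 04:39:03 mgmt kernel: sd 7:0:3:0: [sde] 1953525168 512-byte logical blocks: (1.00 TB/931 GiB)
May 2 04:39:03 mgmt kernel: scsi 7:0:4:0: serial_number (CONSTRUCTED0)
May 2 04:39:03 mgmt kernel: sd 7:0:4:0: [sdf] 1953525168 512-byte logical blocks: (1.00 TB/931 GiB)
"""

_BUFFER_IO = re.compile(r"Buffer I/O error on device (sd[a-z]+), logical block (\d+)")
_SERIAL = re.compile(r"scsi (\d+:\d+:\d+:\d+): serial_number \((\S+)\)")
_SD_NAME = re.compile(r"sd (\d+:\d+:\d+:\d+): \[(sd[a-z]+)\]")
_HBA = re.compile(r"mpt\d*sas\d+: log_info\((0x[0-9a-fA-F]+)\)")


def analyse(messages):
    """Return {device: info} for every block device that logged Buffer I/O errors.

    info carries the error count, the logical-block range, whether the failing
    blocks are contiguous (one bad region rather than scattered errors), the
    SCSI address learned from the 'sd H:C:T:L: [sdX]' line, the serial number
    learned from the matching 'scsi H:C:T:L: serial_number' line, and any
    controller (mpt*sas) log_info codes seen in the same window.
    """
    blocks, serial_by_scsi, scsi_by_dev, hba_events = defaultdict(list), {}, {}, []
    for line in messages.splitlines():
        if m := _BUFFER_IO.search(line):
            blocks[m.group(1)].append(int(m.group(2)))
        elif m := _SERIAL.search(line):
            serial_by_scsi[m.group(1)] = m.group(2)
        elif m := _SD_NAME.search(line):
            scsi_by_dev[m.group(2)] = m.group(1)
        elif m := _HBA.search(line):
            hba_events.append(m.group(1))
    report = {}
    for dev, lbas in blocks.items():
        scsi = scsi_by_dev.get(dev)
        report[dev] = {
            "errors": len(lbas),
            "first_block": min(lbas),
            "last_block": max(lbas),
            "contiguous": max(lbas) - min(lbas) + 1 == len(set(lbas)),
            "scsi_id": scsi,
            "serial": serial_by_scsi.get(scsi) if scsi else None,
            "hba_log_info": hba_events,
        }
    return report


def failed_drives(report, min_errors=1):
    """Sorted [(device, serial)] for devices with at least min_errors I/O errors;
    serial is None when no serial_number line was seen for that device."""
    return sorted((dev, info["serial"]) for dev, info in report.items()
                  if info["errors"] >= min_errors)


if __name__ == "__main__":
    for dev, info in analyse(MESSAGES).items():
        print(f"{dev}: {info['errors']} I/O errors, blocks {info['first_block']}-"
              f"{info['last_block']}, scsi {info['scsi_id']}, serial {info['serial']}")
```

Because a device letter such as sdf can change between boots, the serial number is the stable identifier to match against the drive and against the RMA request; a device with errors but no resolved serial (None) means the serial_number line fell outside the captured window and an earlier portion of the log is needed.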
Frequently Asked Questions

Can the OSS be configured for remote management?
Yes, a management IP can be configured on the OSS for remote management.

Can the software be kept up-to-date even though it has no licensing?
App-only content can be updated from Panorama, but PAN-OS needs to be uploaded manually using the image file. The system cannot be upgraded from the license servers, since this requires license validation.

Can the OSS be configured as a third device in an HA cluster?
Because the spare unit doesn't require a license, it needs to remain completely off the network until it is used to replace an active licensed unit. Cables from the failed device would need to be physically moved to the OSS.

Can the license transfer be done without either device being on the network?
Yes, the license transfer is done on the Support Portal and neither device needs to be connected. Instead of retrieving license keys from the server, they can be downloaded to a PC and uploaded to the unit.

See also
Refer to How to Transfer Licenses to a Spare Device

owner: panagent
View full article
nrice ‎11-02-2015 09:50 AM
12,292 Views
4 Replies
Details
Shown below is an example output used to view the maximum and minimum thermal thresholds; it displays max = 60 C and min = 5 C.

Use the following CLI command:

> show system state filter env.* | match thermal
env.s1.thermal.0: { 'alarm': False, 'avg': 30.800, 'desc': Temperature @ 10G Phys [U171], 'hyst': 2.750, 'max': 60.000, 'min': 5.000, 'samples': [ 30.500, 30.500, 31.000, 31.000, 31.000, ], }
env.s1.thermal.1: { 'alarm': False, 'avg': 41.500, 'desc': Temperature @ Jaguar [U172], 'hyst': 2.750, 'max': 60.000, 'min': 5.000, 'samples': [ 41.500, 41.500, 41.500, 41.500, 41.500, ], }
env.s1.thermal.2: { 'alarm': False, 'avg': 36.000, 'desc': Temperature @ Tiger [U173], 'hyst': 2.750, 'max': 60.000, 'min': 5.000, 'samples': [ 36.000, 36.000, 36.000, 36.000, 36.000, ], }
env.s1.thermal.3: { 'alarm': False, 'avg': 34.200, 'desc': Temperature @ Dune [U174], 'hyst': 2.750, 'max': 60.000, 'min': 5.000, 'samples': [ 34.000, 34.000, 34.000, 34.500, 34.500, ], }

Note: An alarm will trigger if the temperature exceeds 60 C. The maximum temperature for the alarm differs between Palo Alto Networks platforms.

See Also
CLI Commands to View Hardware Status

owner: saryan
View full article
saryan ‎10-02-2015 10:12 AM
7,548 Views
2 Replies
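The thermal article above, like the media-type and virtual-memory-limit articles earlier on this page, shows show system state output in the same brace notation: unquoted values, nested { } and [ ] containers, and a comma after every value. The following is an added example, not code from the article or from Palo Alto Networks: a small parser for that notation, applied to the env.sN.thermal.M records so that each sensor's average is checked against the max and min that the device itself reports, rather than against a hard-coded 60 C (the article notes the alarm threshold differs between platforms). THERMAL is the article's output; HOT is a constructed record that exercises the over-threshold path. The parser assumes, as every sample on this page shows, that each value is followed by a comma; it uses that trailing comma to find the end of unquoted scalars such as Temperature @ 10G Phys [U171].

```python
"""Added example (not from the article or from Palo Alto Networks): parse the
brace notation printed by 'show system state' and check each env.sN.thermal.M
sensor against its own 'max'/'min'. Assumption: every value is followed by a
comma, as in all of the article's output."""
import re

# 'show system state filter env.* | match thermal' output from the article.
THERMAL = """\
env.s1.thermal.0: { 'alarm': False, 'avg': 30.800, 'desc': Temperature @ 10G Phys [U171], 'hyst': 2.750, 'max': 60.000, 'min': 5.000, 'samples': [ 30.500, 30.500, 31.000, 31.000, 31.000, ], }
env.s1.thermal.1: { 'alarm': False, 'avg': 41.500, 'desc': Temperature @ Jaguar [U172], 'hyst': 2.750, 'max': 60.000, 'min': 5.000, 'samples': [ 41.500, 41.500, 41.500, 41.500, 41.500, ], }
env.s1.thermal.2: { 'alarm': False, 'avg': 36.000, 'desc': Temperature @ Tiger [U173], 'hyst': 2.750, 'max': 60.000, 'min': 5.000, 'samples': [ 36.000, 36.000, 36.000, 36.000, 36.000, ], }
env.s1.thermal.3: { 'alarm': False, 'avg': 34.200, 'desc': Temperature @ Dune [U174], 'hyst': 2.750, 'max': 60.000, 'min': 5.000, 'samples': [ 34.000, 34.000, 34.000, 34.500, 34.500, ], }
"""
# CONSTRUCTED record: a sensor reading above its max, with the device alarm set.
HOT = "env.s1.thermal.9: { 'alarm': True, 'avg': 61.200, 'desc': constructed hot sensor, 'hyst': 2.750, 'max': 60.000, 'min': 5.000, 'samples': [ 61.000, 61.500, ], }\n"


def _scalar(raw):
    """Unquoted scalar text -> bool, int, float or stripped str."""
    raw = raw.strip()
    if raw in ("True", "False"):
        return raw == "True"
    for cast in (int, float):
        try:
            return cast(raw)
        except ValueError:
            pass
    return raw


class _Parser:
    """Recursive-descent parser for { 'key': value, ... } / [ value, ... ] text."""

    def __init__(self, text):
        self.s, self.i = text, 0

    def _ws(self):
        while self.i < len(self.s) and self.s[self.i].isspace():
            self.i += 1

    def value(self):
        self._ws()
        c = self.s[self.i] if self.i < len(self.s) else ""
        if c == "{":
            return self._container("}", self._dict_item)
        if c == "[":
            return self._container("]", self._list_item)
        end = self.s.find(",", self.i)           # scalar runs to the trailing comma
        end = len(self.s) if end < 0 else end
        raw, self.i = self.s[self.i:end], end
        return _scalar(raw)

    def _container(self, closer, item):
        self.i += 1                              # skip the opening bracket
        out = {} if closer == "}" else []
        while True:
            self._ws()
            if self.s[self.i] == closer:
                self.i += 1
                return out
            item(out)
            self._ws()
            if self.s[self.i] == ",":
                self.i += 1

    def _dict_item(self, out):
        if self.s[self.i] != "'":
            raise ValueError(f"expected quoted key at offset {self.i}")
        close = self.s.index("'", self.i + 1)
        key, self.i = self.s[self.i + 1:close], close + 1
        self._ws()
        if self.s[self.i] != ":":
            raise ValueError(f"expected ':' at offset {self.i}")
        self.i += 1
        out[key] = self.value()

    def _list_item(self, out):
        out.append(self.value())


def parse_state(text):
    """Parse one or more top-level 'key: value' records into a dict."""
    p, out = _Parser(text), {}
    while True:
        p._ws()
        if p.i >= len(p.s):
            return out
        colon = p.s.index(":", p.i)
        key, p.i = p.s[p.i:colon].strip(), colon + 1
        p._ws()
        if p.i < len(p.s) and p.s[p.i] in "{[":
            out[key] = p.value()
        else:                                    # top-level scalar: rest of the line
            nl = p.s.find("\n", p.i)
            nl = len(p.s) if nl < 0 else nl
            out[key], p.i = _scalar(p.s[p.i:nl]), nl


def thermal_status(text):
    """Per-sensor report: average vs. the device's max/min, headroom, alarm flag."""
    report = {}
    for key, s in parse_state(text).items():
        if not re.fullmatch(r"env\.s\d+\.thermal\.\d+", key):
            continue
        report[key] = {
            "desc": s["desc"],
            "avg": s["avg"],
            "margin": s["max"] - s["avg"],        # degrees C left before the alarm
            "over_threshold": s["avg"] > s["max"] or s["avg"] < s["min"],
            "alarm": s["alarm"],
        }
    return report
```

parse_state returns ordinary Python values (the 'samples' list becomes a list of floats, 'alarm' a bool), so the same function reads the sys.sX.pY.phy and md.apps.* records shown in the other articles on this page; thermal_status only adds the per-sensor comparison on top of it.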
Overview
This document describes how to display interface MAC addresses.

Details
The CLI commands below display the MAC addresses of Palo Alto Networks interfaces, including those of an HA cluster. For example, to display the MACs for all interfaces on a Palo Alto Networks firewall:

> show interface all
total configured hardware interfaces: 15
name                    id    speed/duplex/state        mac address
-------------------------------------------------------------------------------
ethernet1/1             16    1000/full/up              00:1b:17:05:2c:10
ethernet1/2             17    1000/full/up              00:1b:17:05:2c:11
ethernet1/3             18    unknown/unknown/down      00:1b:17:00:0b:12
ethernet1/4             19    unknown/unknown/down      00:1b:17:00:0b:13
ethernet1/5             20    1000/full/up              00:1b:17:00:0b:14
ethernet1/6             21    1000/full/up              00:1b:17:00:0b:15
ethernet1/7             22    unknown/unknown/down      00:1b:17:00:0b:16
ethernet1/8             23    100/full/up               00:1b:17:00:0b:17
ethernet1/9             24    100/full/up               00:1b:17:00:0b:18
ethernet1/10            25    100/full/up               00:1b:17:00:0b:19
ethernet1/11            26    unknown/unknown/down      00:1b:17:00:0b:1a
ethernet1/12            27    unknown/unknown/down      00:1b:17:00:0b:1b
vlan                    1     [n/a]/[n/a]/up            00:1b:17:00:0b:01
loopback                3     [n/a]/[n/a]/up            00:1b:17:00:0b:03
tunnel                  4     [n/a]/[n/a]/up            00:1b:17:00:0b:04

total configured logical interfaces: 21

To display an individual interface, specify the interface in the following command:

> show interface ethernet1/1

For example:

> show interface ethernet1/1
-------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Link status:
  Runtime link speed/duplex/state: 1000/full/up
  Configured link speed/duplex/state: auto/auto/up
MAC address:
  Port MAC address 00:1b:17:05:2c:10
Operation mode: ha
-------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Operation mode: ha
Interface IP address: 2.2.2.2/24
Interface management profile: N/A
Service configured:
Zone: N/A, virtual system: N/A
-------------------------------------------------------------------------------
Physical port counters read from MAC:
-------------------------------------------------------------------------------
rx-broadcast                  0

The following command displays the MAC addresses of an HA cluster:

> show high-availability state

For example:

> show high-availability state
Group 1:
  Local Information:
    Version: 1
    State: active
    Priority: 200
    Preemptive: False
    Platform Model: PA-4050
    Version information:
      Build Release: 3.0.5
      URL Database: 3233
      Application Content: 160-463
      Threat Content: 160-463
      VPN Client Software: 1.0.2
    Passive Hold Interval: 10 ms
    Passive Link State: auto
    Hello Message Interval: 1000 ms
    Management IP Address: 10.30.14.7; netmask: 255.255.255.0
    HA1 IP Address: 1.1.1.2; netmask: 255.255.255.0
    HA1 MAC Address: 00:30:48:5d:45:f7
    HA1 encryption enabled: False
    HA2 MAC Address: 00:1b:17:01:18:06
    Running Configuration: synchronized
    State Synchronization: synchronized
    Application Content Compatibility: Match
    Threat Content Compatibility: Match
    VPN Client Software Compatibility: Match
  Peer Information:
    Connection status: up
    Version: 1
    State: passive
    Priority: 1
    Preemptive: False
    Platform Model: PA-4050
    Version information:
      Build Release: 3.0.5
      URL Database: 3233
      Application Content: 160-463
      Threat Content: 160-463
      VPN Client Software: 1.0.2
    Management IP Address: 10.30.14.6
    HA1 IP Address: 1.1.1.1
    HA1 MAC Address: 00:30:48:5d:0c:c1
    HA2 MAC Address: 00:1b:17:01:14:06

On the L3 interfaces, the MAC address listed for an interface by the show interface all command on an HA cluster is the VMAC. The format of the virtual MAC is 00-1B-17:00:xx:yy, where
  00-1B-17: vendor ID
  00: fixed
  xx: HA group ID
  yy: interface ID

The following CLI command displays the VMAC and VIP for an Active-Active HA cluster:

> show high-availability virtual-address

For example:

> show high-availability virtual-address
Total interfaces with virtual address configured:   2
Total virtual addresses configured:                 2
--------------------------------------------------------------------------------
Interface: ethernet1/1
  Virtual MAC:               00:1b:17:00:05:10
  Virtual MAC from the peer: 00:1b:17:00:85:10
  107.204.232.53                          Active:yes    Type:floating
--------------------------------------------------------------------------------
Interface: ethernet1/6
  Virtual MAC:               00:1b:17:00:05:15
  Virtual MAC from the peer: 00:1b:17:00:85:15
  192.168.90.1                            Active:yes    Type:floating
--------------------------------------------------------------------------------

The following CLI command displays the VMAC for an Active-Passive HA cluster:

> show interface all
ethernet1/5             20    1000/full/up              00:1b:17:00:0b:14

In the above output example, HA Group ID = 0b hex (11 decimal) and Interface ID = 14 hex (20 decimal).

Note: The MAC addresses of the HA1 interfaces, which are on the control plane and synchronize the configuration of the devices, are unique. The MAC addresses of the HA2 interfaces, which are on the data plane and synchronize the active sessions, mirror each other.

owner: gcapuno
View full article
nrice ‎09-15-2015 11:31 PM
39,459 Views
6 Replies
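The MAC-address article above spells out the virtual MAC layout (00:1b:17:00:xx:yy, xx = HA group ID, yy = interface ID) and the short note earlier on this page gives the numbers at which interface IDs start (16 for hardware and 48 for AE interfaces; 32 and 16 on the PA-7000). The following is an added example, not code from either article or from Palo Alto Networks, that composes and decodes that layout and classifies the MACs in a show interface all listing as virtual or hardware MACs; knowing which MACs an HA pair is expected to present is useful when auditing switch MAC tables or ARP data after a failover. Two things are assumptions drawn from the articles' own output rather than stated by them: the peer's VMAC in the active/active sample (00:1b:17:00:85:10 beside the local 00:1b:17:00:05:10) differs only in the high bit of xx, which the code models as a device bit; and interface IDs count up from the platform's starting number, ethernet1/1 = 16 and ethernet1/5 = 20 in the sample, so interface_id() computes base + port - 1 for a single-slot chassis. The listing rows are copied from the article.

```python
"""Added example (not from the articles or from Palo Alto Networks): compose and
decode the HA virtual MAC layout 00:1b:17:00:xx:yy and classify the MACs in a
'show interface all' listing. See the lead-in for the two assumptions."""
import re

OUI = "00:1b:17"  # vendor prefix used in every MAC shown in the article

# Starting interface IDs from the "interface IDs start with" note on this page.
ID_BASE = {"default": {"hardware": 16, "ae": 48},
           "PA-7000": {"hardware": 32, "ae": 16}}

# Rows copied from the article's 'show interface all' output.
SHOW_INTERFACE_ALL = """\
name                    id    speed/duplex/state        mac address
-------------------------------------------------------------------------------
ethernet1/1             16    1000/full/up              00:1b:17:05:2c:10
ethernet1/3             18    unknown/unknown/down      00:1b:17:00:0b:12
ethernet1/5             20    1000/full/up              00:1b:17:00:0b:14
vlan                    1     [n/a]/[n/a]/up            00:1b:17:00:0b:01
"""

_VMAC_RE = re.compile(r"00:1b:17:00:([0-9a-f]{2}):([0-9a-f]{2})")


def vmac(ha_group_id, interface_id, device_id=0):
    """Build 00:1b:17:00:xx:yy. device_id=1 sets the high bit of xx, an
    assumption taken from the article's active/active sample (05 vs 85)."""
    if not 0 <= ha_group_id <= 0x7F or not 0 <= interface_id <= 0xFF \
            or device_id not in (0, 1):
        raise ValueError("group 0-127, interface 0-255, device 0 or 1")
    return f"{OUI}:00:{ha_group_id | (device_id << 7):02x}:{interface_id:02x}"


def decode_vmac(mac):
    """Return (ha_group_id, interface_id, device_id) for a VMAC-shaped MAC,
    or None when the MAC does not have the 00:1b:17:00 prefix."""
    m = _VMAC_RE.fullmatch(mac.lower().replace("-", ":"))
    if not m:
        return None
    xx, yy = int(m.group(1), 16), int(m.group(2), 16)
    return xx & 0x7F, yy, xx >> 7


def interface_id(name, platform="default"):
    """Interface ID for ethernet1/N or aeN (assumed: base + N - 1, slot 1 only)."""
    base = ID_BASE["PA-7000" if platform.startswith("PA-7000") else "default"]
    if m := re.fullmatch(r"ethernet1/(\d+)", name):
        return base["hardware"] + int(m.group(1)) - 1
    if m := re.fullmatch(r"ae(\d+)", name):
        return base["ae"] + int(m.group(1)) - 1
    raise ValueError(f"unsupported interface name: {name}")


def classify_interfaces(listing, ha_group_id):
    """Map each row of 'show interface all' to 'virtual' when its MAC is the VMAC
    for (ha_group_id, the row's own interface ID), otherwise to 'hardware'."""
    result = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[1].isdigit():
            continue  # header, separator or malformed row
        name, iface_id, mac = fields[0], int(fields[1]), fields[3]
        decoded = decode_vmac(mac)
        is_virtual = (decoded is not None and decoded[0] == ha_group_id
                      and decoded[1] == iface_id)
        result[name] = "virtual" if is_virtual else "hardware"
    return result


if __name__ == "__main__":
    print(vmac(11, 20))                     # the article's ethernet1/5 example
    for name, kind in classify_interfaces(SHOW_INTERFACE_ALL, 11).items():
        print(f"{name:12s} {kind}")
```

In the article's listing, ethernet1/1 and ethernet1/2 carry hardware MACs (00:1b:17:05:2c:10 and :11), while every other interface, including vlan, loopback and tunnel, carries the group-11 VMAC for its own interface ID; classify_interfaces() reproduces that split, which is what makes a MAC seen on the switch that fits neither pattern worth a second look.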
Issue
After a reboot of a Palo Alto Networks PA-5000 Series firewall running PAN-OS 5.0.4 in an HA cluster configuration, the following error is shown: Dataplane down: brdagent exiting. The dataplane fails to initialize, causing network traffic to stop.

After a while, the firewall can no longer be accessed on the WebGUI and the CLI has limited functionality.

Cause
The problem is likely to be caused by a power supply unit (PSU) error and can be verified with the following command:

> grep mp-log controlplane-console-output.log pattern pca954x_select

The error message output should be similar to the following for PAN-OS 5.0 and later:
i2c-octeon i2c-octeon.1: octeon_i2c_start: bad status (0x0)
pca954x_select: Failed to select the I2C multiplexor (addr=75, val=01, err=-145)!

The output may indicate a problem caused by an assembly issue of the PSU where a chassis ground connection is partial or incomplete.

Workaround
Remove power from the system for at least 10 seconds and see if the problem disappears. Contact Palo Alto Networks support.

Note: This description is based upon personal experience while troubleshooting and communicating with support. The problem may not be limited to HA setups, but is known only for certain batches of PSUs for PA-5000 Series firewalls.
View full article
istankus ‎09-13-2015 03:03 PM
7,608 Views
1 Reply
1 Like
Issue
When opening the Device > Support page, the Palo Alto Networks firewall reports a "No update information available" error and support information is not displayed.

Cause
Lack of Internet connectivity to updates.paloaltonetworks.com.

Resolution
The support page contains information that requires the firewall to access the Palo Alto Networks servers. If no Internet access is available when the support page is opened, the error will occur.

Make sure the management port (or the data port configured in Device > Setup > Services > Service Route Configuration) has Internet access and can resolve updates.paloaltonetworks.com via DNS.

owner: acamacho
View full article
npare ‎09-10-2015 08:07 AM
5,330 Views
2 Replies
Details
On the PA-7000 platforms, there is one additional session type beyond the ones described in Palo Alto Networks Firewall Session Overview. The added session type is Forward (FORW) and is visible only on the CLI or Web GUI:
  CLI: Run show session all and look for type FORW
  WebGUI: Navigate to Monitor > Session Browser

Characteristics of the Forward session type:
  - Used internally to deliver traffic
  - Transient only
  - Always has the destination zone "captive-portal"

Note: This occurs even if Captive Portal is not enabled on the firewall and no zone with the name "captive-portal" has been created. This does not affect the capacity or proper function of the firewall and may be ignored.

owner: aciobanu
View full article
aciobanu ‎09-09-2015 10:13 AM
3,647 Views
0 Replies
Symptoms
There is a chance, when accessing the console, that the following error message is displayed:

Welcome to the Maintenance Recovery Tool
Welcome to maintenance mode. For support please contact Palo Alto Networks.
< Continue >
Q=Quit,  Up/Down=Navigate,  ENTER=Select,  ESC=Back
=====================================================================
Maintenance Entry Reason
Entry Reason: Both the RAIDs are set as the Primary PANOS drive
Corrective Action: Set correct primary drive.
=====================================================================

Resolution
Enter maintenance mode and select RAID under the Maintenance Recovery Tool:

Disks:
  1: Model: FTM24CT25H, size 240057409536 bytes
  2: Model: FTM24CT25H, size 240057409536 bytes
-----------------------------
< RAID Auto Setup (Ignore Non-Matching Models)
< Set drive 1 as primary PanOS drive
< Set drive 2 as primary PanOS drive

Migrate options move all files from Drive X -> Y, resizing to the maximum that drive Y supports; the old drive is then removed. This is generally not required and will take a long time (up to 1 hr).
Note: Migrating to a smaller drive will delete all logs. Export logs before migrating.

Steps
  1. Select "Set drive 1 as primary PanOS drive" and press Enter. The tool reports: RAID setup complete, use main RAID page to monitor status.
  2. Select Back.
  3. Select 'Reboot' and then hit Enter.

owner: kprakash
View full article
kprakash ‎09-09-2015 10:11 AM
2,563 Views
0 Replies
1 Like