Management Articles

Featured Article
The multi-factor authentication features of Palo Alto Networks starting with PAN-OS 8.0. This article shows how to integrate with DUO Security, how to use MFA to authenticate a web application, and how to use MFA for a non-web application (requesting authentication through the GlobalProtect agent).
MarceloRey 05-09-2018 10:24 AM
3,717 Views
0 Replies
2 Likes
Palo Alto Networks automation starting with PAN-OS 8.0, and Dynamic Address Groups (DAG). This is very useful for building a self-defending data center, without having to apply policies manually.
MarceloRey 02-06-2018 12:49 AM
3,217 Views
0 Replies
2 Likes
Overview
To replace or repair a firewall, open a case requesting an RMA with an authorized support provider. This document discusses how to prepare the replacement firewall for the production environment. If you are replacing a device in HA, you can use the following: How to Configure a High Availability Replacement Device

Steps
1. Register the new firewall and transfer licenses. Upon receipt, register the new device and transfer licenses from the old unit. After Palo Alto Networks receives the failed device, the old licensing is stripped, so it is important to transfer the licenses immediately. To transfer the license, follow these instructions: How to Transfer Licenses to a Spare Device
Note: When a license is transferred to the spare device, the original device still has a 30-day evaluation license.

2. Configure the Management Interface. The default Management Interface IP is 192.168.1.1 and the default login/password is admin/admin. Configure the Management Interface to have internet access and a DNS server configured under Device > Setup. This interface should be able to communicate with updates.paloaltonetworks.com. Alternatively, configure a service route to enable a Layer 3 interface with internet access for management. The appropriate interfaces, routing, and policies must be configured on the device. Go to Device > Setup > Service Route Configuration and choose the appropriate interface IP address for paloalto-updates and dns. An example is provided below:
Note: Refer to How to Configure the Management Interface IP to set up the IP address for the management interface.

3. Retrieve the licenses previously transferred to the device. Go to Device > Licenses > Retrieve license keys from license server. The licenses for each feature are displayed on the same page. Be sure that you have a URL filtering license, that URL filtering is activated, and that the database has been successfully downloaded. If a "Download Now" link is displayed, the database has not been downloaded. A successfully activated and downloaded PAN-DB URL filtering database looks like this:

4. The device is now ready to be upgraded, if needed. Download and install the available Apps or Apps+Threats package from Device > Dynamic Updates > Applications and Threats > Check Now. The device lists the available packages to download and install. To update PAN-OS, go to Device > Software > Refresh. Additional information about PAN-OS upgrades: How to Upgrade PAN-OS and Panorama

5. Enable multi-vsys or jumbo frames, the same as on the old firewall, if applicable:
    > set system setting multi-vsys on
    > set system setting jumbo-frame on

6. To load a previously backed up configuration on the replacement device, follow the use case that applies:

Case 1: The old device is still connected to the network and the firewall was not managed from Panorama.
Assuming that only the management network on the new firewall has been connected: On the old device, save the configuration (Device > Setup > Save Named Configuration Snapshot) and then export it (Device > Setup > Export Named Configuration Snapshot). On the new device, go to Device > Setup > Import Named Configuration Snapshot to import the backed up configuration onto the device. Once the configuration is imported, load it via Device > Setup > Load Named Configuration Snapshot. Change the management IP and hostname so that they do not conflict with the existing device if it is connected to the same management network; this can be changed back later if required. Resolve any commit errors and commit the configuration. Remove the old device and move the network cables to the new device.

Case 2: The old device is still connected to the network and the firewall is managed from Panorama.
Assuming only the management interface of the new device is connected: On the old device, export the device state (Device > Setup > Export Device State). On the new device, go to Device > Setup > Import Device State to import the backed up device state. Once you do this, the firewall gets exactly the same settings as the old device (the same IP and hostname as well), and no configuration needs to be loaded. At this point you can remove the old firewall. On the Panorama CLI, replace the old serial number with the new serial number:
    replace device old <old SN#> new <new SN#>
Then commit locally and push a commit to the firewall as well to bring it in sync.

Case 3: The old device is no longer available to take a backup and the firewall was not managed from Panorama.
Look for an old tech support file from the old firewall. You can get the configuration from /opt/pancfg/mgmt/saved-config/running-config.xml. If no previous tech support files are available, you may be able to use maintenance mode on the firewall to back up the old config: How to Retrieve the Palo Alto Networks Firewall Configuration in Maintenance Mode. Take the running-config.xml and import it on the new firewall (Device > Setup > Import Named Configuration Snapshot). Commit and make sure the device is up and running.

Case 4: The old device is no longer available to take a backup and the firewall is managed from Panorama.
From Panorama, take a backup of the configuration bundle: Panorama > Setup > Operations > Export Panorama and devices config bundle. In this file there is a .xml file whose name contains the serial number of the old firewall. This configuration can be used to load on the new device; however, keep in mind that it is only a copy of the local config of the firewall and does not contain the Panorama-pushed configuration. Assign an IP to the new firewall's management port and commit so that it is connected to Panorama. On Panorama, replace the old S/N with the new S/N:
    replace device old <old SN#> new <new SN#>
Commit locally. Do NOT push the config to the new firewall yet. From the Panorama and devices config bundle, use the config corresponding to the old device S/N and import and load it on the new firewall. Do NOT commit yet. From Panorama, now push a DG and Template commit to the new firewall. This commit should merge the candidate config and the config pushed from Panorama. If there are no commit errors, the device should be up and running.

7. If you are using any NAT IPs for source or destination NAT that are in the same subnet as the NAT interface (other than the IP of the interface itself), you will need to send a manual gratuitous ARP from the firewall to update the peers' ARP tables. For example, if your interface IP is 198.51.100.1/24 and you are using 198.51.100.2 for NAT, you need to send a GARP for 198.51.100.2:
    > test arp gratuitous ip <ip> interface <interface>

8. Return the defective device. To restore the factory default before returning it, refer to: How to Factory Reset a Palo Alto Networks Device, or, if running PAN-OS 6.0 and later, review How to SSH into Maintenance Mode, since SSH into maintenance mode is possible there. Customers whose support subscription includes advance replacement of a failed firewall must return the defective unit to Palo Alto Networks after receiving the replacement.
United States Customers - A return shipping label will be in the carton with the replacement. Affix the label to the carton to return the defective unit.
International Customers - Refer to the return instructions and documents in the replacement shipping carton.
nrice 11-15-2017 12:36 PM
49,087 Views
12 Replies
3 Likes
Symptoms
Deploying Panorama in a Panorama/Log Collector combination in HA mode on the Panorama > Managed Log Collectors tab results in the following error: Ring version mismatch.
Diagnosis
Solution
To resolve this mismatch, the configuration needs to be committed to both Panorama and the log collector group:
1. Perform a local commit on Panorama.
2. Perform a commit on the Log Collector group.
To see the complete procedure for setting up an appliance in dual mode as Panorama and log collector, refer to: How to Configure an M-100 to Function as Both a Log Collector and Panorama
crajariyap 10-03-2016 04:58 PM
4,008 Views
0 Replies
Symptoms
After importing the device config to Panorama and then doing "Export or push device config bundle" under Panorama > Setup > Operations, we see the following error.
Diagnosis
We see the error when we skip the 'commit' before doing "Export or push device config bundle".
Solution
Please follow the article to import the device config to Panorama and integrate the device in a new device group and template in Panorama.
rchougale 06-22-2016 03:31 PM
1,504 Views
0 Replies
Symptoms
Is there a way to generate SNMP traps or some other type of notification if a VPN tunnel goes down?
Diagnosis
A tunnel monitor was set up to monitor IPsec VPN tunnels between PA devices, and the goal was to generate an alert if a tunnel goes down. At this point in time, PA devices do not support VPN tunnel monitoring events through SNMP MIBs.
Solution
As a workaround, we can rely on a Syslog server and the logs we send to it.
Steps:
1. Configure the Tunnel Monitor feature on the firewall.
2. Configure a syslog server.
3. Configure Device > Log Setting > System to send logs to the Syslog server.
When the tunnel monitor fails, the firewall generates the following message in the system log:

Time                 Severity  Subtype  Object         EventID  ID  Description
2015/11/15 13:24:34  low       vpn      <object name>  tunnel-  0   Tunnel <tunnel name> is down

The Syslog server receives the "tunnel down" message. After the IPSec tunnel is brought up, the tunnel interface also goes up and a new "tunnel is UP" message is generated in the system logs; the newly generated log is sent to the Syslog server.
See also: Dead Peer Detection and Tunnel Monitoring; How to Verify if IPSec Tunnel Monitoring is Working; How to Forward System Logs to Syslog Server
crajariyap 04-25-2016 07:12 PM
4,566 Views
0 Replies
Question
Does the PA-3060 support PAN-OS versions released prior to PAN-OS 6.1.0?
Answer
No. The PA-3060 model in the PA-3000 series does NOT support PAN-OS versions released prior to 6.1.0. The PA-3060 hardware includes the new 10G SFP+ ports, and only PAN-OS 6.1 and above support this hardware. An internal check has been programmed for this device so that it does not fetch any versions prior to PAN-OS 6.1.0 from the software update server, and any attempt to manually load older versions also fails. This behavior is by design, to avoid unforeseen issues due to unsupported PAN-OS versions. The PA-3050 and PA-3020 devices CAN run older PAN-OS versions if desired.
Please note: if you manually upload and try to install any software prior to PAN-OS 6.1, you will get the following error while trying to install:
syadav 01-04-2016 12:54 PM
3,240 Views
0 Replies
1 Like
The following issues have been addressed in the PAN-OS 6.0 release.

Issue: Description
60347: Some service route settings could not be configured when the web interface was set to a language other than English.
59772: Traffic logs from log collectors were not visible on the Panorama web interface.
59707: NTP information on the firewall was displayed in a way that could lead to confusion; for example, stating that the server the device is synced with is not connected (connected: false). NTP information is now displayed more clearly.
59407: NetFlow (type 4) messages were appearing in the traffic log database and reports.
59128: After logging in to Panorama using the CLI with RADIUS credentials, the following error message was printed: Server error : show -> system -> setting -> multi-vsys is unexpected.
59031: When admin users tried to log into the CLI without previously logging into the web interface and a RADIUS authentication profile was configured, the firewall sent a request to the RADIUS server with an invalid password different from the one submitted by the user. This resulted in valid users being unable to authenticate to the RADIUS server.
59030: Certificates generated during SSL decryption were not adhering to the ASN.1 format. This was leading to the SSL connection being dropped by some servers.
58885: The test nat-policy-match command now properly displays results for no-nat rules.
58736: WildFire email notifications did not contain a date header.
58733: The fields in the CSV report were displayed incorrectly after performing a CSV export on the Monitor > HIP Match page on the Panorama web interface.
58614: Local users discovered by WMI query were mapped as the local user of the computer, instead of Unknown as is the expected behavior.
58347: Suppressed extraneous messages (for example, disabling an interrupt request that occurs within the underlying subsystem) from displaying on the console. These messages are now logged in the system log only.
58264: Previously, the debug software virt-limit limit command showed an incorrect max value: 4294967295. The max value has been fixed to display in kilobytes.
58223: Captive portal was not presenting a complete certificate chain to the client. It presented only the end certificate and not the intermediate certificate.
58215: The output from the CLI command show routing protocol ospf area was rearranged to provide greater clarity in the values defined.
57975: It was not possible using Panorama to proxy a REST API call for retrieving report information from a firewall.
57960: When the Palo Alto Networks firewall was configured to support several virtual systems, the firewall administrator could not revert the Destination Interface in a NAT Policy Rule back to the option any after an interface had been selected. This was because the any field in the NAT to-interface configuration had an incorrect schema value. The incorrect schema was fixed by adding any as a default NAT to-interface value in the configuration.
57927: When authenticating through captive portal, there was a delay after the authentication redirect for Firefox and Chrome browsers. This has been corrected by closing the socket after the redirect.
57874: DNS resolution did not turn off when the Resolve Hostname checkbox was cleared in the Monitor tab, and the Palo Alto firewall continued to display the hostnames instead of the IP addresses. IP addresses are now displayed when the Resolve Hostname checkbox is cleared.
57768: A DHCP server did not differentiate between DHCP clients when the DHCP Client Identifier in the DHCP request exceeded 32 bytes. The maximum size of the DHCP Client Identifier has been increased to 312 bytes.
57660: PA-2000 Series platform management ports did not link up when connected directly using a straight or cross cable.
57608: When using multiple NetFlow hosts across multiple profiles, instances of the FlowSequence number were skipped. The expected behavior is that the value is cumulative, and should be used by the Collector to identify whether any Export Packets have been missed.
57535: Fixed an issue where the user was not able to create a QoS profile with an egress bandwidth greater than 50 Mbps on a virtual firewall (Network > Network Profiles > QoS Profile).
57507: The option L3 Forwarding Enabled in the configuration of a VLAN has been removed. In pre-6.0 releases, enabling or disabling this option did not affect traffic forwarding. Enabling or disabling L3 forwarding on a VLAN should be performed by adding or removing an L3 VLAN interface to the VLAN configuration.
57448: The IRC checkbox in the Botnet Configuration window (Monitor > Botnet) was not displayed on the web interface when the language was set to Japanese and a Chrome browser was being used.
57360: CLI help for the show session all filter destination command was showing instead of.
57258: Both HTTP and HTTPS were available when accessed directly from the management interface; however, HTTP was unavailable when accessed using a subinterface.
57159: The dataplane was passing traffic even though the management plane was rebooted and could not boot.
57154: On a PA-5000 Series firewall, the QoS rate is adjusted slightly to accommodate hardware limitations. The following help message is now displayed on the configuration window on the web interface: Bandwidth limits shown include hardware adjustment factor.
57098: In some Layer 2 configurations, multicast traffic passing through the firewall was resulting in both forward and drop counters incrementing due to the packets being broadcast. Additionally, the multicast packet was included in both the transmit and drop stage dataplane packet capture. New global counters were added to clarify the actions being taken by the firewall when processing multicast packets in a Layer 2 configuration.
56905: When a PA-5000 Series firewall received more than 3000 BGP prefixes, the web interface showed an error when displaying the Local RIB for BGP: op command for client routed timed out. Additionally, when the command show routing protocol bgp loc-rib-detail was issued, the CLI returned the error: Server error : op command for client routed timed out.
56858: A cache corruption prevented the user from downloading files when clicking the Continue button in the File Blocking Continue page.
56802: In a single-vsys setup, a Log Forwarding Profile created on the web interface was not displayed after issuing the CLI command: show shared log-settings profile.
56787: After an upgrade, the captive portal custom response page showed ::ffff: before the IP address.
56703: In the web interface, global timeout values were displayed in addition to the application-level timeout values that actually took effect. This has been updated to show only application-level timeout values.
56367: Fixed an issue where NetFlow data could not be exported for all subinterface types. NetFlow records were not picked up by the log-receiver.
56107: Addressed dataplane restarts that occurred intermittently on PA-3000 Series devices deployed in an HA configuration.
56087: Log collectors were optimized in PAN-OS 6.0.0 for quicker failover and failback.
55833: GRE port information was not mapped correctly on the VM-Series platforms, causing predict sessions to not match and leading to dropped packets.
55774: On the web interface, setting the value for max-rows-in-csv-export did not work when set to more than 65535.
55696: Misspellings were displayed in the output for the command set session processing-cpu. The misspellings have been corrected.
55693: Added an enhancement to reduce the routed log in order to help reduce OSPF flaps.
55407: User-ID virtual memory was exceeding its limit in a multi-vsys environment when a large number of LDAP objects were returned to the firewall. With this fix, LDAP queries made by the firewall will filter on groups specified in the include-list.
55387: When using local user groups to assign users to particular gateways, the connection to the GlobalProtect server for the users in that local group failed.
55111: When traffic triggered session reuse and was offloaded, sometimes a FIN was dropped when the sequence number was out of window. This has been fixed so that the sequence number check on an offloaded reused session is skipped, as the dataplane processor cannot track sequence numbers after offloading.
54958: Upon opening a PCAP on the firewall, escape sequences were displayed instead of the special characters in the data part. A fix is provided to display the characters correctly.
54949: A commit failed when DHCPv6 relay was configured on an interface that did not have an IPv4 address.
54755: An issue was addressed where creating a static route with the next hop set to None and cloning it or going back into it was changing the next hop settings to from None.
54676: In the web interface, on the Device > User Identification > Group Mapping Settings > Group Mapping > Group Include List tab, the list of Available Groups to add to the Included Group list displayed approximately the first 200 groups, with the option to select more... to view more group entries. However, clicking more... failed to display more group entries, even when several more groups were defined and should have been available.
54547: Fixed an issue where peer HA2 IP information was not getting updated after issuing the CLI command show high-availability all.
54486: Added support for both single-quote and double-quote values when entering options using the Command Line Interface (CLI).
54283: An auto commit failed during a threat database update, displaying the error Threat database handler failed.
54265: The system log message Antivirus job failed has been updated; the following will be reported in the system log instead: Antivirus update job failed.
54113: A Forwarding Information Base (FIB) table entry discrepancy caused SSH packets to be sent back. This occurred only on PA-2000 Series firewalls.
53888: On PA-5000 Series devices, the DIPP limit was causing the following system error when trying to add more NAT policies to the firewall: Error: Number of dynamic-ip-and-port rules (251) exceeds vsys capacity (250) Error: Failed to parse nat policy. The maximum number of DIPP rules has now been increased.
53632: Fixed a BGP aggregate policy issue where the aggregate route was no longer advertised when a more specific prefix within the aggregate range was learned.
53615: When enabling IPv6 on an interface, link local IPv6 routes were counted towards the rtm_total/connected/ipv6; however, the link local IPv6 routes were not installed to the Forwarding Information Base (FIB) on the dataplane.
53554: Disks in a Panorama VM OVF were misaligned with NetApp and caused performance degradation with some storage devices.
53514: An HA Active/Active configuration for IPv6 using FCoE Initialization Protocol (FIP) did not behave consistently when SLAAC was also configured.
53148: Output of the debug dataplane packet-diag show setting command truncated the interface name to 15 characters.
53059: Role-based admin users without privileges to access logs or the Monitor tab were able to view logs using the Dashboard widgets.
52847: Link monitoring and Path monitoring were on hold when a commit started and until one minute after the commit was done. Changes are introduced to remove the hold on Link and Path monitoring during Phase 1 of commits.
52777: Link and Path monitoring were not always working properly during the commit process.
52738: A reset was sent to Captive Portal clients when trying to load multiple pages before logging in to the portal.
52629: PAN-DB reverted back to BrightCloud due to lack of a management connection on first reboot.
52567: The loading icon was not shown when using the list of users to add a source user to a security policy on the web interface.
52214: Some traffic was getting dropped if the number of routes in the routing table was high.
52184: Changing the Jumbo Frame settings on the device without restarting the entire device caused the dataplane to experience an unexpected restart. This has since been fixed so that when you change Jumbo Frame settings, an entire device reboot is no longer required and a dataplane restart will work.
52128: Fixed an issue where a management profile was configured on an interface and clients were not getting IP addresses from the DHCP server when the device was configured as a DHCP relay agent.
52050: After manually upgrading PAN-OS, no Reboot button was visible, as it was in previous releases. A message was displayed instead that the user must reboot the device by closing the current window and then rebooting.
51955: The CLI displayed two counters listed under IPv6 filter, even though they also applied to IPv4. A change was made to list them under IPv(4/6) filter.
51880: Dynamic role-based device admins did not have the ability to save, export, load, and revert a configuration on the firewall or Panorama. This fix provides these capabilities to the admins.
51824: Device Groups added to multiple virtual systems were not always shown as managed devices on the web interface (Panorama > Device Groups > Device Group).
51648: In an HA Active/Passive setup, if NAT exists for outbound FTP connections and the interface IP address is used for the NAT, the ftp-data session would not synchronize to the passive device.
51597: When the XML API was used to push IP address, port range, and username information to a firewall deployed in HA, the details were not synchronized with the HA peer.
51091: Two-factor authentication (where both a client certificate profile and an authentication profile are configured) was not functioning as expected. The client was not required to provide the login credentials associated with the authentication profile after successfully authenticating with the client certificate.
51089: Fixed an issue where the repeat count in threat logs resulted in incorrect values.
51062: Inter-vsys sessions that traverse the firewall and terminate on a firewall interface would fail. This has been fixed.
51042: Certificates that were generated prior to master key changes could continue to be used.
51000: On a redundant power supply system on a PA-5000 Series device, no system log was visible when removing or adding a redundant power supply. Logging for these events has been added.
50963: Panorama software deployment failed to deploy when the OK button was clicked.
50936: Crypto Cores were created when a SIGTERM signal was received while the management plane was starting.
50817: When a GlobalProtect gateway's external-facing interface is configured with dynamic PPPoE and a loopback interface is configured for the destination interface to the GlobalProtect portal, GlobalProtect users are not able to connect. The issue is due to a problem with the gateway determining the tunnel ID of the portal in this configuration, which prevents the gateway from reaching the portal. The workaround is to not use the loopback interface; the PPPoE interface should be used in this configuration. The issue occurs in 4.1.6 and later versions of 4.1.x and all versions of 5.0. This issue was fixed to allow the use of a loopback interface when the external-facing interface for the gateway is dynamic.
50606: Captive Portal authentication failed when the username contained the character &. This issue has been addressed so that & is a valid character and Captive Portal authentication is successful when a username contains the character &.
50478: The Certificate Signing Request (CSR) generated by the firewall had a Challenge Attribute set by default. If configured, the signing entity could use this attribute or ignore it. Since this attribute was not being ignored by some signing entities, the behavior has been updated so that the Challenge Attribute is not set by default.
50310: A destination-based service route for DNS prevented an FQDN query from refreshing.
50091: A possible memory leak caused management plane services to not perform optimally during peak traffic periods.
50079: Added logging enhancements in order to help identify root cause.
50048: The CLI command show session all filter from to displayed no active sessions, when there were active sessions that should have been displayed in the output.
49851: In PAN-OS 6.0, DoS enforcement is now performed in the CPU prior to session installation.
49828: In custom reports, source and destination country are now available in the Query Builder as grouping options to organize the report.
49727: Navigating to the Network > Interface > Ethernet tab took 12-15 seconds for the screen to populate the interface data.
49294: The ACC (Application Command Center) tab on the Panorama web interface failed to display complete sections and appeared to be stalled, showing the error message: 3 requests sent 1 response received.
49038: Time zones were not automatically converted for Dynamic Update package release times.
49015: Fixed a dataplane restart issue that occurred when Jumbo Frames were enabled and the packets received buffer was high.
48896: In rare cases, abrupt restarting (for example, a power outage) led to internal system file corruption. This was related to checking OS image integrity, and the device could not upgrade. Preventative measures were put in place to prevent issues before and after the internal file updating.
48729: In Panorama, disabling the Share Unused Address and Service Objects with Devices feature returned an error stating that the shared address is not a valid reference. This occurred when a non-shared address group that was assigned to a specific device group contained a shared address or an address group was pushed. This issue has been fixed so that such a configuration is supported.
48709: Fixed an issue where setting a PCAP filter in the web interface would not work until the filter was reset by removing the automatically added 0.0.0.0.
48703: This fixes a NAT pool leak issue when a SYN packet on TCP/443 was sent to an address on an interface on which GlobalProtect was configured but which was not its primary address. A NAT port was allocated, the connection failed, and the session was freed, but the allocated NAT port was not cleared.
48584: On Panorama, there were long delays committing a policy due to the option Share Unused Address and Service Objects with Devices being cleared in large configurations. The delay was introduced because the system performs a calculation of the unused objects on commit. Commit times have been improved for large configurations.
48093: Configured address objects were not displayed as resolved on the Panorama web interface. On both the ACC tab and the Monitor > Logs > Traffic tab, host names defined in the address objects were not displayed, and the IP address was shown in the Host Name columns.
47642: Addressed the inability to write logs to disk. This issue occurred because the configuration on the Managed Collector and Collector Group was set up before the Managed Collector ever established a connection to Panorama. With this fix, Panorama allows you to configure the Collector Group only after the Managed Collector has connected at least once, so that Panorama can verify the availability of the disk(s) and their size. This ensures that the ring file is properly calculated and logs are written properly to disk.
47616: Devices which were no longer managed devices (had been managed devices previously but were not anymore) were displayed on the Panorama > Device Deployment > Licenses page on the Panorama web interface.
47461: Fixed an issue where SIP sessions were going into offload state after a content installation, causing SIP connectivity issues.
47071: In PAN-OS 6.0.0, you can now rename and push a shared object from Panorama to a managed firewall if you used that shared object in a local policy.
47007: An enhanced mechanism to hold control session packets being sent out before the predict session is installed is now present on the master dataplane.
46535: When using an Internet Explorer browser and a Block / Continue page appeared when attempting to download a file, clicking the Continue option did not download the file.
46308: The full User-IP Mapping table is now synchronized between peers in an HA cluster.
46134: On the Panorama web interface, DHCP server settings displayed for entries on the Network > DHCP page were not displayed on the DHCP Server window that is shown when clicking on one of the specific DHCP server entries.
45529: In some User-ID implementations, server session reads picked up capitalized special characters such as Ü. Normally all capitals are set to lower case, but this operation was not supported for special characters, causing a mismatch between group mapping and IP mapping.
44925: When a Virtual Router interface was deleted, added, or updated with a new IP/mask, all local Virtual Router interfaces on the management plane were uninstalled and then reinstalled. With this fix, the management plane will assess whether all Virtual Router interfaces changed before automatically uninstalling and reinstalling them all; the management plane will not uninstall and reinstall all Virtual Router interfaces unless they have all been changed.
43280: Before PAN-OS 6.0.0, NetFlow data could not be exported on a per-subinterface basis. Starting in PAN-OS 6.0.0, NetFlow data can be exported on a per-subinterface basis.
41472: When a DNS Proxy object was configured with static entries, hostnames assigned to the DNS Proxy were resolved as expected to the IP addresses listed on the Static Entries tab (Network > DNS Proxy). However, when setting the DNS Proxy object as the DNS Service on the Device > Setup > Services dialog, all DNS queries from the management interface ignored the defined static entries.
40648: Validation logic has been added to PAN-OS software image files to prevent upgrade failures due to file corruption.
39368: Enhancements have been made to the web interface so that High Availability link status is displayed with green or red indicators on the High Availability widget on the Dashboard tab. A green indicator signifies that the link is up on the HA port and heartbeats or keepalives are being sent and received. A red indicator signifies that the link on the HA port is down or that heartbeats or keepalives are not being received at all (for HA3 interfaces, the green and red indicators signify only whether the link is up or down).
owner: panagent
panagent 01-22-2014 09:42 AM
46,169 Views
0 Replies
Issue
Unable to use SSHv2 to any Layer 3 interface on a Palo Alto Networks device, even if a Management Profile is configured to allow SSH access.
Cause
The issue may be caused by having Vulnerability Protection enabled with the "Block" action in a Security Policy. To confirm, go to Monitor > Logs > Threat and look for "SSH2 Login Attempt" in the Threat log. The Threat ID is 31914.
Resolution
To resolve the issue, add an exception for Threat 31914:
1. Navigate to Objects > Security Profiles > Vulnerability Protection.
2. Add an exception to the Vulnerability Protection Profile by clicking on the Exceptions tab and entering "( id eq '31914' )".
3. Click the checkbox for "Show all signatures".
4. Once the threat is displayed, check the checkbox to enable the exception.
5. Commit the changes.
owner: ymiyashita
ymiyashita 06-18-2013 12:05 AM
10,015 Views
3 Replies