Management Articles

Issue

A VPN tunnel goes down and comes back up. A look at the global counters shows that the flow_fwd_zonechange counter is incrementing:

  > show counter global

Cause

The flow_fwd_zonechange counter indicates that the egress zone of a packet does not match the egress zone of the matching session. For this reason the packet is dropped and the flow_fwd_zonechange counter is incremented.

Scenario 1: Packets are dropped due to a route change

The flow_fwd_zonechange counter increments when a packet is to be forwarded, but the zone of the egress interface does not match the egress zone recorded in the session, because a route change occurred while the tunnel was not up. To verify that the global counter is incrementing for a specific flow, refer to the knowledge base article How to Check Global Counters for Specific Source and Destination IP Address.

In this scenario, the initial routing table is as follows:

  0.0.0.0/0, metric 10, untrust zone
  A tunnel route to 10.10.10.10/24 through 1.1.1.1, metric 5, tunnel zone

When the tunnel goes down, the tunnel route is removed from the table and the default route is used for the 10.10.10.10 network, in the untrust zone. When the tunnel comes back up, the firewall treats this as a zone change and drops the packets, incrementing the flow_fwd_zonechange counter.

Resolution 1

All sessions destined to the untrust zone for 10.10.10.10/24 need to be cleared and re-initiated. To avoid this zone change, create a dummy IP address (for example a loopback interface with IP address 5.5.5.5) in the tunnel zone, so that the routing table looks like this:

  0.0.0.0/0, metric 10, untrust zone
  A tunnel route to 10.10.10.10/24 through 1.1.1.1, metric 5, tunnel zone
  Another tunnel route to 10.10.10.10/24 through 5.5.5.5, metric 10, tunnel zone

This forces the traffic to use the metric 10 route in the same tunnel zone when the primary tunnel route fails, so no zone change occurs when the tunnel comes back up.

Scenario 2: Packets destined to exit out an ingress interface are dropped by the firewall with "flow_fwd_zonechange"

Resolution 2

In this case, the interface was configured with a /32 (host) mask instead of a /24 (network) mask. Make sure that the interface is configured as a /24, for example 10.10.10.1/24.

owner: pvemuri
pvemuri 10-23-2018 12:33 PM
Details

Commit warning message

The following warning displays during a commit if a block or allow list contains an entry using multiple wildcards:

  Warning: Nested wildcard(*) in URLs may severely impact performance. It is recommended to use a single wildcard to cover multiple tokens or a caret(^) to target a single token.

Reason for the warning message

The asterisk (*) character is used as a wildcard token in the FQDN and path for custom URL filtering. The Palo Alto Networks firewall accepts multiple wildcard tokens in the field (for example *.*.domain.com) and processes them appropriately. However, as the number of wildcard tokens increases, the load on the system CPU increases exponentially (for example *.*.*.domain.com, or even *.*.domain.com). Therefore, we recommend avoiding nested asterisks (*) in practice.

Wildcard usage and examples

"*" (asterisk): matches one or more subdomains. The asterisk wildcard does not respect the period (.) as a delimiter and continues matching until a subdomain, domain or top-level domain is matched. Example: sub1.*.*.com matches sub1.sub2.sub3.com, and *.*.sub3.com matches sub1.sub2.sub3.com. This should be avoided as a best practice, because nested asterisks create a performance impact on the device. Instead, use sub1.*.com or *.sub3.com; either also matches sub1.sub2.sub3.com.

"^" (caret): matches exactly one subdomain. The caret wildcard respects the period (.) as a delimiter and stops matching once one token has matched. Example: sub1.^.^.com and ^.^.sub3.com match sub1.sub2.sub3.com, while ^.sub3.com and sub1.^.com do not, since a caret matches only one subdomain.

Replacing "*" with "^"

If you'd like to replace "*" with "^", several patterns are required. For example, x.*.net is only partially covered by the following:

  x.^.net
  x.^.^.net
  x.^.^.^.net
  (continued...)

Nested carets have a practical limit of 9 carets, for the same dataplane (DP) resource usage reason given above.

Same limitation for the path

This limitation also applies to pattern matching on the path after the FQDN (i.e. http://<FQDN>/<path>), although the commit warning message above is not thrown for the path. The practical limit for nested asterisks in the path is 2, but we highly recommend using the minimum number of asterisks for better DP utilization (CPU load and memory usage).

Side note: currently there is a limitation that asterisk and caret should not be used in the same configuration. As mentioned above, an asterisk cannot be fully replaced with carets. Therefore, replacing nested asterisks with a single asterisk is practically the best solution for most customers. "1" nested asterisk in the path and "9" nested carets are the practical numbers we suggest. Please use the lowest number possible for better DP load (i.e. on lower platforms).
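As an added example (not code from the original article or from Palo Alto Networks), the following Python models the token-matching rules described above for "*" and "^" in the FQDN part of an entry, flags the nested-asterisk case that triggers the commit warning, and expands a single "*" into the caret patterns that only partially cover it. The function names are my own; nothing beyond the rules stated in the article is assumed about the firewall's matcher.

```python
"""Model of custom URL-category wildcard matching as described in the article.

Added example, not Palo Alto Networks code.  Rules modelled:
  "*" matches one or more dot-separated tokens (does not stop at ".")
  "^" matches exactly one token (stops at ".")
Literal tokens must match exactly (compared case-insensitively).
"""
from typing import List


def _tokens(name: str) -> List[str]:
    """Split an FQDN or pattern into its dot-separated tokens."""
    return [t for t in name.lower().split(".") if t]


def url_pattern_matches(pattern: str, fqdn: str) -> bool:
    """Return True if `fqdn` matches `pattern` under the * / ^ rules above."""
    p, h = _tokens(pattern), _tokens(fqdn)

    def match(pi: int, hi: int) -> bool:
        if pi == len(p):                       # pattern consumed: host must be too
            return hi == len(h)
        tok = p[pi]
        if tok == "^":                         # exactly one token
            return hi < len(h) and match(pi + 1, hi + 1)
        if tok == "*":                         # one or more tokens; try every run length
            return any(match(pi + 1, hj) for hj in range(hi + 1, len(h) + 1))
        return hi < len(h) and h[hi] == tok and match(pi + 1, hi + 1)

    return match(0, 0)


def nested_asterisks(pattern: str) -> int:
    """Number of '*' tokens; more than one is what the commit warning is about."""
    return _tokens(pattern).count("*")


def caret_expansion(pattern: str, max_carets: int = 9) -> List[str]:
    """Replace the single '*' in `pattern` with 1..max_carets '^' tokens.

    The article gives 9 as the practical limit for nested carets and notes the
    expansion only partially covers the asterisk: the list is bounded, '*' is not.
    """
    toks = _tokens(pattern)
    if toks.count("*") != 1:
        raise ValueError("expects exactly one '*' token")
    i = toks.index("*")
    return [".".join(toks[:i] + ["^"] * n + toks[i + 1:])
            for n in range(1, max_carets + 1)]


def check_entry(pattern: str) -> str:
    """Mimic the commit-time advice: warn on nested asterisks, otherwise OK."""
    if nested_asterisks(pattern) > 1:
        return "WARNING: nested wildcard(*) may severely impact performance"
    return "OK"


if __name__ == "__main__":
    host = "sub1.sub2.sub3.com"                # constructed sample host from the article
    for pat in ["sub1.*.*.com", "*.*.sub3.com", "sub1.*.com", "*.sub3.com",
                "sub1.^.^.com", "^.^.sub3.com", "^.sub3.com", "sub1.^.com"]:
        print(f"{pat:14s} matches {host}: {url_pattern_matches(pat, host)!s:5s} [{check_entry(pat)}]")
    print(caret_expansion("x.*.net", 3))
```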
sunright 10-23-2018 12:32 PM
Overview

The Palo Alto Networks device needs to be booted into maintenance mode, but a console cable is not available. This document describes how to use SSH to connect to a Palo Alto Networks device that has been booted into maintenance mode.

Steps

1. Prior to rebooting, run show system info and write down the management IP address and the device serial number (case sensitive).
2. Reboot your Palo Alto Networks device into maintenance mode with debug system maintenance-mode.
3. Open a terminal window (macOS) or another SSH client (for example PuTTY) and connect to the management IP.
   User: maint
   Password: the device serial number (case sensitive; any letters must be upper case)

The screenshot below shows an established SSH connection in maintenance mode.

owner: rvanderveken
rvanderveken 10-23-2018 12:32 PM
Issue

Sometimes when PAN-OS 7.0 or above is downloaded on a Palo Alto Networks firewall, the download may fail and display the following error: "Failed to download due to server error. Please try again later. Failed to download file".

Detail

Use the following CLI command to review the ms.log:

  > less mp-log ms.log

Look for an error message similar to:

  2014-07-18 16:20:15.701 -0600 Error: _pan_mgmtop_system_upgrade_download_version(pan_ops_common.c:9107): Failed to purge old uploaded files grep: /tmp/pan/downloadprogress.10999: No such file or directory

The following is the output of the CLI command > less mp-log ms.log:

Resolution

To resolve, follow the steps below:
1. In the WebGUI, go to Device > Software.
2. To check for the latest software version, click 'Check Now' in the lower left corner.
3. Go to the software version to download and click Download.
achalla 09-17-2018 09:31 AM
Overview

GlobalProtect clients are installed on Windows 7/8 machines. Following the install, there are multiple login tiles for the same user account. The issue is present regardless of whether the screen is locked, the account is logged off or the workstation is rebooted.

Issue

The issue was isolated to the workstation in question, which uses a Fingerprint Logon CP (Credential Provider). The end result in certain scenarios is duplicate SSO logon tiles, as seen above.

Resolution

Workarounds in this case are as follows:

Option 1: DISABLE the Fingerprint Logon CP, as the GP client will use its own built-in CP. The conflict is removed and the issue should no longer be present (though obviously customers may wish to keep this functionality).

Option 2: DISABLE our Logon CP, which should still allow full functionality of the GP client while allowing the use of the third-party Fingerprint CP. This workaround requires issuing the following commands via the CLI:
1. Via the command prompt, run: "c:\program files\Palo alto networks\globalprotect\PanGPUpdater.exe" -u
2. Restart the PC and verify whether duplicate login options are still present. If duplicate tiles are no longer present, proceed with step 3.
3. Via the command prompt, run: "c:\program files\Palo alto networks\globalprotect\PanGPUpdater.exe" -c
4. Log off (or restart) and verify whether duplicate login options have returned.

The desktop should now be restored to expected functionality without duplicate users.

Note: As of GP Client v1.2.x the previous utility (PanGPUpdater.exe) has been merged into the service process, hence the removal of this executable altogether. The workaround still stands but now references 'PanGPS.exe', i.e.:
1. Via the command prompt, run: "c:\program files\Palo alto networks\globalprotect\PanGPS.exe" -u
2. Restart the PC and verify whether duplicate login options are still present. If duplicate tiles are no longer present, proceed with step 3.
3. Via the command prompt, run: "c:\program files\Palo alto networks\globalprotect\PanGPS.exe" -c
4. Log off (or restart) and verify whether duplicate login options have returned.

owner: bryan
bryan 09-14-2018 12:21 PM
Overview

When configuring a Palo Alto Networks Next Generation Firewall, a certificate signed by a trusted public Certificate Authority (CA) may be desired on:
- Captive Portal ("CP") pages
- Response Pages
- GlobalProtect ("GP") Portal

Many public CAs use chained certificates, that is, certificates not signed by the Root CA itself but by one or more Intermediate CAs. These are usually owned and operated by the same CA, but give that CA flexibility and ease of revocation if a problem arises.

Steps

1. Requesting the certificate

Depending on which PAN-OS version is installed on the firewall, a private key and CSR may need to be generated with a third-party program such as OpenSSL. If using PAN-OS 5.0, refer to How to Generate a CSR (Certificate Signing Request) and Import the Signed Certificate.

2. Creating the combination certificate

When a certificate is not signed by the Root CA, the intermediate CAs should be sent to clients in case those clients do not already have the intermediate CAs in their trusted key store. To do that, build a combination certificate that consists of the signed certificate (CP, GP, and so on) followed by the intermediate CAs. The image below shows two, but the same process is valid for one intermediate CA or several.

To get each of these certificates:
- Open the "Server Cert" file sent by the CA. In Windows, the certificate dialog box has three tabs: General, Details, and Certification Path.
- Click Certification Path and click the certificate one step above the bottom.
- Open that certificate, click the Details tab, then Copy To File. Save the file as a Base-64 encoded X.509 (.CER) formatted certificate.
- Do the same for all certificates in the chain except the top (Root).
- Open each certificate .CER file in a plain-text editor (such as Notepad).
- Paste each certificate end-to-end, with the Server Cert on top and each signer below it.
- Save the file as a .TXT or .CER file. Note: the name of the file cannot contain spaces, as this may cause the import to fail.

3. Importing the certificate

Take the combined certificate and import it on the firewall. In PAN-OS 5.0 and above, the private key is on the firewall already. Follow these steps to import the certificate: How to Generate a CSR and Import the Signed CA Certificate.

Workaround

In the event that you cannot generate a new CSR but still need to export a certificate, try these steps:
- Export the current certificate from the firewall in PEM format, with the private key exported.
- Open the cert in a text editor.
- Separate the public key from the private key into two separate text files (being careful not to add any spaces).
- Save the private key text file and keep it aside.
- Edit the file containing the public key so that the public key is at the top and the intermediate CA is added below it, as in the URL shared above, and save the file.
- Delete the certificate already on the firewall.
- Import the private key with the edited certificate.

owner: gwesson
gwesson 08-30-2018 07:00 AM
Issue

When running the "show routing route" command, the routing table of the Palo Alto Networks firewall displays multiple entries for the same route (prefix and mask).

Details

This is expected behavior, because the Palo Alto Networks firewall routing scheme is designed to take the best route from each protocol and put them all into the routing table. The best route is then selected among them based on the Administrative Distance (AD) value of the routing protocol each route came from, and that route is marked with flag A, stating that it is the Active route.

For example:

  > show routing route
  flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
         Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2

  VIRTUAL ROUTER: default (id 1)
  ==========
  destination        nexthop          metric  flags  age    interface     next-AS
  ...
  10.175.0.0/16      10.175.59.1      10      A S           ethernet1/2
  10.175.0.0/16      192.168.200.99           ?B     92699                0

The route marked with the A flag is further installed into the RIB and FIB tables and used for traffic forwarding.

See Also: Understanding Route Redistribution and Filtering
djoksimovic 08-28-2018 10:38 AM
Explanation

To check which version of OpenSSH the Palo Alto Networks firewall (PAN-OS) is running, open a telnet session to the firewall's management interface on port 22, which simulates an SSH session. The firewall will close the session and reply with a connection status message that includes the OpenSSH version in use. Here is an example:

  dragoslav@dragoslav:~$ telnet 10.193.80.51 22
  Trying 10.193.80.51...
  Connected to 10.193.80.51.
  Escape character is '^]'.
  SSH-2.0-OpenSSH_11.1
  Connection closed by foreign host.

In this example, the Palo Alto Networks firewall is using OpenSSH version 11.1.
djoksimovic 08-28-2018 10:36 AM
Issue

The Palo Alto Networks firewall currently doesn't have SNMP OIDs to monitor IPSec tunnel status, so network management systems cannot rely on the SNMP protocol to receive notifications when an IPSec tunnel on the firewall changes its status.

Workaround

Perform the following workaround on the Palo Alto Networks firewall:
1. Configure and enable the IPSec Tunnel Monitor feature for the desired IPSec tunnel (https://live.paloaltonetworks.com/docs/DOC-1323).
2. Configure a Syslog server profile to send syslog messages to the desired Syslog server (https://live.paloaltonetworks.com/docs/DOC-3837).
3. Go to Device > Log Setting > System to send logs to the previously created Syslog server.

When the tunnel monitor fails, the firewall generates the following message in the system log:

  Time                 Severity  Subtype  Object         EventID  ID  Description
  ===============================================================================
  2015/03/15 13:24:34  low       vpn      <object name>  tunnel-  0   Tunnel <tunnel name> is down

The Syslog server receives a "tunnel down" message. After the IPSec tunnel is brought up, the tunnel interface also goes up and a new message "tunnel is UP" is generated in the system logs. That newly generated log is then sent to the Syslog server.
djoksimovic 08-28-2018 10:35 AM
Details

A question mark next to a route in the routing table symbolizes a "loose" flag.

This flag is often used for routes coming from the BGP protocol, because the next-hop attribute is not changed among iBGP neighbors, so the routed process must do a reverse routing lookup to determine the real next-hop IP of the given route.

See this example:

  > show routing route
  flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
         Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2

  VIRTUAL ROUTER: default (id 1)
  ==========
  destination        nexthop          metric  flags  age    interface     next-AS
  ...
  10.10.0.0/16       192.168.200.99           ?B     92699                0
  10.150.0.0/17      10.150.59.1      10      A S           ethernet1/2

owner: djoksimovic
djoksimovic 08-28-2018 10:35 AM
Issue

- The WebGUI is sluggish or unresponsive
- Admins are shown as logged in who have already logged out
- An authorization code has been entered but the license is not activated or updated
- Logs are not showing up inside the WebGUI
- The CLI command > show system resources shows the mgmtsrvr process using excessive memory

Resolution

To resolve these issues, it is recommended that you restart the Management server process. Use the following steps:

Enter the CLI command:

  PAN-OS 6.1:
  > debug software restart management-server

  PAN-OS 7.0 and above:
  > debug software restart process management-server

Note: This restarts the 'mgmtsrvr' process. If there are any logged-in admins when this happens, they will be kicked from the WebGUI as well as the CLI. After a couple of minutes, log into the WebGUI or CLI again.

To check on the Management server process, run the CLI command:

  > show system resources | match mgmtsrvr

This should show it using far less memory than before, and the WebGUI should now function correctly.

  > show system resources | match mgmt
  2140       20   0  708m 484m 9828 S    2 12.9   8:13.06 mgmtsrvr

owner: jdavis
panagent 08-22-2018 03:35 AM
To download software: log in to the Support Portal and click the Software Updates link.

To receive notifications when this document is updated, see Email Notifications for Subscribed Activities.

  Version   Release Date
  7.1.1     31-Jul-18
  7.1.18    12-Jun-18
  7.1.17    24-Apr-18
  7.1.16    8-Mar-18
  7.1.15    17-Jan-18
  7.1.14    27-Nov-17
  7.1.13    12-Oct-17
  7.1.12    30-Aug-17
  7.1.11    6-Jul-17
  7.1.10    22-May-17
  7.1.9     10-Apr-17
  7.1.8     20-Feb-17
  7.1.7     3-Jan-17
  7.1.6     17-Nov-16
  7.1.5     3-Oct-16
  7.1.4-h2  22-Aug-16
  7.1.4     15-Aug-16
  7.1.3     29-Jun-16
  7.1.2     16-May-16
  7.1.1     18-Apr-16
  7.1.0     4-Apr-16
07-31-2018 02:06 PM
Where does the space go? A log collector is deployed with four 1TB disk pairs. The GUI reports 3.23 TB of total space that can be allocated via quota. Various CLI commands show different values from the GUI. What is going on here? How much space do you actually have for logs?
cstancill 07-30-2018 12:14 PM
This article is to assist anyone who would like to restrict SNMP v3 access to Palo Alto Networks OIDs only.

See the link below and refer to "panSys" for information on Palo Alto Networks OIDs: http://www.oidview.com/mibs/25461/PAN-COMMON-MIB.html

Below are the steps, and how we calculate the mask value for the OID.

In the WebUI go to Device > Setup > Operations > Misc > SNMP Setup and, under Views, click Add.

Inside the Views window you can add one or more Views to define what portion of the MIB tree is accessible. Click Add at the bottom to define a new view name, the OID that should be accessible, and the mask. Each entry defines a portion of the MIB to include or exclude for the user. Click OK when done.

How the mask is calculated

The mask is a bitwise mask defining which nodes of the OID must match. For example, if the OID is 1.3.6.1 and the mask is 0xf0, then the first 4 nodes (f = 1111) must match and the remaining nodes do not need to match. So 1.3.6.1.2 would match and 1.4.6.1.2 would not. If you would like to have all OIDs (the full MIB tree, .1), configure the OID as .1 and the mask as 0x80 (which is 1000 0000, meaning that only the first node, .1, must match).

In our case we are calculating the mask value for the OID 1.3.6.1.4.1.25461.2.1.2.1, so the mask should be 0xFFE. How we arrive at this value:

  1.3.6.1.4.1.25461.2.1.2.1   =====>>> MIB (11 nodes)
  1 1 1 1 1 1 1 1 1 1 1       =====>>> Binary (one bit per node)
  FFE                         =====>>> HEX

which is 1111 1111 1110 = 0xFFE in hex.
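As an added example (my own code, not the article's or Palo Alto Networks'), the following Python derives the view mask for an OID the way the article does it by hand and then applies an OID/mask pair the way a view does, so the 0xf0, 0x80 and 0xFFE cases above can be checked. The padding choice and the rule for mask bits beyond the mask length follow the standard SNMP VACM view-family convention; the function names are my own.

```python
"""SNMPv3 view-mask helpers for the OID/mask rules described in the article.

Added example, not Palo Alto Networks code.  One mask bit per OID node, most
significant bit first: 1 = the node must match, 0 = the node is a wildcard.
"""
from typing import List


def _nodes(oid: str) -> List[str]:
    """Split '1.3.6.1' or '.1' into its nodes, ignoring a leading dot."""
    return [n for n in oid.strip().split(".") if n]


def view_mask_for_oid(oid: str, pad_bits: int = 4) -> str:
    """Hex mask requiring every node of `oid` to match.

    The bit string is zero-padded to a multiple of `pad_bits` (must itself be a
    multiple of 4).  pad_bits=4 reproduces the article's 0xFFE for the 11-node
    OID; pad_bits=8 reproduces 0xF0 for 1.3.6.1 and 0x80 for .1.  The trailing
    zero bits are wildcard positions, so both paddings describe the same view.
    """
    if pad_bits % 4:
        raise ValueError("pad_bits must be a multiple of 4")
    count = len(_nodes(oid))
    if count == 0:
        raise ValueError("OID has no nodes")
    bits = "1" * count
    bits += "0" * (-len(bits) % pad_bits)
    return "0x" + format(int(bits, 2), "0{}X".format(len(bits) // 4))


def _mask_bits(mask_hex: str) -> str:
    """Binary string for a hex mask, one character per OID position."""
    digits = mask_hex.strip().lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    return format(int(digits, 16), "0{}b".format(len(digits) * 4))


def oid_in_view(oid: str, view_oid: str, mask_hex: str) -> bool:
    """Does `oid` fall inside the view defined by (view_oid, mask)?

    Position i of the candidate is compared with the view OID only where mask
    bit i is 1.  Positions beyond the end of the mask are treated as 1 (must
    match), the SNMP VACM convention.  The candidate must be at least as long
    as the view OID; anything deeper in the subtree is included.
    """
    want, have, bits = _nodes(view_oid), _nodes(oid), _mask_bits(mask_hex)
    if len(have) < len(want):
        return False
    for i, node in enumerate(want):
        must_match = bits[i] == "1" if i < len(bits) else True
        if must_match and have[i] != node:
            return False
    return True


if __name__ == "__main__":
    view = "1.3.6.1.4.1.25461.2.1.2.1"           # the OID worked through in the article
    mask = view_mask_for_oid(view)
    print(view, "->", mask)                      # 0xFFE
    print("1.3.6.1 ->", view_mask_for_oid("1.3.6.1", 8))   # 0xF0
    print(".1 ->", view_mask_for_oid(".1", 8))             # 0x80
    # constructed probe OIDs: one under the view, one from the standard MIB-2 tree
    for probe in ("1.3.6.1.4.1.25461.2.1.2.1.1.0", "1.3.6.1.2.1.1.1.0"):
        print(probe, "in view:", oid_in_view(probe, view, mask))
```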
07-30-2018 12:09 PM
Overview

When using the User-ID Agent to identify users on the network, there is a way to ignore certain users. Generally this is used for service accounts, but any desired username can be entered.

Steps

1. Stop the User-ID service.
2. Modify or create the file ignore_user_list.txt in the directory where the User-ID Agent is installed. This file contains all the users to be ignored, one username per line.
   Note: It is sometimes required to have two entries for each username, the plain username and the username with the NetBIOS name:
     user1
     mydomain\user1
3. Start the User-ID service.

Starting from PAN-OS 7.1, the ignore user list can also be configured for Agentless User-ID through the WebUI.

See also: How to Add/Delete Users from Ignore User List using Agentless User-ID

owner: sspringer
sspringer 07-20-2018 09:45 AM
Issue

In WF-500 deployments running version 7.1.x or earlier, the Palo Alto Networks firewall first establishes a TCP port 443 connection to the WF-500. The WildFire appliance provides "<WF500-IP>:10443" as its server list, and the firewall then connects to WildFire on TCP port 10443, which is used to forward files and fetch reports. When the WildFire appliance is configured with a host name, it instead sends <WF_Hostname:10443> to the firewall. If the firewall's DNS cannot resolve this hostname, registration fails and no files are forwarded to the WF-500 appliance.

Starting from PAN-OS 8.0, TCP 443 is used for all connections (10443 is no longer communicated as a 'go-to'). Firewalls will still use 10443 to fetch signatures.

Resolution

Either configure the host name such that it is resolvable by the firewall's DNS, or delete the host name using the following CLI commands:

  admin@WF-500# delete deviceconfig system hostname
  admin@WF-500# commit

owner: ssharma
ssharma 07-13-2018 12:09 AM
Panorama Management and Logging Overview

The Panorama solution is comprised of two overall functions: Device Management and Log Collection/Reporting. A brief overview of these two main functions follows:

Device Management: This includes activities such as configuration management and deployment, and deployment of PAN-OS and content updates.

Log Collection: This includes collecting logs from one or multiple firewalls, either to a single Panorama or to a distributed log collection infrastructure. In addition to collecting logs from deployed firewalls, reports can be generated based on that log data, whether it resides locally on the Panorama (e.g. a single M-series or VM appliance) or on a distributed logging infrastructure.

The Panorama solution allows for flexibility in design by assigning these functions to different physical pieces of the management infrastructure. For example, device management may be performed from a VM Panorama, while the firewalls forward their logs to co-located dedicated log collectors.

In the example above, the device management and reporting functions are performed on a VM Panorama appliance. There are three log collector groups. Group A contains two log collectors and receives logs from three standalone firewalls. Group B consists of a single collector and receives logs from a pair of firewalls in an Active/Passive high availability (HA) configuration. Group C also contains two log collectors and receives logs from two HA pairs of firewalls. The number of log collectors in any given location depends on a number of factors; the design considerations are covered below. Note: any platform can be a dedicated manager, but only M-Series can be a dedicated log collector.

Log Collection

Managed Devices

While all current Panorama platforms have an upper limit of 1000 devices for management purposes, it is important for Panorama sizing to understand what the incoming log rate will be from all managed devices.
To start with, take an inventory of the total firewall appliances that will be managed by Panorama. Use the following spreadsheet to take an inventory of your devices that need to store logs:

  MODEL     PAN-OS (Major Branch #)  Location              Measured Average Log Rate
  Ex: 5060  Ex: 6.1.0                Ex: Main Data Center  Ex: 2500 logs/s

Logging Requirements

This section covers the information needed to properly size and deploy Panorama logging infrastructure to support customer requirements. There are three main factors when determining the amount of total storage required and how to allocate that storage via Distributed Log Collectors. These factors are:

- Log Ingestion Requirements: the total number of logs that will be sent per second to the Panorama infrastructure.
- Log Storage Requirements: the timeframe for which the customer needs to retain logs on the management platform. There are different driving factors for this, including both policy-based and regulatory compliance motivators.
- Device Location: the physical location of the firewalls can drive the decision to place DLC appliances at remote locations, based on WAN bandwidth etc.

Each of these factors is discussed in the sections below.

Log Ingestion Requirements

The aggregate log forwarding rate for managed devices needs to be understood in order to avoid a design where more logs are regularly being sent to Panorama than it can receive, process, and write to disk. The table below outlines the maximum number of logs per second that each hardware platform can forward to Panorama, and can be used when designing a solution to calculate the maximum number of logs that can be forwarded to Panorama in the customer environment.
Device Log Forwarding

  Platform           Supported Logs per Second (LPS)
  PA-200             250
  PA-220             1,200
  PA-500             625
  PA-820/850         10,000
  PA-3000 series     10,000
  PA-3220            7,000
  PA-3250            15,000
  PA-3260            24,000
  PA-5050/60         10,000
  PA-5220            30,000
  PA-5250            55,000
  PA-5260            To Be Tested
  PA-7050/7080       70,000
  VM-50              1,250
  VM-100/200         2,500
  VM-300/1000-HV     8,000
  VM-500             8,000
  VM-700             10,000

The log ingestion rate on Panorama is influenced by the platform and mode in use (mixed mode versus logger mode). The table below shows the ingestion rates for Panorama on the different available platforms and modes of operation. The numbers in parentheses next to VM denote the number of CPUs and gigabytes of RAM assigned to the VM.

Panorama Log Ingestion

  Platform    Mixed    Dedicated
  VM (8/16)   10,000   18,000
  M-200       10,000   28,000
  M-500       15,000   30,000
  M-600       25,000   50,000

The above numbers are all maximum values. In live deployments, the actual log rate is generally some fraction of the supported maximum. Determining the actual log rate is heavily dependent on the customer's traffic mix and isn't necessarily tied to throughput. For example, a single offloaded SMB session will show high throughput but only generate one traffic log. Conversely, you can have a smaller throughput comprised of thousands of UDP DNS queries that each generate a separate traffic log. For sizing, a rough correlation can be drawn between connections per second and logs per second.

Methods for Determining Log Rate

New Customer:
- Leverage information from existing customer sources. Many customers have a third-party logging solution in place such as Splunk, ArcSight, QRadar, etc. The number of logs sent from their existing firewall solution can be pulled from those systems. When using this method, get a log count from the third-party solution for a full day and divide by 86,400 (the number of seconds in a day). Do this for several days to get an average. Be sure to include both business and non-business days, as there is usually a large variance in log rate between the two.
- Use data from an evaluation device. This information can provide a very useful starting point for sizing purposes and, with input from the customer, data can be extrapolated for other sites in the same design. This method has the advantage of yielding an average over several days. A script (with instructions) to assist with calculating this information is attached to this document. To use it, download the file named "ts_lps.zip", unpack the zip file and reference the README.txt for instructions.
- If no information is available, use the Device Log Forwarding table above as a reference point. This will be the least accurate method for any particular customer.

Existing Customer:

For existing customers, we can leverage data gathered from their existing firewalls and log collectors:
- To check the log rate of a single firewall, download the attached file named "Device.zip", unpack the zip file and reference the README.txt file for instructions. This package will query a single firewall over a specified period of time (you can choose how many samples) and give an average number of logs per second for that period. At minimum this script should be run for 24 consecutive hours on a business day. Running the script for a full week will help capture the cyclical ebb and flow of the network. If the customer does not have a log collector, this process will need to be run against each firewall in the environment.
- If the customer has a log collector (or log collectors), download the attached file named "lc_lps.zip", unpack the zip file and reference the README.txt file for instructions. This package will query the log collector MIB to take a sample of the incoming log rate over a specified period.

Log Storage Requirements

Factors Affecting Log Storage Requirements

There are several factors that drive log storage requirements.
Most of these requirements are regulatory in nature. Customers may need to meet compliance requirements for HIPAA, PCI, or Sarbanes-Oxley:
- PCI DSS requirement 10.7
- Sarbanes-Oxley Act, Section 802
- HIPAA § 164.316(b)(2)(i)

There are other governmental and industry standards that may need to be considered. Additionally, some companies have internal requirements, for example that a certain number of days' worth of logs be maintained on the original management platform. Ensure that all of these requirements are addressed with the customer when designing a log storage solution.

The focus is on the minimum number of days' worth of logs that needs to be stored. If there is a maximum number of days required (due to regulation or policy), you can set the maximum number of days to keep logs in the quota configuration.

Calculating Required Storage

Calculating required storage space based on a given customer's requirements is a fairly straightforward process, but can be labor intensive when achieving higher degrees of accuracy. With PAN-OS 8.0, the aggregated size of all log types is 500 bytes. This number accounts for both the logs themselves and the associated indices. The Threat database is the data source for Threat logs as well as URL, WildFire Submissions, and Data Filtering logs.

Note that we may not be the logging solution for long-term archival. In these cases, suggest syslog forwarding for archival purposes.

The equation to determine the storage requirements for a particular log type is:

Example: a customer wants to be able to keep 30 days' worth of traffic logs with a log rate of 1500 logs per second:

The result of the above calculation accounts for detailed logs only. With default quota settings, 60% of the available storage is reserved for detailed logs. This means that the calculated number represents 60% of the total storage that will need to be purchased.
To calculate the total storage required, divide this number by 0.60.

Default log quotas for Panorama 8.0 and later are as follows:

  Log Type                          % Storage
  Detailed Firewall Logs            60
  Summary Firewall Logs             30
  Infrastructure and Audit Logs     5
  Palo Alto Networks Platform Logs  .1
  3rd Party External Logs           .1

The attached worksheet takes into account the default quota on Panorama and provides a total amount of storage required.

Calculating Required Storage For Logging Service

There are three different cases for sizing log collection using the Logging Service. For in-depth sizing guidance, refer to Sizing Storage For The Logging Service.
- Log collection for Palo Alto Networks Next Generation Firewalls
- Log collection for GlobalProtect Cloud Service Mobile User
- Log collection for GlobalProtect Cloud Service Remote Office

Log Collection for Palo Alto Networks Next Generation Firewalls

The log sizing methodology for firewalls logging to the Logging Service is the same as when sizing for on-premise log collectors. The only difference is the size of the log on disk: in the Logging Service, both threat and traffic logs can be calculated using a size of 1500 bytes.

Log Collection for GlobalProtect Cloud Service Mobile User

Per-user log generation depends heavily on both the type of user and the workloads being executed in that environment. On average, 1TB of storage on the Logging Service provides 30 days of retention for 5000 users. An advantage of the Logging Service is that adding storage is much simpler than in a traditional on-premise distributed collection environment. This means that if your environment is significantly busier than average, it is a simple matter to add whatever storage is necessary to meet your retention requirements.

Log Collection for GlobalProtect Cloud Service Remote Office

GlobalProtect Cloud Service (GPCS) for remote offices is sold based on bandwidth.
While log rate is largely driven by connection rate and traffic mix, in sample enterprise environments log generation occurs at a rate of approximately 1.5 logs per second per megabit of throughput. The attached sizing work sheet uses this rate and takes into account busy/off hours in order to provide an estimated average log rate.           LogDB Storage Quotas   Storage quotas were simplified starting in PAN-OS version 8.0. Detail and summary logs each have their own quota,  regardless of type (traffic/threat):   Log Type Quota (%) Detailed Firewall Logs 60 Summary Firewall Logs 30 Infrastructure and Audit Logs 5 Palo Alto Networks Platform Logs .1 3rd Party External Logs .1 Total 95.2       Device Location The last design consideration for logging infrastructure is location of the firewalls relative to the Panorama platform they are logging to. If the device is separated from Panorama by a low speed network segment (e.g. T1/E1), it is recommended to place a Dedicated Log Collector (DLC) on site with the firewall. This allows log forwarding to be confined to the higher speed LAN segment while allowing Panorama to query the log collector when needed. For reference, the following tables shows bandwidth usage for log forwarding at different log rates. This includes both logs sent to Panorama and the acknowledgement from Panorama to the firewall. Note that for both the 7000 series and 5200 series, logs are compressed during transmission.           Log Forwarding Bandwidth Log Rate (LPS)  Bandwidth Used 1300 8 Mbps 8000 56 Mbps 10000 64 Mbps 16000 52.8 - 140.8 Mbps (96.8)      Log Forwarding Bandwidth - 7000 and 5200 Series Log Rate (LPS)  Bandwidth Used 1300 .6 Mbps 8000 4 Mbps 10000 4.5 Mbps 16000 5 - 10 Mbps           Device Management There are several factors to consider when choosing a platform for a Panorama deployment. Initial factors include: Number of concurrent administrators need to be supported? 
Does the Customer have VMWare virtualization infrastructure that the security team has access to? Does the customer require dual power supplies? What is the estimated configuration size? Will the device handle log collection as well?   Panorama Virtual Appliance This platform operates as a virtual M-100 and shares the same log ingestion rate. Adding additional resources will allow the virtual Panorama appliance to scale both it's ingestion rate as well as management capabilities. The minimum requirements for a Panorama virtual appliance running 8.0 is 8 vCPUs and 16GB vRAM.           When to choose Virtual Appliance? The customer has large VMWare Infrastructure that the security has access to Customer is using dedicated log collectors and are not in mixed mode When not to choose Virtual Appliance? Server team and Security team are separate and do not want to share Customer has no virtual infrastructure   M-100 Hardware Platform This platform has dedicated hardware and can handle up to concurrent 15 administrators. When in mixed mode, is capable of ingesting 10,000 - 15,000 logs per second. When to choose M-100? The customer needs a dedicated platform, but is very price sensitive Customer is using dedicated log collectors and are not in mixed mode but do not have VM infrastructure When not to choose M-100? If dual power supplies are required Mixed mode with more than 10k log/s or more than 8TB required for log retention Has more than 15 concurrent admins   M-500 Hardware Platform This platform has the highest log ingestion rate, even when in mixed mode. The higher resource availability will handle larger configurations and more concurrent administrators (15-30). Offers dual power supplies, and has a strong growth roadmap. When to choose M-500? 
The customer needs a dedicated platform, and has a large or growing deployment Customer is using dual mode with more than 10k log/s Customer want to future proof their investments Customer needs a dedicated appliance but has more than 15 concurrent admins Requires dual power supplies When not to choose M-500? If the customer has VM first environment and does not need more than 48 TB of log storage The customer is very price sensitive   High Availability This section will address design considerations when planning for a high availability deployment. Panorama high availability is Active/Passive only and both appliances need to be fully licensed. There are two aspects to high availability when deploying the Panorama solution. These aspects are Device Management and Logging. The two aspects are closely related, but each has specific design and configuration requirements.   Device Management HA: The ability to retain device management capabilities upon the loss of a Panorama device (either an M-series or virtual appliance). Logging HA or Log Redundancy: The ability to retain firewall logs upon the loss of a Panorama device (M-series only).   Device Management HA When deploying the Panorama solution in a high availability design, many customers choose to place HA peers in separate physical locations. From a design perspective, there are two factors to consider when deploying a pair of Panorama appliances in a High Availability configuration. These concerns are network latency and throughput.   Network Latency The latency of intervening network segments affects the control traffic between the HA members. HA related timers can be adjusted to the need of the customer deployment. The maximum recommended value is 1000 ms. Preemption Hold Time: If the Preemptive option is enabled, the Preemption Hold Time is the amount of time the passive device will wait before taking the active role. 
In this case, both devices are up, and the timer applies to the device with the "Primary" priority. Promotion Hold Time: The promotion hold timer specifies the interval that the Secondary device will wait before assuming the active rote. In this case, there has been a failure of the primary device and this timer applies to the Secondary device. Hello Interval: This timer defines the number of milliseconds between Hello packets to the peer device. Hello packets are used to verify that the peer device is operational. Heartbeat Interval: This timer defines the number of milliseconds between ICMP messages sent to the peer. Heartbeat packets are used to verify that the peer device is reachable. Relation between network latency and Heartbeat interval Because the heartbeat is used to determine reachability of the HA peer, the Heartbeat interval should be set higher than the latency of the link between the HA members.   HA Timer Presets While customers can set their HA timers specifically to suit their environment, Panorama also has two sets of preconfigured timers that the customer can use. These presets cover a majority of customer deployments   Recommended: Timer Setting Preemption Hold TIme 1 Hello Interval 8000 Heartbeat Interval 2000 Monitor Fail Hold Up Time 0 Additional Master Hold Up Time 7000   Aggressive: Timer Setting      Preemption Hold TIme 500 Hello Interval 8000 Heartbeat Interval 1000 Monitor Fail Hold Up Time 0 Additional Master Hold Up Time  5000     Configuration Sync                                                                              HA Sync Process     The HA sync process occurs on Panorama when a change is made to the configuration on one of the members in the HA pair. When a change is made and committed on the Active-Primary, it will send a send a message to the Active-Secondary that the configuration needs to be synchronized. The Active-Secondary will send back an acknowledgement that it is ready. 
The Active-Primary will then send the configuration to the Active-Secondary. The Active-Secondary will merge the configuration sent by the Active-Primary and enqueue a job to commit the changes. This process must complete within three minutes of the HA-Sync message being sent from the Active-Primary Panorama. The main concern is size of the configuration being sent and the effective throughput of the network segment(s) that separate the HA members.     Log Availability The other piece of the Panorama High Availability solution is providing availability of logs in the event of a hardware failure. There are two methods for achieving this when using a log collector infrastructure (either dedicated or in mixed mode).   Log Redundancy PAN-OS 7.0 and later include an explicit option to write each log to 2 log collectors in the log collector group. By enabling this option, a device sends it's log to it's primary log collector, which then replicates the log to another collector in the same group:     Log duplication ensures that there are two copies of any given log in the log collector group. This is a good option for customers who need to guarantee log availability at all times. Things to consider:   1. The replication only takes place within a log collector group. 2. The overall available storage space is halved (because each log is written twice). 3. Overall Log ingestion rate will be reduced by up to 50%.    Log Buffering Firewalls require an acknowledgement from the Panorama platform that they are forwarding logs to. This means that in the event that the firewall's primary log collector becomes unavailable, the logs will be buffered and sent when the collector comes back online. There are two methods to buffer logs. 
The first method is to configure separate log collector groups for each log collector:         In this situation, if Log Collector 1 goes down, Firewall A & Firewall B will each store their logs on their own local log partition until the collector is brought back up. The local log partition for current firewall models are:   Model Log Partition Size (GB)  PA-200 2.4 PA-220 32 PA-800 Series 172 PA-3000 Series    90 PA-3200 Series 125 PA-5000 Series 88 PA-5200 Series 1800   The second method is to place multiple log collectors into a group. In this scenario, the firewall can be configured with a priority list so if the primary log collector goes down, the second collector on the list will buffer the logs until all of the collectors in the group know that the primary collector is down at which time, new logs will stop being assigned to the down collector.   In the architecture shown below, Firewall A & Firewall B are configured to send their logs to Log Collector 1 primarily, with Log Collector 2 as a backup. If Log Collector 1 becomes unreachable, the devices will send their logs to Log Collector 2. Collector 2 will buffer logs that are to be stored on Collector 1 until it can pull Collector 1 out of the rotation.     Considerations for Log Collector Group design   There are three primary reasons for configuring log collectors in a group:   Greater log retention is required for a specific firewall (or set of firewalls) than can be provided by a single log collector (to scale retention). Greater ingestion capacity is required for a specific firewall than can be provided by a single log collector (to scale ingestion). Requirement for log redundancy.   When considering the use of log collector groups there are a couple of considerations that need to be addressed at the design stage:   Spread ingestion accross the available collectors: Multiple device forwarding preference lists can be created. 
This allows ingestion to be handled by multiple collectors in the collector group. For example, preference list 1 will have half of the firewalls and list collector 1 as the primary and collector 2 as the secondary. Preference list 2 will have the remainder of the firewalls and list collector 2 as the primary and collector 1 as the secondary. Latency matters: Network latency between collectors in a log collector group is an important factor in performance. A general design guideline is to keep all collectors that are members of the same group close together. The following table provides an idea of what you can expect at different latancy measurements with redundancy enabled and disabled. In this case, 'Log Delay' is the undesired result of high latency - logs don't show up in the UI until well after they are sent to Panorama.     Inter LC Latency (ms) Log Rate Redundancy enabled Log Delay 50 10K No No 100 5K No No 100 10K No Yes 50 5K Yes No 50 10K Yes Yes 100 5K Yes No 150 3K Yes No 150 5K Yes Yes        Using The Sizing Worksheet      The information that you will need includes desired retention period and average log rate.     Retention Period: Number of days that logs need to be kept. Average Log Rate: The measured or estimated aggregate log rate. Redundancy Required: Check this box if the log redundancy is required. Storage for Detailed Logs: The amount of storage (in Gigabytes) required to meet the retention period for detailed logs. Total Storage Required: The storage (in Gigabytes) to be purchased. This accounts for all logs types at the defualt quota settings.     Example Use Cases                                                        
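The sizing method described above (log rate x seconds per day x retention days x bytes per log, scaled by the 60% detailed-log quota, doubled for log redundancy), carried through in code as an added example; this is not the attached worksheet or any Palo Alto Networks code. It assumes "gigabyte" means 10**9 bytes, and the busy/off-hour weighting in the GPCS function (10 busy hours per day, off hours at 25% of the busy rate) is an assumed illustration rather than a figure from the article.

```python
"""Panorama log storage sizing, added example (not the attached worksheet)."""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
GB = 10**9  # assumption: the worksheet's "gigabytes" are taken as 10**9 bytes

# Per-log sizes on disk from the article: 500 B aggregated on Panorama 8.0
# (log plus indices); 1500 B per threat/traffic log in the Logging Service.
PANORAMA_BYTES_PER_LOG = 500
LOGGING_SERVICE_BYTES_PER_LOG = 1500

# Default Panorama 8.0 log quotas (% of storage), from the article's table.
DEFAULT_QUOTAS = {
    "Detailed Firewall Logs": 60.0,
    "Summary Firewall Logs": 30.0,
    "Infrastructure and Audit Logs": 5.0,
    "Palo Alto Networks Platform Logs": 0.1,
    "3rd Party External Logs": 0.1,
}
DETAILED_QUOTA_PCT = DEFAULT_QUOTAS["Detailed Firewall Logs"]

# GPCS remote office rule of thumb from the article: ~1.5 logs/s per Mbit.
GPCS_LOGS_PER_SEC_PER_MBIT = 1.5


@dataclass
class SizingResult:
    """Worksheet outputs: storage for detailed logs and total storage to buy."""
    detailed_gb: float
    total_gb: float
    redundancy: bool


def detailed_storage_gb(log_rate, retention_days, bytes_per_log=PANORAMA_BYTES_PER_LOG):
    """Detailed-log storage: logs/s x seconds/day x days x bytes/log, in GB."""
    return log_rate * SECONDS_PER_DAY * retention_days * bytes_per_log / GB


def size_storage(log_rate, retention_days, redundancy=False,
                 bytes_per_log=PANORAMA_BYTES_PER_LOG,
                 detailed_quota_pct=DETAILED_QUOTA_PCT):
    """Total storage to purchase. Detailed logs only get the detailed quota
    (60% by default), so the detailed figure is scaled up by 100/quota.
    Log redundancy writes every log to two collectors, halving usable space,
    so the requirement doubles when it is enabled."""
    detailed = detailed_storage_gb(log_rate, retention_days, bytes_per_log)
    total = detailed * 100.0 / detailed_quota_pct
    if redundancy:
        total *= 2
    return SizingResult(detailed_gb=detailed, total_gb=total, redundancy=redundancy)


def quota_breakdown_gb(total_gb, quotas=DEFAULT_QUOTAS):
    """How purchased storage is allocated under the quota table (95.2% in total)."""
    return {name: total_gb * pct / 100.0 for name, pct in quotas.items()}


def retention_days(available_gb, log_rate, redundancy=False,
                   bytes_per_log=PANORAMA_BYTES_PER_LOG,
                   detailed_quota_pct=DETAILED_QUOTA_PCT):
    """Inverse calculation: days of detailed logs a given capacity will hold
    (useful for checking an existing collector against a retention mandate)."""
    usable = available_gb / 2.0 if redundancy else available_gb
    detailed_capacity_bytes = usable * detailed_quota_pct / 100.0 * GB
    return detailed_capacity_bytes / (log_rate * SECONDS_PER_DAY * bytes_per_log)


def gpcs_average_log_rate(bandwidth_mbps, busy_hours_per_day=10, off_hours_factor=0.25):
    """Estimated average log rate for a GPCS remote office sold by bandwidth.
    Busy hours run at 1.5 logs/s per Mbit; off hours at an assumed fraction of
    that rate. The 10 busy hours and the 0.25 factor are assumptions for
    illustration, not figures from the article."""
    busy_rate = bandwidth_mbps * GPCS_LOGS_PER_SEC_PER_MBIT
    busy_fraction = busy_hours_per_day / 24.0
    return busy_rate * (busy_fraction + off_hours_factor * (1.0 - busy_fraction))


if __name__ == "__main__":
    # The article's example: 30 days of traffic logs at 1500 logs per second.
    result = size_storage(log_rate=1500, retention_days=30)
    print(f"Detailed logs: {result.detailed_gb:.0f} GB")      # 1944 GB
    print(f"Total to purchase: {result.total_gb:.0f} GB")      # 3240 GB
    for name, gb in quota_breakdown_gb(result.total_gb).items():
        print(f"  {name:<34} {gb:8.1f} GB")
    with_redundancy = size_storage(1500, 30, redundancy=True)
    print(f"With log redundancy: {with_redundancy.total_gb:.0f} GB")  # 6480 GB
    # Same firewalls logging to the Logging Service (1500 B per log).
    ls_gb = detailed_storage_gb(1500, 30, LOGGING_SERVICE_BYTES_PER_LOG)
    print(f"Logging Service, detailed logs: {ls_gb:.0f} GB")   # 5832 GB
    print(f"GPCS office at 100 Mbps: ~{gpcs_average_log_rate(100):.1f} logs/s average")
```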
cstancill 07-12-2018 03:14 PM
93,122 Views
9 Replies
10 Likes
How to Register and Activate Eval Panorama Software

The following procedure walks you through the steps to license, download, and install the Panorama management software.

STEP 1 | Register the Panorama Serial #
1. Log in to the Customer Support Portal (https://support.paloaltonetworks.com) and select Assets > Devices > Register New Device.
2. In the Device Type window, select Register device using Serial Number or Authorization Code and click Submit.
3. To activate the Panorama software, enter the Serial Number you received in the "Request for Software Evaluation Approved" email and click Agree and Submit.
4. After successful registration, your Assets screen should display the newly registered and activated Eval Panorama.

STEP 2 | Download the Panorama software
1. In the navigation menu, click Updates > Software Updates.
2. Click the Filter By: drop-down menu and select Panorama Base Images.
3. Locate the most recent base image that will be used for your environment and click the corresponding download link.

STEP 3 | Install the Panorama software
For detailed instructions on installing and configuring the Panorama software, go to PANW Tech Docs: Panorama Admin Guide: Set up the Panorama Virtual Appliance.

STEP 4 | Activate the support license on Panorama
1. Open a web browser and navigate to the management IP address you set for Panorama.
2. Log in using the factory default credentials of admin/admin for username and password.
3. In the Dashboard > General Information section, the Serial # field should say "Unknown".
4. Go to Panorama > Setup > Management > General Settings. Click the settings wheel and set the proper timezone and current system time. After clicking OK, the screen may freeze. If it does, close that browser tab and bring up a new tab to the Panorama GUI.
5. Go back to Panorama > Setup > Management > General Settings. Click the settings wheel again to enter the Evaluation Panorama Serial # that you registered on the support portal. Click OK.
6. Click Commit at the top right corner and then Commit to Panorama to commit any pending changes.
7. Go to Panorama > Support. If the Support license is not displayed here, you will need to reboot Panorama for the system to display the license info.
8. Go to Panorama > Licenses: this screen shouldn't show any additional feature licenses.
9. Go to Panorama > Dynamic Updates to download the latest Apps & Threats, WildFire, and Antivirus content updates.
10. Go to Panorama > Software to download the latest software version if needed.

STEP 5 | Complete the Panorama software configuration
bfrentz 07-03-2018 12:42 PM
9,316 Views
0 Replies
To download software: log in to the Support Portal and click the Software Updates link.

To receive notifications when this document is updated, see Email Notifications for Subscribed Activities.

Version   Release Date
6.1.21    29-Jun-18
6.1.20    8-Mar-18
6.1.19    5-Dec-17
6.1.18    20-Jul-17
6.1.17    28-Apr-17
6.1.16    30-Jan-17
6.1.15    31-Oct-16
6.1.14    1-Sep-16
6.1.13    21-Jul-16
6.1.12    9-Jun-16
6.1.11    14-Apr-16
6.1.10    24-Feb-16
6.1.9     13-Jan-16
6.1.8     23-Nov-15
6.1.7     23-Sep-15
6.1.6     29-Jul-15
6.1.5     30-Jun-15
6.1.4     13-May-15
6.1.3     19-Mar-15
6.1.2     2-Feb-15
6.1.1     18-Dec-14
6.1.0     27-Oct-14
panagent 06-29-2018 12:56 AM
86,014 Views
7 Replies
1 Like
Overview
When using nested user groups, the Palo Alto Networks firewall will be able to return all users within the main group, along with all users within the nested group(s). For example, if the "top_level_group" contains two nested groups, "nested_group_1" and "nested_group_2", all queries to the top_level_group from the firewall will be able to pull back users in the nested groups as well. A security policy can be configured with the "top_level_group", and users from "nested_group_1" and "nested_group_2" will also be included.

Verification
The CLI command show user group name xxx can be used to display the users within the group. The output shows that the "top_level_group" contains users from "nested_group_1" and "nested_group_2".

> show user group name "cn=top_level_group,cn=users,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com"
short name:  pantac2012\top_level_group
source type: service
source:      panlab2012

[1] pantac2012\panuser1
[2] pantac2012\panuser2
[3] pantac2012\panuser3
[4] pantac2012\panuser10
[5] pantac2012\panuser11
[6] pantac2012\panuser12

> show user group name "cn=nested_group_1,cn=users,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com"
short name:  pantac2012\nested_group_1
source type: service
source:      panlab2012

[1] pantac2012\panuser1
[2] pantac2012\panuser2
[3] pantac2012\panuser3

> show user group name "cn=nested_group_2,cn=users,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com"
short name:  pantac2012\nested_group_2
source type: service
source:      panlab2012

[1] pantac2012\panuser10
[2] pantac2012\panuser11
[3] pantac2012\panuser12

See also: Retrieving AD groups fails - nested-group-level exceeds limit

owner: pmak
pmak 06-27-2018 01:58 PM
18,182 Views
5 Replies
To download software: log in to the Support Portal and click the Software Download link.

To receive notifications when this document is updated, see Email Notifications for Subscribed Activities.

Version   Release Date
4.1.2     14-Jun-18
4.1.1     26-Apr-18
4.1.0     6-Mar-18
4.0.8     12-Apr-18
4.0.7     22-Feb-18
4.0.6     16-Jan-18
4.0.5     4-Dec-17
4.0.4     12-Oct-17
4.0.3     5-Sep-17
4.0.2     25-May-17
panagent 06-14-2018 01:43 PM
140,868 Views
3 Replies
4 Likes
Introduction:
This document describes the recommended update interval and timings for Dynamic Updates. The network load on the update server varies depending on the timing, and it is recommended to avoid relatively busy times in order to receive stable updates.

Recommendation:
1. Update Interval (Recurrence)
A shorter recurrence setting is recommended, as it will trigger the next update sooner. For example, if Recurrence is set to "Daily" and the Dynamic Update fails, the scheduled update won't happen until the next day. If it is set to "Hourly", the scheduled update will be triggered again within an hour.

2. Update Timings (Minutes Past Hour / Minutes Past Half-Hour / Time)
The following timings are recommended to be avoided: 00/01/02/03/05/10/15/16/20/25/30/31/35/40/45/46/50/55 min

PAN-OS 6.1: The time value can be selected from the pull-down menu, and can also be modified manually.
PAN-OS 7.0: The time value can be selected from the pull-down menu, and can also be modified manually.
PAN-OS 8.0
PAN-OS 8.1

These recommended settings can be applied to Antivirus, WildFire and "Application and Threats" signature updates (except for the case where the WildFire update is configured as "Every Minute").

Please set a threshold that determines the amount of time the firewall waits before installing the latest content, if necessary. For more detail, please refer to the Administrator's Guide ("Best Practices for Application and Threat Content Updates" section) and the article below.

See Also:
https://www.paloaltonetworks.com/documentation/document-search?q=Best+Practices+for+Application+and+Threat+Content+Updates
https://live.paloaltonetworks.com/t5/Management-Articles/Dynamic-updates-scheduled-with-a-threshold-set-but-are-never-or/ta-p/65952
ymiyashita 06-04-2018 01:19 AM
5,248 Views
0 Replies
How to collect logs from the different GlobalProtect clients (Windows and Mac).
sraghunandan 05-30-2018 03:39 PM
31,208 Views
5 Replies
1 Like
SCTP (Stream Control Transmission Protocol) is a reliable, message-based transport protocol used widely by mobile networks. See how Palo Alto Networks plans to manage all SCTP-related App-IDs, beginning in May 2018, and how the SCTP Security feature in PAN-OS 8.1 still has you covered!
saverma 05-15-2018 04:48 PM
15,734 Views
0 Replies
How to configure PAN to advertise static/connected routes to its BGP peers except for one of them. This holds good for connected/OSPF/RIP routes as well.

Steps
1. Example showing 2 BGP peers.
2. The following static routes are configured on the box. Only the 100.1.1.0/24 and 50.0.0.0/24 static routes have to be redistributed to Peer3, and all static routes to Peer2.
4. Create a redistribution profile to allow all static routes.
5. Use the same redistribution profile in the redist profile of the BGP.
6. Now this will redistribute all the static routes to peers Peer2 and Peer3. In order to restrict the redistribution, we need to use the export policy and allow the 2 routes.
7. If you check the neighbor/Local-rib/Rib-out, you can see the desired result.

Via the CLI, use the following command to show the BGP loc-rib info:

admin@Lab> show routing protocol bgp loc-rib

VIRTUAL ROUTER: default (id 1)
==========
Prefix              Nexthop        Peer    Weight  LocPrf  Org  MED  flap  AS-Path
*50.0.0.0/24                       Local   0       100     i/c  0    0
*100.1.1.0/24                      Local   0       100     i/c  0    0
*172.17.0.0/16      172.17.0.0     Local   0       100     i/c  0    0
*192.168.254.0/24                  Local   0       100     i/c  0    0

total routes shown: 4

8. Now check the rib-out: only routes 100.1.1.0/24 and 50.0.0.0/24 are redistributed to Peer3, and all routes to Peer2.

Via the CLI, use the following command to show the BGP rib-out info:

admin@Lab> show routing protocol bgp rib-out

VIRTUAL ROUTER: default (id 1)
==========
Prefix              Nexthop       Peer      Originator  Adv Status  Aggr Status     AS-Path
50.0.0.0/24         172.19.1.1    peer1.1   0.0.0.0     advertised  no aggregation  64713
100.1.1.0/24        172.19.1.1    peer1.1   0.0.0.0     advertised  no aggregation  64713
172.17.0.0/16       172.19.1.1    peer1.1   0.0.0.0     advertised  no aggregation  64713
192.168.254.0/24    172.19.1.1    peer1.1   0.0.0.0     advertised  no aggregation  64713
50.0.0.0/24         172.19.1.1    Peer1.3   0.0.0.0     advertised  no aggregation  64713   ===> Peer3
100.1.1.0/24        172.19.1.1    Peer1.3   0.0.0.0     advertised  no aggregation  64713   ===> Peer3

total routes shown: 6

Important Note
-------------------
If you have redistributed OSPF, connected, or static routes into BGP, use the redistribution profile and the Redist tab of the BGP configuration for that, and use an export rule only when you have to restrict the redistribution to specific peers, as shown in the example above.

If you want to restrict the BGP routes sent out from the box, use only the Export tab to restrict them. Do not use both the Export and Redist tabs for exporting BGP routes in BGP.
panagent 05-14-2018 05:27 PM
10,812 Views
1 Reply
If there is a specific site that you would like to determine the URL category, please visit the test site in the article to test the URL. This article is a complete list of PAN-DB URL filtering categories.
‎05-10-2018 11:25 AM
194,374 Views
21 Replies
5 Likes
Question
What is the maximum length of the Security rules' Description field?

Answer
In PAN-OS 8.0 and older, the Description field can be a maximum of 255 characters. The policy name is limited to 31 characters.
In PAN-OS 8.1, the policy name limit has been increased to 63 characters. The Description field has not changed and is still limited to 255 characters.

owner: ukhapre
ukhapre 05-10-2018 08:25 AM
3,907 Views
1 Reply
Details
Here are some checks that should be made when Panorama is out of sync with one of many managed firewalls, or simply cannot connect to a firewall.

- Check IP connectivity between the devices.
- Make sure port 3978 is open and available from the device to Panorama.
- Make sure that a certificate has been generated or installed on Panorama.
- Confirm the serial number configured in Panorama (case sensitive).
- If a permitted IP list is configured for the management interface, make sure that the Panorama IP is allowed in the list. By default, all IPs are allowed if a list is not specified.
- Make sure Panorama is on a version greater than or equal to that of the managed devices. Panorama can manage devices running supported PAN-OS versions of the same or a lower release.
- Check the MTU settings on the managed device, as the value may need to be reduced. If a device on the path is fragmenting packets, communication from the managed device to Panorama will not succeed.
- Verify that there is not a large time difference between the clock (Date/Time) on Panorama and the clock (Date/Time) on the managed device.

owner: swhyte
swhyte 05-09-2018 10:26 AM
34,273 Views
8 Replies
2 Likes
Updated May 2018 kiwi

Issue
Active Directory servers configured for Agentless User-ID frequently disconnect from the firewall. The connection status for those servers, under the Server Monitoring section for User Mapping, keeps flapping between connected and not connected. The User-ID logs have the following error message for each configured AD server:

Error: pan_user_id_win_sess_query(pan_user_id_win.c:1241): session query for <server name>  failed: [wmi/wmic.c:216:main()] ERROR: Retrieve result data.

As shown in the screenshot below, see the "not connected" status in Server Monitoring under Device > User Identification > User Mapping > Server Monitoring:

Cause
Agentless User-ID is configured to monitor user session information from the servers in the Server Monitoring list. Session query attempts from the firewall to those AD servers are failing due to permission issues: the domain account used to access the session information does not have privileges to read the user session information from the servers. The Server Operators and Domain Admins groups include the session query read permissions.

As shown in the example below, go to Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup and click on the settings to find the User Name that is used to connect the Agentless User-ID to the AD server (172.30.30.15):

As shown in the example below, on the AD server (172.30.30.15) see the permissions for the user cr7:

Resolution:
Option 1: Grant Server Operators or Domain Admins privileges to the service account used under WMI Authentication. The example below shows how to add the Server Operator permission to the user cr7. After adding the Server Operator permission to user cr7, the example below shows that the Agentless User-ID is now connected to the AD server:
Option 2: If it is not being used, disable the server session read option:

owner: knarra
knarra1 04-27-2018 08:52 AM
38,584 Views
6 Replies
1 Like
Updated 23 April 2018   The latest Palo Alto Networks Visio stencils are attached to this article below.   The attachment is a .ZIP file that contains: Palo Alto Networks.vss   Please let us know if there are any issues with this attachment.
nrice 04-23-2018 01:34 AM
209,493 Views
38 Replies
3 Likes