Management Articles

Featured Article
Issue There can be a situation when upgrading the PAN-OS on WF-500 hardware, running PAN-OS 7.1.x or below and upgrading directly to 8.0.5 or above, that you may run into an issue which causes ssh to become inaccessible after the upgrade.      Workaround The current workaround is to install PAN-OS 8.0.4 first, then upgrade to 8.0.5 or above. This upgrade path avoids the issue which causes the loss of ssh access.   Steps to take if ssh access is lost: If after upgrading you lose ssh access, connect to the WF-500 via console cable.  Boot in maintenance mode by typing “maint” after interrupting the boot process. Select the previous disk image used prior to upgrade (7.1.x) and select reboot. This should restore ssh access to the WF-500 and allow you to continue to upgrade. Thank you for your patience and understanding as we investigate the cause of this issue.
View full article
ldemos ‎02-23-2018 09:40 AM
1,999 Views
0 Replies
1 Like
To upgrade the User-ID agent:   Navigate to services and stop the service User-ID Agent. Navigate to Program Files > Paloalto Networks > User-id agent.  Zip the user-id agent folder and back it up to a different location. Log into support.paloaltonetworks.com and download the latest User-Id Agent. Perform the install. Once the install is done, the latest agent should start running with all the configs retrieved from the previous agent.   owner: mvenkatesan
View full article
mvenkatesan ‎02-12-2018 01:09 AM
16,521 Views
4 Replies
5 Likes
Issue: SSL inbound policies worked ok when configured on 7.1 but after upgrading to 8.0, the sessions would fail and the logs show decrypt errors. This is seen when the server uses a certificate with an intermediate certificate in the chain.   Cause: Prior to PAN-OS 8.0, inbound inspection was completely passive. In 8.0, with ECC and DHE support it takes a more active role.   Confirmation: A packet capture on the firewall will confirm if the firewall is sending the full certificate chain or only the server certificate to the client. Check the Server hello packet which includes the certificates and if only the server certificate is sent, this may be the cause.   Fix: Re-import of the certificate from your web server to the firewall, make sure you're combining the server cert with the intermediate CA (not the root CA though).   Here are the steps to do so: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Install-a-Chained-Certificate-Signed-by-a-Public-CA/ta-p/55523   Additional information: https://live.paloaltonetworks.com/t5/General-Topics/Panos-8-inbound-ssl-inspection/m-p/183289
View full article
jarena ‎02-08-2018 05:18 AM
8,713 Views
0 Replies
La Automatización de Palo Alto Networks a partir de PAN-OS 8.0, y los Dynamic Address Group (DAG). El mismo tiene una utilidad importante para lograr generar un Data Center auto-defendido, sin necesidad de tener que aplicar políticas manualmente.
View full article
MarceloRey ‎02-06-2018 12:49 AM
3,257 Views
0 Replies
2 Likes
Symptoms During certificate/CSR creation, one can change the number of bits used in the RSA and SHA algorithms to something higher than the default. One should also be able to change the algorithms to Elliptic Curve DSA and MD5 for hashing. The available values for RSA and SHA (as of 8.0) are:   RSA: 512 1024 2048 (default) 3072 4096   SHA: SHA1 SHA256 (default) SHA384 SHA512   However, in some cases an admin might not be seeing any options in the drop-down for either algorithm.   Diagnosis The PHP debugs will show the following errors:   [2017/12/29 17:43:04] user=1282626187103044 Call to [PanDirect.run] /Certificate.completeCertificateNbits from router.php [2017/12/29 17:43:04] user=1282626187103044 ========= RemoteCall: Certificate.completeCertificateNbits ========= [2017/12/29 17:43:05] user=1282626187103044 <request cmd="op" complete="operations/request/certificate/generate/algorithm/RSA/rsa-nbits" cookie="1282626187103044"/> [2017/12/29 17:43:05] user=1282626187103044 <response status="error"><msg><line>You need superuser privileges to do that</line></msg></response> [2017/12/29 17:43:05] user=1282626187103044 Call to [PanDirect.run] /Certificate.completeCertificateNbits from router.php took 0.179s [2017/12/29 17:43:06] user=1282626187103044 Call to [PanDirect.run] /Certificate.completeCertificateDigest from router.php [2017/12/29 17:43:06] user=1282626187103044 ========= RemoteCall: Certificate.completeCertificateDigest ========= [2017/12/29 17:43:06] user=1282626187103044 <request cmd="op" complete="operations/request/certificate/generate/digest" cookie="1282626187103044"> <algorithm>rsa</algorithm> </request> [2017/12/29 17:43:06] user=1282626187103044 <response status="error"><msg><line>You need superuser privileges to do that</line></msg></response> [2017/12/29 17:43:06] user=1282626187103044 Call to [PanDirect.run] /Certificate.completeCertificateDigest from router.php took 0.167s   Solution Log in with any 'superuser' account and you should be able to change the bits and algorithms to any of the available options.
View full article
ansharma ‎01-03-2018 08:25 AM
1,985 Views
0 Replies
This article introduces the steps to make sure that the command-and-control category is recognized by PAN-DB URL Filtering feature using the ' test url' command.
View full article
kkawachi ‎10-13-2017 06:25 AM
14,054 Views
9 Replies
Procedure applies for PANOS versions  8.0 and below   Scenario Standalone M-500 Panorama in Hybrid mode ( Panorama device management and local Log Collector configured )  faced a hardware issue that requires chassis replacement. The M-500 uses 8 disk pairs for storing the logs received from managed devices. Naming convention Faulty M-500 device to be replaced will be called  "Old-M-500". Newly received replacement device will be called "New-M-500". You can use any name desired in your environment. These names are used for easier understanding of operations in the procedure.   Requirements In order to replace the faulty chassis Old-M-500 we need to have the configuration saved, so that we can import it in the New-M-500. Configuration can be exported by following the procedure in this Live article:. How to Back Up Panorama or by following the administrator manual: Export Panorama and Firewall Configurations The Old-M-500 has 8 disk pairs that will be moved to the New-M-500.   Procedure details 1) Power down the failed M-500 platform - Old-M-500.   Shutdown Panorama Link 2) Configure the New-M-500 in Panorama mode. Import the configuration exported from the faulty device. Import Old-M-500 exported configuration in the New-M-500. Load the named imported configuration into the New-M-500. Modify the Hostname from Old-M-500 to New-M-500.   Commit the configuration to Panorama. 3) Take the Primary disks from Old-M-500 ( A1, B1, C1, D1, E1, F1, G1, H1) and move them to the same Primary positions in New-M-500 ( A1, B1, C1, D1, E1, F1, G1, H1) .   Check M-500 Hardware documentation for correct identification of disks. M-500 Hardware Guide   The picture below shows the physical positioning of the drives inside the M-500 devices.     On New-M-500 we are going to add the Primary Log disks to RAID using CLI commands.  We must use "force" and "no-format" option. Force option associates the disk pair that is previously associated with another Log Collector. The option “no-format” keeps the logs by not formatting the disk storage. In this step we are going to add the Primary log disks only.   Secondary Log Disks will be added towards the end of the procedure. This is done as the Secondary Log Disks are used as data backup and we do not want to use them until the Migration of logs is confirmed.   In our example we have 8 Active RAID pairs ( A, B, C, D, E, F, G, H ). The full list of commands to attach the 8 primary 8 disks is: admin@New-M-500> request system raid add A1 force no-format admin@New-M-500> request system raid add B1 force no-format admin@New-M-500> request system raid add C1 force no-format admin@New-M-500> request system raid add D1 force no-format admin@New-M-500> request system raid add E1 force no-format admin@New-M-500> request system raid add F1 force no-format admin@New-M-500> request system raid add G1 force no-format admin@New-M-500> request system raid add H1 force no-format 4) Check the disk adding status by verifying the status and RAID status:   > show system raid detail Example: Output for 8 primary disks inserted after the adding operation ends: admin@New-M-500> show system raid detail Disk Pair A                           Available    Status                       clean, degraded    Disk id A1                           Present        model        : ST91000640NS            size         : 953869 MB        status       : active sync    Disk id A2                           Missing Disk Pair B                           Available    Status                       clean, degraded    Disk id B1                           Present        model        : ST91000640NS            size         : 953869 MB        status       : active sync    Disk id B2                           Missing .... Disk Pair G                           Available    Status                       clean, degraded    Disk id G1                           Present        model        : ST91000640NS            size         : 953869 MB        status       : active sync    Disk id G2                           Missing Disk Pair H                           Available    Status                       clean, degraded    Disk id H1                           Present        model        : ST91000640NS            size         : 953869 MB        status       : active sync    Disk id H2                           Missing To follow the state of the addition you can check the Management Plane raid.log debug logs through CLI:     >  tail lines 120 mp-log raid.log   This commands shows the last 120 lines that contain all the logs necessary to check the disk operations.   Mar 20 00:01:37 DEBUG: raid_util: argv: ['GetArrayId', 'A1'] Mar 20 00:01:37 DEBUG: raid_util: argv: ['Add', 'A1', 'force', 'no-format', 'verify'] Mar 20 00:01:37 DEBUG: Verifying drive A1 to be added. Mar 20 00:01:37 DEBUG: create_md 1, sdb Mar 20 00:01:38 DEBUG: raid_util: argv: ['Add', 'A1', 'force', 'no-format'] Mar 20 00:01:38 INFO: Adding drive A1 (sdb) Mar 20 00:01:38 DEBUG: create_md 1, sdb Mar 20 00:01:38 DEBUG: create_md_paired_drive 1, sdb, no_format=True Mar 20 00:01:38 DEBUG: Mounting Disk Pair A (/dev/md1) Mar 20 00:01:38 DEBUG: set_drive_pairing_one 1 Mar 20 00:01:38 INFO: New Disk Pair A detected. Mar 20 00:01:38 DEBUG: Created Disk Pair A (/dev/md1) from A1 (/dev/sdb1) Mar 20 00:01:38 INFO: Done Adding drive A1 ... Mar 20 00:02:41 DEBUG: raid_util: argv: ['GetArrayId', 'H1'] Mar 20 00:02:41 DEBUG: raid_util: argv: ['Add', 'H1', 'force', 'no-format', 'verify'] Mar 20 00:02:41 DEBUG: Verifying drive H1 to be added. Mar 20 00:02:41 DEBUG: create_md 8, sdp Mar 20 00:02:41 DEBUG: raid_util: argv: ['Add', 'H1', 'force', 'no-format'] Mar 20 00:02:41 INFO: Adding drive H1 (sdp) Mar 20 00:02:41 DEBUG: create_md 8, sdp Mar 20 00:02:41 DEBUG: create_md_paired_drive 8, sdp, no_format=True Mar 20 00:02:42 DEBUG: Mounting Disk Pair H (/dev/md8) Mar 20 00:02:42 DEBUG: set_drive_pairing_one 8 Mar 20 00:02:42 INFO: New Disk Pair H detected. Mar 20 00:02:42 DEBUG: Created Disk Pair H (/dev/md8) from H1 (/dev/sdp1) Mar 20 00:02:42 INFO: Done Adding drive H1 5)  Next step is to regenerate the Log Disks' Metadata for each RAID disk slot. Note:  This command can take a long time to finish depending on the data size stored on the disks, because the command rebuilds all the log indexes.   > request metadata-regenerate slot 1 > request metadata-regenerate slot 2 > request metadata-regenerate slot 3 > request metadata-regenerate slot 4 > request metadata-regenerate slot 5 > request metadata-regenerate slot 6 > request metadata-regenerate slot 7 > request metadata-regenerate slot 8 Sample Output:   Bringing down vld: vld-0-0 Process 'vld-0-0' executing STOP Removing old metadata from /opt/pancfg/mgmt/vld/vld-0 Process 'vld-0-0' executing START Done generating metadata for LD:1 .... admin@New-M-500> request metadata-regenerate slot 8 Bringing down vld: vld-7-0 Process 'vld-7-0' executing STOP Removing old metadata from /opt/pancfg/mgmt/vld/vld-7 Process 'vld-7-0' executing START Done generating metadata for LD:8 You can check the status of the metadata regeneration by opening a new CLI window and running the command to follow the debug log file vldmgr.log:   > tail lines 100 follow yes mp-log vldmgr.log This commands shows the last 100 lines and then follows the logfile vldmgr.log: Sample output: 2017-03-19 23:38:42.836 -0700 sysd send 'stop LD:1 became unavailable' to 'vld-0-0' vldmgr:vldmgr 2017-03-19 23:38:43.185 -0700 Error:  _process_fd_event(pan_vld_mgr.c:2113): connection failed on fd:13 for cs:vld-0-0 2017-03-19 23:38:43.185 -0700 Sending to MS new status for slot 0, vldid 1280: not online 2017-03-19 23:38:43.185 -0700 setting LD refcount in var:runtime.ld-refcount.LD1 to 0. create:false 2017-03-19 23:38:46.186 -0700 vldmgr vldmgr diskinfo cb from sysd .... 2017-03-20 00:20:56.792 -0700 setting LD refcount in var:runtime.ld-refcount.LD7 to 2. create:false 2017-03-20 00:20:56.792 -0700 Sending to MS new status for slot 6, vldid 1286: online 2017-03-20 00:20:56.905 -0700 connection failed for err 111 with vld-7-0. Will start retry 3 in 2000 2017-03-20 00:20:58.907 -0700 connection failed for err 111 with vld-7-0. Will start retry 4 in 2000 2017-03-20 00:21:00.908 -0700 Connection to vld-7-0 established 2017-03-20 00:21:00.908 -0700 connect(2) succeeded on fd:20 for cs:vld-7-0 2017-03-20 00:21:00.908 -0700 setting LD refcount in var:runtime.ld-refcount.LD8 to 2. create:false 2017-03-20 00:21:00.908 -0700 Sending to MS new status for slot 7, vldid 1287: online 6) On the New-M-500 add a new Local Collector. Click add under Panorama > Managed Collectors to add a new Collector. Under the General tab, enter the serial number of the New-M-500 device that we are moving the disks to. ( Visual example can be found below.  ) We will add the disks to the New-M-500 Log Collector in a later step.   7) Check the status of the new Log Collector. Check for following things in the output of the command: a. Connected status should display “yes” b. Disk capacity should display the correct size c. Disk pair will display as “Disabled” but this is expected behavior at this stage in the RMA process   >  show log-collector serial-number <serial-number-of-New-M-500> Sample output:   > show log-collector serial-number 007307000539 Serial           CID      Hostname           Connected    Config Status    SW Version         IPv4 - IPv6                                                      --------------------------------------------------------------------------------------------------------- 007307000539     0        M-500_LAB          yes          Out of Sync      7.1.7              10.193.81.241 - unknown Redistribution status:       none Last commit-all: commit succeeded, >>>>>>>>current ring version 0<<<<<<<< md5sum  updated at ? Raid disks DiskPair A: Disabled,  Status: Present/Available,  Capacity: 870 GB DiskPair B: Disabled,  Status: Present/Available,  Capacity: 870 GB DiskPair C: Disabled,  Status: Present/Available,  Capacity: 870 GB DiskPair D: Disabled,  Status: Present/Available,  Capacity: 870 GB DiskPair E: Disabled,  Status: Present/Available,  Capacity: 870 GB DiskPair F: Disabled,  Status: Present/Available,  Capacity: 870 GB DiskPair G: Disabled,  Status: Present/Available,  Capacity: 870 GB DiskPair H: Disabled,  Status: Present/Available,  Capacity: 870 GB 8) Add the disks to the New-M-500 Log collector configuration: Panorama > Managed Collectors Click on the name of the Log Collector (Eg. New-M-500) Click on the tab Disks Add all the disks that were moved to the New-M-500 device.  ( Eg. A,B,C,D,E,F,G,H)       9) On New-M-500 add the new Local Log Collector that we have created to the existing Log Collector Group that the Old-M-500 was a part of,  in this example the Old-M-500 log collector was part of the "default" Collector Group. Add the New-M-500 Log collector where the Old-M-500 Log collector was present:       10) Delete the failed Log Collector from the Collector Group. On WebGUI go to Panorama > Collector Group Select the Collector Group name where the New-M-500 is configured. In the Collector Group popup select the tab "Device Log Forwarding". Delete all references of the serial number of the failed Old-M-500.   11) Issue a Panorama Commit only.   12) Issue Commit to Collector Group. 13. Check that the old logs are visible.       14. Add spare disks to RAID, so that we rebuild full RAID redundancy will log migration already confirmed. Physically move disks from Old-M-500  A2, B2, C2, D2, E2, F2, G2, H2  to the New-M-500 A2, B2, C2, D2, E2, F2, G2, H2.   Check that the disks are available to be added to RAID:   > show system raid detail The newly added disks will be in the state "Present" and status "Not in use". admin@New-M-500> show system raid detail Sample Output: Disk Pair A                           Available    Status                       clean, degraded    Disk id A1                           Present        model        : ST91000640NS            size         : 953869 MB        status       : active sync    Disk id A2                           Present        model        : ST91000640NS            size         : 953869 MB        status       : not in use .... Disk Pair H                           Available    Status                       clean, degraded    Disk id H1                           Present        model        : ST91000640NS            size         : 953869 MB        status       : active sync    Disk id H2                           Present        model        : ST91000640NS            size         : 953869 MB        status       : not in use           15. Add the secondary disks (A2,B2,C2,D2,E2,F2,G2,H2) to RAID using the command:   > request system raid add A2 force > request system raid add B2 force > request system raid add C2 force > request system raid add D2 force > request system raid add E2 force > request system raid add F2 force > request system raid add G2 force > request system raid add H2 force   Note:  Executing this command may delete all data on the drive being added. Do you want to continue? (y or n) Press the key "y" to accept. After these commands the RAID goes to "Spare Rebuild" operation.  Please note that this may be a lengthy operation and it will run in the background until it ends. During this time logging to the Log Collector Group will be on hold. Once operation is over the log forwarding to the New-M-500 will resume. You can check the status of the operation running the command: > show system raid detail Sample Output: > show system raid detail Disk Pair A                           Available    Status     clean, degraded, recovering (2% complete)    Disk id A1                           Present        model        : ST91000640NS            size         : 953869 MB        status       : active sync    Disk id A2                           Present        model        : ST91000640NS            size         : 953869 MB        status       : spare rebuilding   .... Disk Pair H                           Available    Status     clean, degraded, recovering (0% complete)    Disk id H1                           Present        model        : ST91000640NS            size         : 953869 MB        status       : active sync    Disk id H2                           Present        model        : ST91000640NS            size         : 953869 MB        status       : spare rebuilding         16. Once the Spare rebuild operation is finished the New-M-500 is in fully operational state and the RMA process is done.
View full article
bbolovan ‎08-07-2017 01:02 AM
7,716 Views
2 Replies
2 Likes
Starting from PAN-OS 8.0, we can enable IPSec VPN specific debugs per peer.
View full article
mdumitriu ‎08-02-2017 09:29 AM
14,100 Views
0 Replies
2 Likes
The behaviors of Device Administrator roles have changed in PAN-OS 8.0 to have different expected behaviors when it comes to users' access under the Device tab. The Save functionality has now been specifically added separately to where the control of allowing Device Administrators to only Save (instead of allowing all features under the Operations tab) has been isolated.   Previously in PAN-OS 7.1 and earlier, for a Device Administrator (non-Superuser) to be able to Save Configuration via the Save icon in the top-right corner of the WebGUI, the Device tab had to be allowed and the functionality of Device > Setup > Operations had to be Enabled for the user                                                       The above configuration shows the bare minimum requirements for the Save icon in PAN-OS 7.1 and earlier to be present, but it also means that any Device Admins would also have the right to Load configs, import/export, etc. as allowed in Operations.   If attempting to save as a Device Administrator in PAN-OS 7.1 without the Device tab enabled (or, specifically, Device > Setup > Operations enabled) as shown above, users would notice the Save icon had completely disappeared from their available icons entirely       In PAN-OS 8.0 the process has changed to where users can be denied access to the Device tab entirely and still retain functionality of the Save/Revert feature under the Config icon in the top right.       The functionality of the Save feature in PAN-OS 8.0 has been completely isolated from the previously-dependent Operations section under Device. The option for Save For Other Admins can be denied as well and only allow user to Partial Save for the options they themselves have made. If a Device Administrator in PAN-OS 8.0 has had the Save feature Disabled, the Config icon still remains in the top right corner unlike PAN-OS 7.1 and earlier, however functionality is denied and the below error message is presented to the user:  
View full article
cperratore ‎05-04-2017 12:41 PM
2,664 Views
0 Replies
Ask Questions Get Answers Join the Live Community