Management Articles

Featured Article
Can policies be exported from the Palo Alto Networks firewall to make them easier to view? While there is no export function for policies, the CLI can display the rules in "set" format.

From the CLI, run the command:

> set cli config-output-format set

From configure mode:

# show rulebase security rules
# show rulebase (to view other policies)

owner: odaos
View full article
panagent ‎02-29-2012 04:01 PM
14,783 Views
7 Replies
1 Like
Issue: In an HA Active/Active VWire topology, the firewall cannot send a redirect for a URL block page when the session is going through the device that is not the session owner.

Resolution: In an Active/Active VWire environment where the session owner is set to "primary device", the continue/override page is not shown on the client node. This is because the active primary device sends the HTTP redirect message to the client-side zone with the destination MAC address of the neighboring Layer 3 interface on the secondary device side, and the neighboring device drops it. Select "first packet" as the session owner in the configuration, and the redirect message will reach the client as expected. Session ownership is then assigned to the device that received the first packet, and the communication continues to flow.

Owner: yogihara
View full article
panagent ‎02-28-2012 08:14 AM
3,143 Views
0 Replies
Overview

This can happen if there are security rules for tap zone traffic with a deny action. For Tap mode, rules should always have allow as the action.

Normally, with non-tap transit traffic, the firewall sees the TCP SYN and passes the traffic through first-packet processing to create a session. First-packet processing is somewhat CPU intensive. All subsequent packets for that session match the existing session and do not need to go through first-packet processing again, so the CPU load is lower. Also, for transit traffic, if the policy is set to deny, the session is not created, and the end client/server drops that session and does not continue sending data.

Tap mode is different because the firewall does not drop the traffic or terminate the TCP sessions, so TCP session traffic continues to be seen despite the deny rule. The result is that the Palo Alto Networks device performs first-packet processing on the SYN packet of a session and denies it, meaning no session is created. Every subsequent TCP packet for that session is processed as a first packet again, but is dropped due to the tcp-reject-non-syn option. This is what puts more load on the CPU.

For tap mode, the tap interface always drops the packet anyway, so it is recommended to configure rules with an allow action for any TAP interface.

owner: rkim
View full article
rkim ‎11-14-2011 04:35 PM
4,809 Views
0 Replies
1 Like
Symptoms

Custom URL categories are used to allow people to browse certain web sites and block all the rest. Two custom URL categories were created, and the other sites were put in a block list (identified by *.*). The result is that the sites that should be allowed are still blocked.

Issue

The firewall looks at the profile block list first, then the allow list, then custom categories. If two custom categories are triggered for a specific URL, the most severe action is performed. So if one is set to allow and the other to block, the firewall will block it.

Resolution

Put allowed sites in the profile allow list, then add blocked sites in a custom category.

owner: panagent
View full article
nrice ‎11-09-2010 03:25 PM
13,974 Views
3 Replies
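The evaluation order described in that article, modelled as an added Python example that is not Palo Alto Networks code. The severity ranking of actions and the fnmatch-style wildcard matching are simplifying assumptions of this model; the hostnames and category names are constructed:

```python
from fnmatch import fnmatchcase

# Assumed severity order for "most severe action wins" among custom categories.
SEVERITY = {"allow": 0, "alert": 1, "continue": 2, "block": 3}


def matches(host, patterns):
    # Simplified wildcard matching (assumption): "*" matches any characters,
    # so "*.*" matches every dotted hostname.
    return any(fnmatchcase(host, p) for p in patterns)


def evaluate(host, profile):
    """Return (action, reason) for a hostname under a URL filtering profile.

    Order, as the article states: profile block list, then profile allow list,
    then custom categories (most severe action among all matching categories).
    """
    if matches(host, profile.get("block_list", [])):
        return "block", "profile block list"
    if matches(host, profile.get("allow_list", [])):
        return "allow", "profile allow list"
    hits = [(name, action)
            for name, (patterns, action) in profile.get("custom", {}).items()
            if matches(host, patterns)]
    if not hits:
        return None, "no match; predefined categories would decide (not modelled)"
    name, action = max(hits, key=lambda hit: SEVERITY[hit[1]])
    return action, "custom category " + name


# Constructed configuration from the Symptoms section: an allow category plus a
# catch-all block category. The allowed sites end up blocked.
BROKEN = {
    "custom": {
        "allowed-sites": (["www.example.com", "*.example.net"], "allow"),
        "everything-else": (["*.*"], "block"),
    },
}

# Constructed configuration from the Resolution section: allowed sites moved to
# the profile allow list, the catch-all block kept as a custom category.
FIXED = {
    "allow_list": ["www.example.com", "*.example.net"],
    "custom": {"everything-else": (["*.*"], "block")},
}

if __name__ == "__main__":
    for host in ("www.example.com", "intranet.example.net", "evil.example.org"):
        print(host, "broken:", evaluate(host, BROKEN), "fixed:", evaluate(host, FIXED))
```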
Overview

This document describes the steps to delete certificates on the Palo Alto Networks firewall via the WebGUI and CLI.

Note: Make sure the certificate to be deleted is not currently in use; the firewall will not allow you to delete a certificate that is currently referenced inside the config.

Steps

On the WebGUI:
1. Go to Device > Certificate Management > Certificates
2. Select the certificate to be deleted
3. Click Delete at the bottom of the page, and then click Yes in the confirmation dialog
4. Commit the configuration

On the CLI, run the following commands to delete the web server certificate:

> configure
# delete deviceconfig system web-server-certificate
# commit
# exit

To delete the shared ssl-decrypt certificates:

> configure
# delete shared ssl-decrypt <value>
  forward-trust-certificate    CA certificate for trusted sites
  forward-untrust-certificate  CA certificate for untrusted sites
  root-ca-exclude-list         List of predefined root CAs to not trust
  ssl-exclude-cert             ssl-exclude-cert
  trusted-root-CA              trusted-root-CA

owner: schaganti
View full article
nrice ‎07-15-2010 03:54 PM
10,987 Views
0 Replies
Overview

This document describes the CLI commands that can be used to verify a successful connection to the BrightCloud server.

Details

Command to test BrightCloud connectivity:

> debug device-server test url-update-server

This command will return either "success" or "failure to connect to url update server".

Command to manually load the BrightCloud URL DB into the Palo Alto Networks device:

> request url-filtering upgrade brightcloud

Command to delete the BrightCloud database from the Palo Alto Networks device:

> debug device-server reset brightcloud-database
cfg.latest-url-version: 0
cfg.url-version: 0

Command to capture the initial download of the URL DB into the file test_bc_download.pcap:

> request url-filtering upgrade brightcloud test

Command to view the progress of the download and packet capture:

> tail follow yes mp-log pan_bc_download.log

Command to view the test pcap:

> view-pcap filter-pcap test_bc_download.pcap
14:58:07.518025 IP 64.87.3.54.http > 172.17.128.39.57304: P 3727295829:3727297233(1404) ack 1969658105 win 64895 <nop,nop,timestamp 61965404 17298843>
14:58:07.518041 IP 172.17.128.39.57304 > 64.87.3.54.http: . ack 1404 win 136 <nop,nop,timestamp 17298870 61965404>

The pcap file may also be exported to an external host by scp or tftp:

> tftp export filter-pcap from test_bc_download.pcap to <tftp host>
> scp export filter-pcap from test_bc_download.pcap to username@host:path

To verify the status of the BrightCloud servers and cross-check any service disruptions, visit: www.brightcloud.com/status.

owner: apasupulati
View full article
nrice ‎05-26-2010 04:58 PM
9,006 Views
2 Replies
1 Like
The Spyware Infected Host Report shows the top PCs hit by spyware during the indicated period. This is a high-level report identifying the victims irrespective of the source or even the specific spyware type. The IPs listed are the destinations (i.e. they are on the receiving end of the spyware); this is not the list of IPs generating spyware traffic. The information can be correlated with the corresponding threat logs.

owner: panagent
View full article
nrice ‎05-06-2010 08:07 PM
2,651 Views
1 Reply
Details

To revert to a previous configuration from the GUI (PAN-OS 5.0 and above):
1. Open Device > Setup > Operations
2. Click a command from the Load or Revert section on the page
3. Commit

To load a previously saved configuration from the CLI:

> configure
# load config
+ key          key
> from         Filename
> last-saved   Last saved configuration
> partial      partial config loading
> version      Version
# commit

owner: panagent
View full article
nrice ‎02-11-2010 04:26 PM
40,151 Views
0 Replies
3 Likes