Management Articles

Featured Article
Issue

A VPN tunnel goes down and comes back up. A look at the global counters shows that the flow_fwd_zonechange counter is incrementing:

> show counter global

Cause

The flow_fwd_zonechange counter indicates that the egress zone of a packet does not match the egress zone of the matching session. For this reason, the packet is dropped and the flow_fwd_zonechange counter is incremented.

Scenario 1

Packets are dropped due to a route change. The flow_fwd_zonechange counter increments when a packet is to be forwarded, but the zone of the egress interface does not match the egress zone recorded in the session, because the route changed while the tunnel was down. To verify that the global counter increments for a given flow, refer to the knowledge base article "How to Check Global Counters for Specific Source and Destination IP Address".

In this scenario, the initial routing table is as follows:

- 0.0.0.0/0, metric 10, untrust zone
- A tunnel route to 10.10.10.10/24 through 1.1.1.1, metric 5, tunnel zone

When the tunnel goes down, the tunnel route is removed from the table and the default route is used for the 10.10.10.10 network, in the untrust zone. When the tunnel comes back up, the firewall considers this a zone change and drops the packets, incrementing the flow_fwd_zonechange counter.

Resolution 1

All sessions destined to the untrust zone when going to 10.10.10.10/24 need to be cleared and re-initiated. To avoid this zone change, create a dummy IP address (for example, loopback interface IP address 5.5.5.5) in the tunnel zone so that the routing table looks like this:

- 0.0.0.0/0, metric 10, untrust zone
- A tunnel route to 10.10.10.10/24 through 1.1.1.1, metric 5, tunnel zone
- Another tunnel route to 10.10.10.10/24 through 5.5.5.5, metric 10, tunnel zone

This forces the traffic to use the metric 10 route in the same tunnel zone when the primary tunnel route fails, so no zone change occurs when the tunnel comes back up.
Scenario 2

Packets destined to exit out an ingress interface are dropped by the firewall with "flow_fwd_zonechange".

Resolution 2

In this case, the interface had a /32 (host) mask instead of /24 (network). Make sure that the interface is configured as a /24, for example 10.10.10.1/24.

owner: pvemuri
pvemuri, 10-23-2018 12:33 PM
While configuring firewalls to forward logs to the Logging Service based on the steps in the following document, you might run into an issue where the drop-down for 'Region' is empty and won't display the region on Panorama and the firewall. Selecting the region is a mandatory step [Step 4] in the configuration to enable log forwarding to the Logging Service:

https://www.paloaltonetworks.com/documentation/10/cloud-services/logging-service-gsg/get-started-with-logging-service/configure-the-firewalls-to-forward-logs-to-the-logging-service#id177S00F0R2G

Logs:

The firewall shows an error when you attempt to view customerinfo, and lcaas_agent.log for the logging service shows a '502 Bad Gateway' error.

To fix this, enable the 'Region' from the Panorama CLI using the following commands:

1. Log in to the Panorama CLI.
2. Enter configure mode with the command "configure".
3. Run "set template <template_name> config deviceconfig setting logging logging-service-forwarding enable yes logging-service-regions <region>", where <template_name> is the template the device is part of and <region> can be americas, europe, etc.
4. Commit.
5. Push the changes to the firewall, then verify on the Device > Setup > Management page that the Region populates correctly.
ptarra, 09-12-2018 08:49 AM
Explanation

To check which version of OpenSSH the Palo Alto Networks firewall (PAN-OS) is running, open a telnet session to the firewall's management interface on port 22, which simulates an SSH session. The firewall will close the session and reply with a connection status message that includes the OpenSSH version in use. Here is an example:

dragoslav@dragoslav:~$ telnet 10.193.80.51 22
Trying 10.193.80.51...
Connected to 10.193.80.51.
Escape character is '^]'.
SSH-2.0-OpenSSH_11.1
Connection closed by foreign host.

In this example, the Palo Alto Networks firewall is using OpenSSH version 11.1.
djoksimovic, 08-28-2018 10:36 AM
Issue

The Palo Alto Networks firewall currently doesn't have SNMP OIDs to monitor IPSec tunnel status, so network management systems cannot rely on SNMP to receive notifications when an IPSec tunnel on the Palo Alto Networks firewall changes its status.

Workaround

Perform the following workaround on the Palo Alto Networks firewall:

1. Configure and enable the IPSec Tunnel Monitor feature for the desired IPSec tunnel (https://live.paloaltonetworks.com/docs/DOC-1323).
2. Configure a Syslog server profile to send syslog messages to the desired Syslog server (https://live.paloaltonetworks.com/docs/DOC-3837).
3. Go to Device > Log Setting > System to send logs to the previously created Syslog server.

When the tunnel monitor fails, the firewall generates the following message in the system log:

Time                 Severity  Subtype  Object         EventID  ID  Description
===============================================================================
2015/03/15 13:24:34  low       vpn      <object name>  tunnel-  0   Tunnel <tunnel name> is down

The Syslog server receives a "tunnel down" message. After the IPSec tunnel is brought up, the tunnel interface also goes up and a new "tunnel is UP" message is generated in the system logs, which is then sent to the Syslog server.
djoksimovic, 08-28-2018 10:35 AM
This article can assist you in importing the policies of an existing Palo Alto Networks firewall into Panorama.

Assumptions

- You have a configuration on your Palo Alto Networks firewall.
- An instance of Panorama is up and running with the same version of PAN-OS (or higher).
- You have Web and CLI administrator access to both the firewall and Panorama.
- The firewall has been configured to connect to Panorama in Device > Setup > Management > Panorama Settings.
- The firewall's serial number has been added to Panorama and a Panorama commit has been completed.
- Panorama shows that the firewall is connected in Panorama > Managed Devices.

Steps

1. On Panorama, navigate to Panorama > Setup > Operations.
2. Click "Import device configuration to Panorama."
3. Select the appropriate device and name the Template and Device Group accordingly. For each virtual system (vsys) on the firewall, Panorama automatically creates a device group to contain the policy and object configurations.
4. Once you click "OK", the configuration of the firewall is imported into Panorama.
5. Commit locally to Panorama to save the new Device Group and Template created by the import.
6. Push the imported configuration back to the firewall: on Panorama, navigate to Panorama > Setup > Operations, click "Export or push device config bundle", and choose either "Push & Commit" or "Export."

Push & Commit: This option overwrites any local configuration on the firewall with the firewall configuration stored on Panorama. This succeeds where a normal commit would generate errors about objects and rules existing both in Panorama and on the firewall. When you choose "Push & Commit" you will see a job triggered on Panorama, with Job Status details as shown below:

Export: This option exports the configuration to the firewall but does not load it. You must manually load the configuration from the CLI by running the command "load device-state", then commit the configuration.

When you choose the "Export" option you will see a job triggered on Panorama, with details as shown below:

Note: The above two options ("Push & Commit" and "Export") are available only for firewalls running PAN-OS 6.0.4 and later releases. After this is performed, you should Push to Devices and select the options "Merge with Device Candidate Config", "Include Device and Network Templates", and "Force Template Values".

Caveats and important notes:

- If you had previously broken a firewall off from Panorama support under Device > Setup > Panorama Settings > Disable Panorama Policy and Objects / Disable Device and Network Template and are now re-importing it into the same or another Panorama, you WILL have to ensure those options are enabled again to receive the Push and Commit or Export. The Push and Commit deletes all local information, but leaving the options to disable Panorama's config in place will prevent Panorama from giving it any configuration, including the management IP and default gateway (so only console access would be possible at that time).
- If multiple devices are being imported and then moved to one device group, they MUST be imported into their own new Device Group/Template following the steps above. Only once they show properly in their own Device Groups/Templates and have received all configuration pushed from Panorama can you place them into a single Device Group/Template, after which you must Commit locally to Panorama and then Push to Devices while selecting "Merge with Device Candidate Config", "Include Device and Network Templates", and "Force Template Values".
- If importing a new device into Panorama via the Import Device Configuration to Panorama option, after adding its serial number to Panorama's Managed Devices you must ensure it is NOT part of a Device Group/Template before performing the import, as otherwise it will not show as an available device from which to import the configuration.
- When performing the Import, ONLY the Running Config on the firewall is imported. Any changes that exist only in the Candidate Config (not pushed to the firewall) will NOT be imported.
achalla, 08-07-2018 05:36 AM
To download software: log in to the Support Portal and click the Software Updates link.

To receive notifications when this document is updated, see Email Notifications for Subscribed Activities.

Version   Release Date
7.1.1     31-Jul-18
7.1.18    12-Jun-18
7.1.17    24-Apr-18
7.1.16    8-Mar-18
7.1.15    17-Jan-18
7.1.14    27-Nov-17
7.1.13    12-Oct-17
7.1.12    30-Aug-17
7.1.11    6-Jul-17
7.1.10    22-May-17
7.1.9     10-Apr-17
7.1.8     20-Feb-17
7.1.7     3-Jan-17
7.1.6     17-Nov-16
7.1.5     3-Oct-16
7.1.4-h2  22-Aug-16
7.1.4     15-Aug-16
7.1.3     29-Jun-16
7.1.2     16-May-16
7.1.1     18-Apr-16
7.1.0     4-Apr-16
07-31-2018 02:06 PM
How to Register and Activate Eval Panorama Software

The following procedure walks you through the steps to license, download, and install the Panorama management software.

STEP 1 | Register the Panorama Serial #

1. Log in to the Customer Support Portal (https://support.paloaltonetworks.com) and select Assets > Devices > Register New Device.
2. In the Device Type window, select Register device using Serial Number or Authorization Code and click Submit.
3. To activate the Panorama software, enter the Serial Number you received in the "Request for Software Evaluation Approved" email and click Agree and Submit.

After successful registration, your Assets screen should display the newly registered and activated Eval Panorama.

STEP 2 | Download the Panorama software

1. In the navigation menu, click Updates > Software Updates.
2. Click the Filter By: drop-down menu and select Panorama Base Images.
3. Locate the most recent base image that will be used for your environment and click the corresponding download link.

STEP 3 | Install the Panorama software

For detailed instructions on installing and configuring the Panorama software, go to PANW Tech Docs: Panorama Admin Guide: Set up the Panorama Virtual Appliance.

STEP 4 | Activate the support license on Panorama

1. Open a web browser and navigate to the management IP address you set for Panorama.
2. Log in using the factory default credentials of admin/admin for username and password.
3. In the Dashboard > General Information section, the Serial # field should say "Unknown".
4. Go to Panorama > Setup > Management > General Settings. Click the settings wheel and set the proper timezone and current system time. After clicking OK, the screen may freeze. If it does, close that browser tab and open a new tab to the Panorama GUI.
5. Go back to Panorama > Setup > Management > General Settings. Click the settings wheel again to enter the Evaluation Panorama Serial # that you registered on the support portal, then click OK.
6. Click Commit at the top right corner and then Commit to Panorama to commit any pending changes.
7. Go to Panorama > Support. If the Support license is not displayed here, you will need to reboot Panorama for the system to display the license info.
8. Go to Panorama > Licenses: this screen shouldn't show any additional feature licenses.
9. Go to Panorama > Dynamic Updates to download the latest Apps & Threats, WildFire, and Antivirus content updates.
10. Go to Panorama > Software to download the latest software version if needed.

STEP 5 | Complete the Panorama software configuration
bfrentz, 07-03-2018 12:42 PM
Question

What is the maximum length of the security rule Description field?

Answer

In PAN-OS 8.0 and older: the description field can be a maximum of 255 characters. The policy name is limited to 31 characters.

In PAN-OS 8.1: the policy name limit has been increased to 63 characters. The description field has not changed and is still limited to 255 characters.

owner: ukhapre
ukhapre, 05-10-2018 08:25 AM
Steps to activate Magnifier cloud service using an Evaluation Auth Code.
bfrentz, 05-09-2018 10:18 AM
How to Back Up Config Files Periodically from Palo Alto Networks Firewalls

Introduction

The configuration file of any firewall is extremely important since it holds all the customizations made by the user. In the event of hardware failure, if the config files aren't backed up to an external location, the configs will have to be rebuilt from scratch. So it's good practice to back up and export the config files regularly, especially to external locations.

Panorama can do this automatically. But in case Panorama isn't managing the firewalls, this document can be very helpful to export and back up the config file to an external location for safe keeping.

Overview

1. Access the firewall using the XML API: set up the firewall for API access by generating an API key. Save the API key and add it to the HTTPS query in the next step.
2. Retrieve the running config file using an HTTPS GET: to run an HTTPS GET from the command prompt, use curl for Windows. For Linux hosts, it is usually built in. Then save the retrieved config to a file.
3. Automate the export process: add the commands from the above steps to a batch file (or a script for Linux hosts). Then run the batch file on a server that is always on. Create a job in Windows Scheduler (or a cron job on a Linux server) to call that batch file periodically.

Access the firewall using the XML API

To access the firewall using the XML API, we need to generate the API key first. To generate it, request the following URL:

https://<firewall-ip>/api/?type=keygen&user=<username>&password=<password>

The response should be XML with the API key printed in it. Save the API key somewhere safe; it is like a password.

Retrieve the running config file using an HTTPS GET

Since the Windows command line doesn't support HTTPS requests, we have to use curl for Windows to do an HTTPS GET to fetch the running configuration.

Note: curl for Windows can be downloaded from https://curl.haxx.se/download.html or http://winampplugins.co.uk/curl/

Download and extract curl to a folder. If the curl command should be accessible from anywhere, add the extracted curl folder to PATH under Environment Variables. The site below explains in detail how to add a folder to PATH: https://java.com/en/download/help/path.xml

Now for the HTTPS request to retrieve the running config from the firewall. The URL below should print the config file if run from a browser:

https://192.168.1.1/api/?type=export&category=configuration&key=<api_key>

To capture the config XML to a file, retrieve the HTTPS URL using curl. The command is as below (run it from the server):

> curl -kG "https://192.168.1.1/api/?type=export&category=configuration&key=<api_key>" > running-config.xml

The above command, when run from the command line, creates a file named running-config.xml in the folder from which the command was run.

Note: If curl's extracted path isn't added to PATH, then it should be run from the folder where curl was extracted.

Automate the export process

Now that we have the command to fetch the running config in XML format, we can create a batch file and call it from Windows Scheduler. Scheduling it on a server that is always on is a good idea.

Contents of the batch file:

REM Change to the folder where curl was extracted (assumes C:\curl\bin).
cd\
cd curl\bin
REM -k skips TLS certificate verification; -G sends the query string as an HTTP GET.
curl -kG "https://192.168.1.1/api/?type=export&category=configuration&key=<api_key>" > c:\running-config.xml

To append the date to the config file name:

REM %date% may contain slashes depending on locale, which are not valid in a file name; %date:/=-% replaces them with hyphens.
curl -kG "https://192.168.1.1/api/?type=export&category=configuration&key=<api_key>" > "c:\running-config_%date:/=-%.xml"

Note: This assumes that curl has been extracted to the root of the C drive, and the config file is saved to the C drive as well. Replace <api_key> with the key obtained in the previous step. Follow the instructions at the URL below to run the batch file periodically (for example, every night at 1 AM):

http://www.computerhope.com/issues/ch000785.htm#windows-
shganesh, 04-20-2018 02:37 PM
Details

Verify the logs are being written. Run the following commands from the CLI:

> show log traffic direction equal backward
> show log threat direction equal backward
> show log url direction equal backward
> show log system direction equal backward

If logs are being written to the Palo Alto Networks device, then the issue may be display related in the WebGUI. Run the following command from the CLI:

> debug software restart process management-server

Note: restarting the management-server will reset your SSH connection.

owner: bryan
panagent, 04-04-2018 01:06 AM
Overview

SSL decryption gives the Palo Alto Networks firewall the ability to see inside secure HTTP traffic that would otherwise be hidden. SSL decryption can be used to monitor for any signs that a company's valuable intellectual property might be exiting through its network. The Palo Alto Networks firewall performs SSL decryption by opening up SSL traffic through an inspection process.

The following table provides a list of valuable resources on understanding and configuring SSL decryption:

TITLE | DESCRIPTION | TYPE

BASIC
How to implement and test SSL decryption | Describes how to implement and test SSL decryption | Document
Limitations and recommendations while implementing SSL decryption | Limitations and recommendations while implementing SSL decryption | Document
How to view SSL decryption information from the CLI | How to view SSL decryption information from the CLI | Document
List of applications excluded from SSL decryption | List of applications that cannot be decrypted by the Palo Alto Networks device | Document
How to exclude a URL from SSL decryption | Details the CLI commands for adding URLs to the SSL exclude list | Document
SSL decryption certificates | How to manage SSL certificates for decrypting and inspecting SSL traffic | Document
How to temporarily disable SSL decryption | How to temporarily disable SSL decryption without modifying the decryption policy | Document
How to enable/reset the opt-out page for SSL decryption | How to enable the opt-out response page | Document
How to serve a URL response page over an HTTPS session without SSL decryption | How to configure a device to serve a URL response page over an HTTPS session without SSL decryption | Document
Difference between SSL forward-proxy and inbound inspection decryption mode | SSL forward-proxy and SSL inbound inspection modes | Document
How to create a report that includes only SSL decrypted traffic | Create a report that includes only SSL decrypted traffic | Document
How to view decrypted traffic | View decrypted traffic | Document

INTERMEDIATE
How to configure a decrypt mirror port on PAN-OS 6.0 | Create a copy of decrypted traffic and send it to a mirror port | Document

ADVANCED / TROUBLESHOOTING
Troubleshooting SSL Decryption using Dynamic Address Groups | Automation example using the Palo Alto Networks firewall and Dynamic Address Groups (DAGs) | Document
How to identify root cause for SSL decryption failure issues | How to identify decryption failures due to an unsupported cipher suite | Document
SSL vulnerability non-detection behavior is seen when inbound SSL decryption policy is set | Detection of SSL relevant vulnerability by the security profile failed | Document
Troubleshooting slowness with traffic, management, or intermittent SSL decryption | Troubleshooting intermittent SSL decryption | Document
SSL decryption not working due to unsupported cipher suites | After configuration and import of required certificates the inbound SSL decryption is not working | Document
Unable to post pictures on Facebook after enabling SSL decryption | After SSL decryption is enabled, user cannot connect to Facebook using HTTPS | Document
After configuring SSL decryption Mozilla Firefox presents certificate error | SSL decryption on Mozilla Firefox showing certificate error | Document
SSL decryption policy is decrypting traffic for no-decrypt rules | SSL decryption policy is decrypting traffic for no-decrypt rules | Document
SSL decryption rules not matching FQDN | SSL decryption rules not matching FQDN | Document
Google services do not work in Chrome with SSL decryption | Google not working in Chrome with SSL decryption | Document
Commit error received after configuring SSL decryption for certificate generation | Configuring SSL decryption - commit fails after generating a certificate error | Document
Inbound SSL decryption fails when SSL compression is enabled | Inbound SSL decryption fails | Document
SSL decryption stops working on Firefox after changing SSL decryption certificate | After changing the SSL decryption certificate, SSL decryption does not work for the Firefox browser | Document
SSL decryption opt-out timeout | Display the opt-out page more frequently | Document
Wrong certificate used when SSL decryption is enabled | Untrusted certificate presented when performing SSL decryption | Document

Note: If you have a suggestion for an article, video or discussion not included in this list, please post a recommendation in the comments below and it will be added to the master list.
03-26-2018 02:53 AM
Issue

When upgrading PAN-OS on WF-500 hardware running PAN-OS 7.1.x or below directly to 8.0.5 or above, you may run into an issue that causes SSH to become inaccessible after the upgrade.

Workaround

The current workaround is to install PAN-OS 8.0.4 first, then upgrade to 8.0.5 or above. This upgrade path avoids the issue that causes the loss of SSH access.

Steps to take if SSH access is lost:

1. If you lose SSH access after upgrading, connect to the WF-500 via console cable.
2. Boot into maintenance mode by typing "maint" after interrupting the boot process.
3. Select the previous disk image used prior to the upgrade (7.1.x) and select reboot.

This should restore SSH access to the WF-500 and allow you to continue the upgrade. Thank you for your patience and understanding as we investigate the cause of this issue.
ldemos, 02-23-2018 09:40 AM
Symptom

Checking for Dynamic Updates under the Device tab by clicking the Check Now button displays the following error: "Failed to check content upgrade info due to generic communication error. Please check network connectivity and try again."

Cause

There can be several reasons for this message to appear; they are usually related to how the firewall reaches the internet.

Resolution

1. Verify the firewall has DNS servers configured so that it can resolve updates.paloaltonetworks.com: from the WebGUI, go to Device > Setup > Services: DNS servers.
2. Ensure the firewall has an appropriate default gateway and that the management interface speed and duplex are set to match the switch it is connected to.
3. Make sure the firewall is able to resolve FQDNs:

admin@firewall> ping host www.example.com
PING www.example.com (93.184.216.34) 56(84) bytes of data.
64 bytes from 93.184.216.34: icmp_seq=1 ttl=52 time=107 ms
64 bytes from 93.184.216.34: icmp_seq=2 ttl=52 time=106 ms
64 bytes from 93.184.216.34: icmp_seq=3 ttl=52 time=106 ms
^C
--- www.example.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 106.349/106.643/107.025/0.388 ms

4. Traceroute to updates.paloaltonetworks.com and verify the correct path is taken (the final host will not reply):

admin@firewall> traceroute host updates.paloaltonetworks.com
traceroute to 199.167.52.141 (199.167.52.141), 30 hops max, 40 byte packets
 1  10.192.16.1 (10.192.16.1)  0.522 ms  0.507 ms  0.497 ms
 2  1.111-11-1.adsl-static.isp.belgacom.be (1.11.111.1)  32.761 ms  32.753 ms  32.740 ms
 3  2.222-22-2.adsl-static.isp.belgacom.be (2.22.222.2)  81.856 ms * *
 4  * * *
 5  * * *
 6  * * *
 7  prs-bb4-link.telia.net (213.155.136.222)  82.884 ms * *
 8  ash-bb4-link.telia.net (62.115.122.159)  142.306 ms  147.212 ms *
 9  sjo-b21-link.telia.net (80.91.248.188)  226.073 ms  222.208 ms  214.858 ms
10  internap-ic-140172-sjo-b21.c.telia.net (213.248.81.134)  201.253 ms  198.637 ms  219.945 ms
11  66.151.144.15 (66.151.144.15)  225.185 ms  242.096 ms  178.880 ms
12  paloaltonetit-5.border3.sje011.pnap.net (66.151.155.74)  194.397 ms * paloaltonetit-5.border3.sje011.pnap.net (66.151.155.74)  206.609 ms
13  * * *
14  * * *
15  * * *
16  * * *

5. Verify Service Routes are set as expected; some services may need to be redirected over a dataplane interface if the management network is isolated (use Default or Custom settings).
6. Make sure the firewall is allowed to make outbound connections through the security policy. Note that there is no URL filtering or file blocking profile on that rule.
7. If SSL decryption is used, "Verify Update Server Identity" may need to be disabled if updates.paloaltonetworks.com is not excluded from decryption.
tgupta, 02-20-2018 08:56 AM
Symptoms

Currently, if you want to assign 4 CPU cores to a Palo Alto Networks VM-Series firewall inside VMware ESXi version 6.5.0 build 4887370, you are limited to 2 CPU cores per socket. The only way it will allow you to use 4 CPU cores is by using 2 cores per socket (that is, 2 sockets). Please see the image below (VM edit screen in VMware ESXi version 6.5.0 build 4887370, showing the number of CPU cores and sockets).

Diagnosis

This issue is specific to VMware ESXi version 6.5.0 build 4887370. NOTE: This is NOT a Palo Alto Networks VM issue; it is an issue with VMware. You can apply as many CPU cores as needed with VMware ESXi version 6.5.0 update01 build 5969303.

Solution

You have 2 options:

1. Upgrade the ESXi software to VMware ESXi version 6.5.0 update01 build 5969303.
2. As a workaround, the OVA file (example: PA-VM-ESX-8.0.5.ova) can be modified to allow a higher number of cores per socket. See the following example of what was changed in the OVA file.

Old entry:

<vmw:CoresPerSocket ovf:required="false">2</vmw:CoresPerSocket>

New entry:

<vmw:CoresPerSocket ovf:required="false">16</vmw:CoresPerSocket>

The edit screen then shows 4 CPU cores and 1 socket.

NOTE: If more than two sockets are used, you might experience performance issues because packets may have to travel across the sockets.
hshah, 01-11-2018 06:55 PM
Issue

Proper configuration of a PAN-OS device is required to successfully detect and prevent exploitation of vulnerabilities. While the action recommended by Palo Alto Networks is to patch all vulnerable devices, including PAN-OS devices, to the versions specified in the security advisories, emergency content releases contain signatures to help protect PAN-OS.

Solution

The solution is broken into small steps:

1. Content installation
2. Configuration of a vulnerability protection profile to take proper action (Reset-both) on a signature pattern match
3. Assignment of the configured vulnerability protection profile to a security rule
4. Configuration of inbound SSL decryption

Details

Content installation

Ensure that content is updated to the latest version.

Configure a vulnerability protection profile

This section briefly describes how to configure a vulnerability protection profile to take preventative action on detection of the threat IDs associated with any security advisory. There are two options for this portion of the configuration:

- In this example, the vulnerability protection profile "strict" is configured to take a RESET-BOTH action on detection of high severity signatures; 38902, 38903, and 38904 are high severity signatures. As such, this profile can be used on the security rule that matches inbound traffic destined for the firewall.
- A custom vulnerability protection profile with the actions for these three signatures set to RESET-BOTH. Please reference this link for assistance with this process.

Assign the vulnerability protection profile to a security rule

This section describes how to assign the previously configured vulnerability protection profile to a security rule that matches the traffic destined for GlobalProtect and any dataplane interface being used for management.

For this exercise, assume that GlobalProtect is hosted on an interface homed in the "Untrust" zone and that the VPN traffic will also source from the "Untrust" zone. To protect against exploitation of GlobalProtect, or other services published on the dataplane, the vulnerability protection profile must be assigned to a security rule that inspects "Untrust" zone to "Untrust" zone traffic. In the above screenshot, the icon under the PROFILE column is the vulnerability protection profile "strict" referenced in the previous step. The source zone is "Untrust" and the destination zone is "Untrust."

The following step should be taken in the event a dataplane interface is used for device management.

Configure inbound SSL decryption

Reference the following documents to assist in configuring inbound SSL decryption: Configure SSL Inbound Inspection; How to Implement and Test SSL Decryption.
vvenkitach, 01-06-2018 07:15 PM
Symptoms

After performing a factory reset on a PA-200 firewall with PAN-OS 6.1.16 and later (except 7.X and 8.X), the unit is unable to boot up properly and displays a "Fatal exception" error on the console:

Fatal exception: panic in 5 seconds ..Kernel panic - not syncing: Fatal exception

Please note: when you see this message on your firewall, you will not be able to enter maintenance mode.

Diagnosis

You will see the following output repeatedly via console access after running a factory reset on a PA-200 firewall with PAN-OS 6.1.16 and later (except 7.X and 8.X), and the device cannot boot up. If you see these error messages after you run a factory reset, try to recover the system by following the directions in the "Solution" section below.

NOTE: The issue does not appear on PAN-OS 7.X and 8.X. If you need to run a factory reset on a PA-200 running PAN-OS 6.1.16 and later PAN-OS 6.0 releases, we recommend upgrading to PAN-OS 7.X before the factory reset.

Fatal exception: panic in 5 seconds ..Kernel panic - not syncing: Fatal exception
Rebooting in 5 seconds..

Welcome to the PanOS Bootloader.
:
<omit>
:
Traceback (most recent call last):
  File "/usr/local/bin/mrt", line 12, in ?
    import cpldlib
  File "/usr/lib/python2.4/site-packages/cpldlib.py", line 1
    :52  rstory
     ^
SyntaxError: invalid syntax
Traceback (most recent call last):
  File "/usr/local/bin/mrt", line 12, in ?
    import cpldlib
  File "/usr/lib/python2.4/site-packages/cpldlib.py", line 1
    :52  rstory
     ^
SyntaxError: invalid syntax

Solution

If you see the issue on your firewall, try the following steps to resolve it.

Step 1. Type "other" during the countdown.
Step 2. Select "Disk image".
Step 3. Select "Revert to X.X.X", a version of PAN-OS that is not 6.1.x.
Step 4. Select "Reboot".

If you cannot enter maintenance mode using the "other" option, there is no other way to recover the system. You will need to contact support to request assistance in recovering the system, which will more than likely be an RMA of the unit.

Author: tsakurai
tsakurai ‎01-02-2018 12:08 PM
2,394 Views
0 Replies
Issue

In the picture below, the gateway and portal are using the same IP address but different certificates (Server1 and Server2). Because the IP is the same, the firewall will continue to use Server2 as the certificate.

Resolution

If the portal's certificate needs to be changed, make sure the gateway is also changed and configured to use the same certificate as the portal.

owner: dburns
npare ‎12-19-2017 04:55 AM
4,315 Views
0 Replies
Details

Generally, providing files via the option in the case management system is preferred, but for instances where this is not feasible the TAC Upload service can be used.

HTTPS Upload - How to upload files to the TAC server using HTTPS

1. Visit https://tacupload.paloaltonetworks.com
2. Enter the case number and the email address of the case contact to authenticate.
3. Choose a file to upload.
4. Once the upload completes, wait about 5 minutes. A comment will be added to the case.

SCP Upload - How to upload files to the TAC server using SCP

scp <filename> <case_number>@tacupload.paloaltonetworks.com:/

If you prefer to suppress case comments, use the following:

scp <filename> <case_number>@tacupload.paloaltonetworks.com:silent

When prompted, enter the email address of the case contact as the password. Once the upload completes, wait about 5 minutes. A comment will be added to the case if the silent option was not used. The uploaded files will not be visible in the file uploads section of the case, but TAC will have access to the files.

Note: For SCP, the WinSCP client and other clients that require command line shell access will not work, because interactive SSH shell logins are disabled for security reasons. Only clients that go straight to the SCP file transfer (most command line based SCP clients) will work.

owner: jhess
Mystique ‎12-04-2017 05:36 AM
12,767 Views
1 Reply
1 Like
Explanation

SNMP allows you to use network management software to poll devices on the network. Monitoring devices helps you find trends in system resource usage, which provides insight into system health and system utilization levels. This also helps with capacity planning.

There are OIDs to monitor the status of the power supply units on the Palo Alto Networks firewall. These OIDs are contained in the PAN-TRAPS MIB and have the following IDs:

Example OIDs and attributes:
.1.3.6.1.4.1.25461.2.1.3.2.0.911  Power Supply inserted
.1.3.6.1.4.1.25461.2.1.3.2.0.912  Power Supply removed
.1.3.6.1.4.1.25461.2.1.3.2.0.913  Power Supply failure

See Also

For more information on OIDs and MIBs and PAN-OS 8.0, please visit: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/supported-mibs
djoksimovic ‎11-30-2017 11:20 AM
9,935 Views
2 Replies
Overview

To replace or repair a firewall, open a case requesting an RMA with an authorized support provider. This document discusses how to prepare the replacement firewall for the production environment.

If you are replacing a device in HA, you can use the following: How to Configure a High Availability Replacement Device

Steps

1. Register the new firewall and transfer licenses. Upon receipt, register the new device and transfer the licenses from the old unit. After Palo Alto Networks receives the failed device, the old licensing is stripped, so it is important to transfer the licenses immediately. To transfer the license, follow these instructions: How to Transfer Licenses to a Spare Device
Note: When a license is transferred to the spare device, the original device still has a 30-day evaluation license.

2. Configure the Management Interface. The default Management Interface IP is 192.168.1.1 and the default login/password is admin/admin. Configure the Management Interface to have internet access and a DNS server configured under Device > Setup. This interface should be able to communicate with updates.paloaltonetworks.com. Alternatively, configure a service route to enable a Layer 3 interface with internet access for management. The appropriate interfaces, routing, and policies must be configured on the device. Go to Device > Setup > Service Route Configuration and choose the appropriate interface IP address for paloalto-updates and dns. An example is provided below:
Note: Refer to How to Configure the Management Interface IP to set up the IP address for the management interface.

3. Retrieve the licenses previously transferred to the device. Go to Device > Licenses > Retrieve license keys from license server. The licenses for each feature display on the same page. Be sure to have a URL filtering license, that URL filtering is activated, and that the database has been successfully downloaded. If a "Download Now" link is displayed, the database is not downloaded. A successfully activated and downloaded PAN-DB URL filtering database looks like this:

4. The device is now ready to be upgraded, if needed. Download and install the available Apps or Apps+Threats package from Device > Dynamic Updates > Applications and Threats > Check Now. The device lists the available packages to download and install. To update PAN-OS, go to Device > Software > Refresh. Additional information about PAN-OS upgrades: How to Upgrade PAN-OS and Panorama

5. Enable multi-vsys or jumbo frames as on the old firewall, if applicable:
> set system setting multi-vsys on
> set system setting jumbo-frame on

6. To load a previously backed-up configuration on the replacement device, follow the use case that applies:

Case 1: The old device is still connected to the network and the firewall was not managed from Panorama. Assuming that only the management network on the new firewall has been connected: on the old device, save (Device > Setup > Save Named Configuration Snapshot) and then export (Device > Setup > Export Named Configuration Snapshot). On the new device, go to Device > Setup > Import Named Configuration Snapshot to import the backed-up configuration onto the device. Once the configuration is imported, load it via Device > Setup > Load Named Configuration Snapshot. Change the management IP and hostname so that they do not conflict with the existing device if it is connected to the same management network; this can be changed back later if required. Resolve any commit errors and commit the configuration. Remove the old device and move the network cables to the new device.

Case 2: The old device is still connected to the network and the firewall is managed from Panorama. Assuming only the management interface of the new device is connected, go to the old device and export the device state: Device > Setup > Export Device State. On the new device, go to Device > Setup > Import Device State to import the backed-up device state onto the device. Once you do this, the firewall will get exactly the same settings as the old device (the same IP and hostname as well); there is no need to load any configuration. At this point you can remove the old firewall. On the Panorama CLI, replace the old serial number with the new serial number:
replace device old <old SN#> new <new SN#>
Then commit locally and push the commit to the firewall as well to bring it in sync.

Case 3: The old device is no longer available to take a backup and the firewall was not managed from Panorama. Look for an old tech support file from the old firewall. You can get the configuration from /opt/pancfg/mgmt/saved-config/running-config.xml. If no previous tech support files are available, then we may be able to use maintenance mode on the firewall to back up the old config: How to Retrieve the Palo Alto Networks Firewall Configuration in Maintenance Mode. Take the running-config.xml and import it on the new firewall: Device > Setup > Import Named Configuration Snapshot. Commit and make sure the device is up and running.

Case 4: The old device is no longer available to take a backup and the firewall is managed from Panorama. From Panorama, take a backup of the configuration bundle: Panorama > Setup > Operations > Export Panorama and devices config bundle. In this file there is a .xml file whose name contains the serial number of the old firewall. This configuration can be used to load on the new device. However, keep in mind this is only a copy of the local config of the firewall and does not contain the Panorama-pushed configuration. Assign an IP to the new firewall's management port and commit so that it is connected to Panorama. On Panorama, replace the old S/N with the new S/N:
replace device old <old SN#> new <new SN#>
and commit locally. Do NOT push the config to the new firewall yet. From the Panorama and devices config bundle, use the config corresponding to the old device S/N and import and load it on the new firewall. Do NOT commit yet. From Panorama, now push a DG and Template commit to the new firewall. This commit should merge the candidate and pushed config from Panorama. If there are no commit errors, the device should be up and running.

7. If you are using any NAT IPs for source and destination NAT which are in the same subnet as the NAT interface (except the IP of the interface itself), you will need to send a manual gratuitous ARP from the firewall to update the peers' ARP tables. For example, if your interface IP is 198.51.100.1/24 and you are using 198.51.100.2 for NAT, you need to send a GARP for 198.51.100.2:
> test arp gratuitous ip <ip> interface <interface>

8. Return the defective device. To restore the factory default before returning, refer to: How to Factory Reset a Palo Alto Networks Device, or, if running PAN-OS 6.0 and later, review How to SSH into Maintenance Mode, because SSH to maintenance mode is possible. Customers whose support subscription includes advance replacement of a failed firewall must return the defective unit to Palo Alto Networks after receiving the replacement.
United States Customers - A return shipping label will be in the carton with the replacement. Affix the label to the carton to return the defective unit.
International Customers - Refer to the return instructions and documents in the replacement shipping carton.
nrice ‎11-15-2017 12:36 PM
49,257 Views
12 Replies
3 Likes
Yes, there is a limit on the number of Gateways that can be defined; refer to the following table:

Model                         Max # of External Gateways
PA-200, PA-220                6
PA-500                        6
PA-820                        6
PA-850                        12
PA-2020, PA-2050              11
PA-3020, PA-3050, PA-3060     11
PA-4020                       26
PA-4050                       131
PA-5020                       26
PA-5050, PA-5060              131
PA-5220, PA-5250, PA-5260     131
PA-7050, PA-7080              131
VM-50, VM-100, VM-200         6
VM-300, VM-1000-HV            11
VM-500                        26
VM-700                        26

owner: ashaik
ashaikh ‎11-15-2017 12:31 PM
9,484 Views
6 Replies
Overview

When the GlobalProtect Client configuration is performed, use this information to verify that the correct Connection Method settings have been applied to the client, and that the client has retrieved the latest configuration.

Details

User-Logon

The client configuration under the GlobalProtect Portal appears as follows when the Connection Method is set to user-logon:
Once the client is installed and connected, the options available under the File menu are as shown below:
The 'Disconnect' option is grayed out and unavailable. For user-logon mode, the GlobalProtect client automatically establishes a connection after the user logs in to the host computer.

On-Demand

The client configuration under the GlobalProtect Portal appears as follows when the Connection Method is set to on-demand:
Once the client is installed and connected, the options available under the File menu are as shown below:
As seen above, the Disconnect option is available for on-demand mode, because the user is required to explicitly initiate and end the connection.

owner: pvemuri
pvemuri ‎11-15-2017 12:30 PM
16,266 Views
0 Replies
Symptom

When setting service routes for DNS and NTP on different interfaces, the NTP service route does not work when the NTP and DNS server are the same host, like the secondary DNS/NTP server in the following example.

Sample diagram and configuration:

Pri NTP Srv -+
         .20 |                 +----------+
             | (trust zone)    |          |      (untrust zone)
+-+[Router]+-+---------+ (E1/2)+  PA-2020 +(E1/1)+------------+ Pri DNS Srv
|        .1                .2  |          | .2                .20
|         (172.16.100.0/24)    +----------+  (192.168.100.0/24)
|
|
+---- Sec DNS/NTP Srv
      .20
    (172.16.200.0/24)

Service routes:
For DNS, the source address is set as "192.168.100.2/24 (Eth1/1, untrust)"
For NTP, the source address is set as "172.16.100.2/24 (Eth1/2, trust)"

Primary DNS: 192.168.100.20 (untrust zone side)
Primary NTP: 172.16.100.20 (trust zone side)
Secondary DNS/NTP: 172.16.200.20 (trust zone side) - the same host is used for the NTP and DNS service

Service route setting:

<route>
  <service>
    <entry name="ntp">
      <source-address>172.16.100.2/24</source-address>
    </entry>
    <entry name="dns">
      <source-address>192.168.100.2/24</source-address>
    </entry>
  </service>
</route>

As shown above, the Palo Alto Networks firewall is configured to use Eth1/1 (untrust) for DNS and Eth1/2 (trust) for NTP access. However, the firewall used Eth1/1 (untrust) for NTP traffic towards 172.16.200.20, and the packet could be dropped since no security policy exists that allows NTP traffic sourced from the untrust zone.

> show ntp

NTP state:
    NTP synched to LOCAL
    NTP server 172.16.200.020 connected: False   << Not connected
    NTP server 172.16.100.20 connected: True

Cause

Under the current architecture, the Palo Alto Networks firewall initiates NTP transactions from the same interface as the DNS service route if the NTP and DNS server are the same host.

owner: kkondo
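To catch this configuration before the NTP peer silently stops syncing, here is an added Python example (not from the article or from Palo Alto Networks) that parses the service-route fragment above and, given the DNS and NTP server lists from the scenario, predicts which source address each NTP server will actually be reached from under the behaviour the Cause section describes. The XML and server addresses are copied from the article; the function names are my own.

```python
"""Flag NTP servers that share a host with a DNS server under split service routes.

Added example, not from the article or from Palo Alto Networks. It models the
behaviour the Cause section describes: when an NTP server is the same host as a
DNS server, the firewall sources NTP from the DNS service route's address.
"""
import xml.etree.ElementTree as ET

# Constructed copy of the article's service-route fragment.
SERVICE_ROUTE_XML = """\
<route>
  <service>
    <entry name="ntp">
      <source-address>172.16.100.2/24</source-address>
    </entry>
    <entry name="dns">
      <source-address>192.168.100.2/24</source-address>
    </entry>
  </service>
</route>
"""

# Server addresses from the article's scenario (primary, secondary).
DNS_SERVERS = ["192.168.100.20", "172.16.200.20"]
NTP_SERVERS = ["172.16.100.20", "172.16.200.20"]


def parse_service_routes(xml_text):
    """Return {service name: source address} from a <route><service> fragment."""
    root = ET.fromstring(xml_text.strip())
    return {
        entry.get("name"): entry.findtext("source-address")
        for entry in root.iterfind("./service/entry")
    }


def effective_ntp_sources(routes, dns_servers, ntp_servers):
    """Predict the source address used for each NTP server.

    Returns (server, source_address, conflict) tuples. conflict is True when the
    NTP server is also a DNS server and the two service routes differ, in which
    case the DNS route's source address is what the firewall will actually use.
    """
    dns_src = routes.get("dns")
    ntp_src = routes.get("ntp")
    dns_hosts = set(dns_servers)
    result = []
    for server in ntp_servers:
        if server in dns_hosts and dns_src is not None and dns_src != ntp_src:
            result.append((server, dns_src, True))
        else:
            result.append((server, ntp_src, False))
    return result


def conflicting_ntp_servers(routes, dns_servers, ntp_servers):
    """Just the NTP servers whose traffic will not follow the NTP service route."""
    return [s for s, _, conflict in effective_ntp_sources(routes, dns_servers, ntp_servers) if conflict]


if __name__ == "__main__":
    routes = parse_service_routes(SERVICE_ROUTE_XML)
    for server, src, conflict in effective_ntp_sources(routes, DNS_SERVERS, NTP_SERVERS):
        note = "  <-- same host as a DNS server: NTP egresses from the DNS route" if conflict else ""
        print(f"NTP {server:<15} source {src}{note}")
```

Run against the scenario, the secondary server 172.16.200.20 is reported with source 192.168.100.2/24 (the DNS route), which is exactly the address the untrust-zone policy lookup sees; the primary NTP server keeps the trust-side source. Giving both services the same source address, or using distinct hosts for DNS and NTP, makes the check come back empty.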
kkondo ‎11-15-2017 12:28 PM
9,382 Views
2 Replies
1 Like
This article describes multiple ways to confirm whether traffic has been decrypted or not.

CLI

To confirm decryption on the CLI, use the following command:
> show session all filter ssl-decrypt yes

Decrypted sessions will have an * (asterisk) associated with them. Viewing the session by ID shows the application as 'app-name (proxy)', confirming that the session is decrypted.

WebGUI

To confirm that the traffic is decrypted inside the WebGUI, go to Monitor > Logs > Traffic. Click the magnifying glass icon in the traffic log entries to confirm that the connections were decrypted. You will see the "Decrypted" checkbox checked when the traffic is decrypted.

Another way to validate the decrypted session is by enabling the "Decrypted" column in the Traffic logs. This can be done by clicking the down arrow next to any column title and selecting Columns > Decrypted. Traffic logs after enabling the Decrypted column:

See also

SSL decryption resource list: The SSL decryption resource list has a long list of articles dealing only with SSL decryption.

owner: bryan
panagent ‎11-12-2017 02:03 PM
10,710 Views
3 Replies
In this article you will learn how to verify whether traffic is being offloaded and how to disable this feature.

When session traffic is processed by the dataplane of the Palo Alto Networks firewall, session stats and timers are updated for every packet.

Most of our high-end platforms have an FPGA chip to entirely offload a session (CTS and STC flows) and bypass the cores completely.

Verification

You can verify whether a session has been offloaded by using the following CLI command:
> show session id <id_num>

Here is an example of an SSL session that is offloaded because it is not being decrypted. The firewall cannot do any content threat detection, so the session is offloaded to hardware for faster processing:

admin@PAN_firewall> show session id 96776

Session 96776

        c2s flow:
                source:      172.20.13.132 [L3-Trust]
                dst:         50.17.226.145
                proto:       6
                sport:       61973           dport:      443
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source:      50.17.226.145 [L3-Untrust]
                dst:         10.46.198.13
                proto:       6
                sport:       443             dport:      14690
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                            : Thu Oct 12 09:30:35 2017
        timeout                               : 1800 sec
        time to live                          : 1799 sec
        total byte count(c2s)                 : 54759
        total byte count(s2c)                 : 134469
        layer7 packet count(c2s)              : 103
        layer7 packet count(s2c)              : 200
        vsys                                  : vsys1
        application                           : ssl
        rule                                  : Trust-Untrust
        session to be logged at end           : True
        session in session ager               : True
        session updated by HA peer            : False
        address/port translation              : source
        nat-rule                              : Trust-NAT(vsys1)
        layer7 processing                     : completed
        URL filtering enabled                 : True
        URL category                          : computer-and-internet-info
        session via syn-cookies               : False
        session terminated on host            : False
        session traverses tunnel              : False
        captive portal session                : False
        ingress interface                     : ethernet1/6
        egress interface                      : ethernet1/3
        session QoS rule                      : N/A (class 4)
        tracker stage l7proc                  : ctd decoder bypass
        end-reason                            : unknown

Note: In PAN-OS 7.1 and later, an offloaded session will have a "tracker stage l7proc" value of "ctd decoder bypass".

All session statistics and timers are maintained in software, so it is necessary for the offload chip to send regular updates to the software. These updates cannot be sent for every packet, due to performance concerns.

Offloading details - what happens inside

Depending on the platform model, different rules apply:

PA-3050 - 50xx series
The offload chip sends a per-flow stat message to the dataplane after 16 packets are received on one flow (CTS or STC). The dataplane software then updates the session statistics and refreshes the timer accordingly.

Note: On PA-3050 and 50xx series devices, a low-traffic session can be aged out due to TTL expiration. This happens if the 16-packet condition has not been met before the end of this timer.

PA-70xx series
The PA-7000 series devices handle the updates differently. The per-flow stat is sent to the dataplane when one of the two following conditions occurs:
One flow has accumulated 64 packets of stat.
A scan timer has expired for this particular flow.
Software then updates the session statistics and refreshes the timer accordingly.

Workaround

To avoid the offloading of sessions, there are several workarounds:

Turn off hardware offload temporarily with the CLI command (offloading resumes after a reboot):
> configure
# set session offload no

or permanently with (offloading stays disabled even after a reboot):
> configure
# set deviceconfig setting session offload no
# commit

Note: This approach can have a noticeable impact on the CPU.

Create a custom application and adjust the timeout value for the custom application to accommodate the worst-case scenario. The maximum accepted timeout value is 604800 seconds (1 week).

Tune the TCP keepalive timer and interval on the application servers.
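When you have to audit many sessions rather than eyeball one, a small parser helps. The following is an added Python example (not from the article or from Palo Alto Networks) that turns the "show session id" output above into a dictionary, reports whether the session is hardware-offloaded using the PAN-OS 7.1+ "ctd decoder bypass" marker, reads the remaining TTL, and encodes the per-platform stat-update thresholds the "Offloading details" section gives (16 packets on PA-3050/50xx, 64 packets or a scan timer on PA-70xx). The session text is the article's sample re-laid one field per line and trimmed; the function names are my own.

```python
"""Parse PAN-OS 'show session id' output and tell whether the session is offloaded.

Added example, not from the article or from Palo Alto Networks. The session text
below is the article's sample, re-laid one field per line and trimmed; the
platform thresholds come from the article's "Offloading details" section.
"""
import re

# Constructed copy of the article's sample session (trimmed to the fields used here).
SAMPLE_SESSION = """\
Session           96776
        c2s flow:
                source:      172.20.13.132 [L3-Trust]
                dst:         50.17.226.145
                proto:       6
                sport:       61973           dport:      443
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
        s2c flow:
                source:      50.17.226.145 [L3-Untrust]
                dst:         10.46.198.13
                proto:       6
                sport:       443             dport:      14690
                state:       ACTIVE          type:       FLOW
        start time                            : Thu Oct 12 09:30:35 2017
        timeout                               : 1800 sec
        time to live                          : 1799 sec
        layer7 packet count(c2s)              : 103
        layer7 packet count(s2c)              : 200
        application                           : ssl
        rule                                  : Trust-Untrust
        layer7 processing                     : completed
        tracker stage l7proc                  : ctd decoder bypass
        end-reason                            : unknown
"""

# Top-level fields are padded to a column and then ": value"; flow sub-fields
# are "key: value" with the colon glued to the key (possibly two pairs per line).
TOP_LEVEL = re.compile(r"^([^:]*?)\s+:\s*(.*)$")
FLOW_PAIR = re.compile(r"([a-z][a-z ]*?):\s+(\S+(?: \[[^\]]+\])?)")


def parse_session(text):
    """Return a dict of top-level fields plus nested 'c2s' and 's2c' flow dicts."""
    session = {"c2s": {}, "s2c": {}}
    flow = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Session\s+(\d+)$", line)
        if m:
            session["id"] = int(m.group(1))
            continue
        m = re.match(r"(c2s|s2c) flow:$", line)
        if m:
            flow = m.group(1)
            continue
        m = TOP_LEVEL.match(line)
        if m:
            flow = None  # first padded "key : value" line ends the flow blocks
            session[m.group(1).strip()] = m.group(2).strip()
            continue
        if flow:
            for key, value in FLOW_PAIR.findall(line):
                session[flow][key.strip()] = value
    return session


def is_offloaded(session):
    """PAN-OS 7.1 and later: an offloaded session reports 'ctd decoder bypass' here."""
    return session.get("tracker stage l7proc") == "ctd decoder bypass"


def ttl_seconds(session):
    """Remaining lifetime from the 'time to live : N sec' field."""
    return int(session["time to live"].split()[0])


def stat_update_packets(model):
    """Packets the offload chip accumulates on a flow before sending a stat update.

    16 for PA-3050 and the PA-50xx series, 64 (or a scan timer) for the PA-70xx
    series, as the article states. Returns None for models it does not describe.
    """
    if model.startswith("PA-70"):
        return 64
    if model == "PA-3050" or model.startswith("PA-50"):
        return 16
    return None


if __name__ == "__main__":
    s = parse_session(SAMPLE_SESSION)
    print(f"session {s['id']} app={s['application']} offloaded={is_offloaded(s)} ttl={ttl_seconds(s)}s")
    print("c2s:", s["c2s"])
    print("s2c:", s["s2c"])
```

Feed it the output of "show session all" split per session and you can list every offloaded session together with its remaining TTL; on a PA-3050 or 50xx, an offloaded flow whose TTL is close to zero and has seen fewer than 16 packets is exactly the low-traffic case the note above warns will age out.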
panagent ‎11-04-2017 07:44 AM
22,699 Views
6 Replies
3 Likes
DNS rewrite (DNS doctoring) is a capability that some NAT devices offer in order to translate the DNS A-record for a particular DNS query. The Palo Alto Networks firewall as of now does not support the DNS doctoring feature, but there are a few workarounds that can be used.

Some scenarios in which DNS doctoring applies:

Scenario 1: The external DNS server is returning the public IP of an application server to a client who is also sitting behind the same firewall.

Traffic flow in this case: In the above case, DNS server 4.2.2.2 replies to the DNS query of the client with the public IP of the web server, for example 198.51.100.3. The client now accesses the web server on the public IP and forwards that request to the firewall. The firewall does a route lookup for the 198.51.100.3 IP, finds a route via Eth1/1 (Untrust Zone) pointing to the ISP, and sends the packet out.

A firewall capable of DNS rewriting would translate the IP address in the DNS response to the private IP address of the server, since it has a NAT mapping for it, which enables the client to access the server directly through LAN-to-LAN routing/policies.

Workarounds

Configure the client to use the firewall as a DNS proxy, and on the firewall configure a static entry for www.example.com as 10.1.1.3. For all other lookups the firewall can use 4.2.2.2 as the DNS server. How to Configure DNS Proxy on a Palo Alto Networks Firewall

OR use U-Turn NAT, thereby forwarding the traffic from the client to the server: How to Configure U-Turn NAT

Scenario 2: The internal DNS server is returning the private IP address of the application server to both internal and external users. The external user will not be able to access the server, since it will get the private IP address of the web server.

Workaround

Add a secondary DNS server (preferably in a DMZ zone) to serve external clients with the public IP address of the server.

Or change the DNS server's A record to use the public IP of the web server, and then use the U-Turn NAT solution as in Scenario 1 for the internal client to be able to access the web server. Some DNS servers, like bind9, can serve different records depending on the source IP of the requestor.
abjain ‎10-30-2017 07:22 AM
8,732 Views
0 Replies
1 Like
Symptoms

Runtime link state (speed/duplex) shows 'unknown/unknown' when you run the command 'show interface management' on VM-Series firewalls.

> show interface management

-----------------------------------------------------
Name: Management Interface
Link status:
  Runtime link speed/duplex/state: unknown/unknown/up
  Configured link speed/duplex/state: auto/auto/auto

Diagnosis / Solution

This is expected behaviour in PAN-OS 8.0 and earlier.

You can find the speed/duplex state from the message in sysdagent.log, which is generated when link negotiation is performed or the link settings are changed.

When changing the speed/duplex settings of the management interface to '100Mbps-full-duplex':
2017-08-01 13:19:47.826 +0900 NET: HW config: eth0: { 'mode': 2, 'setting': 5, }
2017-08-01 13:19:47.826 +0900 NET: Changing eth0 to auto 0 adv 0x80 speed 100 duplex 1

When changing the speed/duplex settings of the management interface to '10Mbps-half-duplex':
2017-08-01 16:51:21.261 +0900 NET: HW config: eth0: { 'mode': 2, 'setting': 2, }
2017-08-01 16:51:21.261 +0900 NET: Changing eth0 to auto 0 adv 0x80 speed 10 duplex 0

When changing the speed/duplex settings of the management interface to 'auto-negotiate' (10GB full):
2017-08-01 13:25:00.407 +0900 NET: HW config: eth0: { 'mode': 1, 'setting': 1, }
2017-08-01 13:25:00.407 +0900 NET: Changing eth0 to auto 1 adv 0xbf speed 10000 duplex 1
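Since the CLI reports unknown/unknown, the log is the only place the runtime state is visible. Here is an added Python example (not from the article or from Palo Alto Networks) that pulls the speed and duplex out of the "Changing eth0 to ..." lines above. The three log lines are the article's; the field meanings it relies on (auto 1 = auto-negotiation on, duplex 1 = full, duplex 0 = half) are read off those same three lines, and the function names are my own.

```python
"""Recover the management link's speed/duplex from sysdagent.log NET messages.

Added example, not from the article or from Palo Alto Networks. The log lines
are the three from the article; the field meanings (auto 1 = auto-negotiation
on, duplex 1 = full, duplex 0 = half) are read off those same three lines.
"""
import re

# Constructed from the article's three sysdagent.log excerpts (not in time order).
SYSDAGENT_LOG = """\
2017-08-01 13:19:47.826 +0900 NET: HW config: eth0: { 'mode': 2, 'setting': 5, }
2017-08-01 13:19:47.826 +0900 NET: Changing eth0 to auto 0 adv 0x80 speed 100 duplex 1
2017-08-01 16:51:21.261 +0900 NET: HW config: eth0: { 'mode': 2, 'setting': 2, }
2017-08-01 16:51:21.261 +0900 NET: Changing eth0 to auto 0 adv 0x80 speed 10 duplex 0
2017-08-01 13:25:00.407 +0900 NET: HW config: eth0: { 'mode': 1, 'setting': 1, }
2017-08-01 13:25:00.407 +0900 NET: Changing eth0 to auto 1 adv 0xbf speed 10000 duplex 1
"""

LINK_CHANGE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) NET: Changing (?P<iface>\S+) to auto (?P<auto>[01]) "
    r"adv 0x(?P<adv>[0-9a-fA-F]+) speed (?P<speed>\d+) duplex (?P<duplex>[01])$"
)


def parse_link_changes(log_text):
    """Return one dict per 'Changing <iface> ...' line, in file order."""
    events = []
    for line in log_text.splitlines():
        m = LINK_CHANGE.match(line.strip())
        if not m:
            continue  # 'HW config' and unrelated lines are skipped
        events.append({
            "timestamp": m.group("ts"),
            "interface": m.group("iface"),
            "autoneg": m.group("auto") == "1",
            "advertised": int(m.group("adv"), 16),
            "speed_mbps": int(m.group("speed")),
            "duplex": "full" if m.group("duplex") == "1" else "half",
        })
    return events


def describe(event):
    """Render an event in the 'speed/duplex' form the CLI would otherwise show."""
    mode = "auto-negotiated" if event["autoneg"] else "forced"
    return f"{event['interface']}: {event['speed_mbps']}/{event['duplex']} ({mode})"


def latest_link_state(events, interface="eth0"):
    """Last parsed state for the interface in file order, or None if never changed."""
    matching = [e for e in events if e["interface"] == interface]
    return describe(matching[-1]) if matching else None


if __name__ == "__main__":
    for ev in parse_link_changes(SYSDAGENT_LOG):
        print(ev["timestamp"], describe(ev))
```

On a real box you would run this over the whole sysdagent.log (sorted by timestamp if it has rotated) and take the last event for eth0; the "advertised" field is kept as the raw integer because the article does not document the bit layout of the adv mask.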
anishinoya ‎10-25-2017 08:56 AM
1,725 Views
0 Replies
Everything you need to know related to deploying, managing, and supporting Palo Alto Networks GlobalProtect.
ekampling ‎10-19-2017 02:58 AM
50,799 Views
1 Reply
6 Likes
The following steps describe how to perform a factory reset on a Palo Alto Networks device.

Note: If running PAN-OS 6.0 and above, review the following link to SSH into Maintenance Mode: How to SSH into Maintenance Mode

Steps

1. Connect the console cable, which is provided by Palo Alto Networks, from the "Console" port to a computer, and use a terminal program (9600,8,n,1) to connect to the Palo Alto Networks device.
Note: A USB-to-serial adapter will have to be used if the computer does not have a 9-pin serial port.
2. Power on or reboot the device. During the boot sequence, the screen should look like this:
3. Type maint to enter maintenance mode.
PAN-OS 7.1 NOTE: When performing this on PAN-OS 7.1, you will see a "CHOOSE PANOS" screen with the following options: PANOS (maint-other), PANOS (maint) or PANOS (sysroot0). Please choose PANOS (maint) and press Enter to continue. (PAN-OS 7.1 GNU GRUB boot menu.)
4. Once in maintenance mode, the following is displayed; press Enter to continue:
5. Arrow down to Factory Reset and press Enter to display the menu:
6. You will see the image that will be used to perform the factory reset. Select Factory Reset and press Enter again:
7. The unit will reboot when complete. Please be aware that it may take several minutes for the autocommit to complete and allow the admin/admin login to work properly.

See also

Admin-Admin not Working After Factory Reset

owner: rvanderveken
‎09-13-2017 12:32 PM
188,277 Views
12 Replies
4 Likes