Management Articles

Featured Article
Issue
When running the "show routing route" command, the routing table of a Palo Alto Networks firewall displays multiple entries for the same route (prefix and mask).

Details
This is expected behavior. The Palo Alto Networks firewall routing scheme is designed to take the best route from each protocol and put them all into the routing table. The best route is then selected among them based on the Administrative Distance (AD) value of the routing protocol each route came from, and that route is marked with the flag A, stating that it is the Active route.

For example:

> show routing route
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp, Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2

VIRTUAL ROUTER: default (id 1)
==========
destination        nexthop            metric  flags  age     interface    next-AS
...
10.175.0.0/16      10.175.59.1        10      A S            ethernet1/2
10.175.0.0/16      192.168.200.99             ?B     92699                0

The route marked with the A flag is further installed into the RIB and FIB tables and used for traffic forwarding.

See Also
Understanding Route Redistribution and Filtering
djoksimovic ‎08-28-2018 10:38 AM
8,120 Views
0 Replies
Details
A question mark next to a route in the routing table symbolizes the "loose" flag.

This flag is often used for routes learned from BGP, because the next-hop attribute is not changed among iBGP neighbors, so the routed process has to do a reverse routing lookup to determine the real next-hop IP of the given route.

See this example:

> show routing route
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp, Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2

VIRTUAL ROUTER: default (id 1)
==========
destination        nexthop            metric  flags  age     interface    next-AS
...
10.10.0.0/16       192.168.200.99             ?B     92699                0
10.150.0.0/17      10.150.59.1        10      A S            ethernet1/2

owner: djoksimovic
djoksimovic ‎08-28-2018 10:35 AM
4,280 Views
3 Replies
Issue
Any of the following symptoms:
- The WebGUI is sluggish or unresponsive.
- Admins are shown as logged in who have already logged out.
- An authorization code has been entered but the license has not been activated or updated.
- Logs are not showing up inside the WebGUI.
- The CLI command "> show system resources" shows the mgmtsrvr process using excessive memory.

Resolution
To resolve these issues, it is recommended that you restart the Management server process. Use the following steps to restart the Management server process:

Enter the CLI command:

PAN-OS 6.1
> debug software restart management-server

PAN-OS 7.0 and above
> debug software restart process management-server

Note: This restarts the 'mgmtsrvr' process. If there are any logged-in admins when this happens, they will be kicked from the WebGUI as well as the CLI. After a couple of minutes, log into the WebGUI or CLI again.

To check on the Management server process, run the CLI command:

> show system resources | match mgmtsrvr

This should show it using far less memory now than before. The WebGUI should now function correctly.

> show system resources | match mgmt
2140       20   0  708m 484m 9828 S    2 12.9   8:13.06 mgmtsrvr

owner: jdavis
panagent ‎08-22-2018 03:35 AM
68,530 Views
10 Replies
3 Likes
To download software: Log in to the Support Portal and click the Software Updates link.

To receive notifications when this document is updated, see Email Notifications for Subscribed Activities.

Version   Release Date
8.0.12    10-Aug-18
8.0.11    27-Jun-18
8.0.10    15-May-18
8.0.9     4-Mar-18
8.0.8     12-Feb-18
8.0.7     28-Dec-17
8.0.6     14-Nov-17
8.0.5     21-Sep-17
8.0.4     27-Jul-17
8.0.3     19-Jun-17
8.0.2     1-May-17
8.0.1     15-Mar-17
8.0.0     7-Feb-17
‎08-09-2018 11:16 PM
27,634 Views
2 Replies
6 Likes
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Check-the-NAT-Buffer-Pool/ta-p/57039
Farman ‎08-02-2018 01:27 PM
1,439 Views
0 Replies
To download software: Log in to the Support Portal and click the Software Updates link.

To receive notifications when this document is updated, see Email Notifications for Subscribed Activities.

Version   Release Date
7.1.1     31-Jul-18
7.1.18    12-Jun-18
7.1.17    24-Apr-18
7.1.16    8-Mar-18
7.1.15    17-Jan-18
7.1.14    27-Nov-17
7.1.13    12-Oct-17
7.1.12    30-Aug-17
7.1.11    6-Jul-17
7.1.10    22-May-17
7.1.9     10-Apr-17
7.1.8     20-Feb-17
7.1.7     3-Jan-17
7.1.6     17-Nov-16
7.1.5     3-Oct-16
7.1.4-h2  22-Aug-16
7.1.4     15-Aug-16
7.1.3     29-Jun-16
7.1.2     16-May-16
7.1.1     18-Apr-16
7.1.0     4-Apr-16
‎07-31-2018 02:06 PM
111,992 Views
10 Replies
Symptoms
Accepting a cookie for authentication override fails and users must enter login credentials on the GlobalProtect gateway. This scenario applies if you are generating an authentication cookie on the portal and accepting it on the gateway, so that users are not prompted to enter the gateway credentials until the cookie lifetime expires.

Diagnosis
System logs:
(description contains 'GlobalProtect gateway user authentication failed. Login from: X.X.X.X, Source region: 192.168.0.0-192.168.255.255, User name: , Client OS version: Microsoft Windows 7 Enterprise Edition Service Pack 1, 64-bit, Reason: Cannot decrypt cookie, Auth type: cookie.' )

The cookie is encrypted with the key of the certificate used on the portal; if a different certificate is used on the gateway to decrypt the cookie, decryption fails.

Solution
Make sure the same certificate that was used to encrypt the cookie on the portal is used on the gateway to decrypt the cookie.
bdubey ‎07-31-2018 11:28 AM
2,350 Views
1 Reply
Overview
The Include/Exclude list is applied to networks and hosts identified through the User-ID Agent. The User-ID Agent tries to identify users for the IP ranges designated as Include. Likewise, the User-ID Agent does not identify users for the network address ranges designated as Exclude. Note that this is different from the user and group ignore lists, and is only concerned with which networks to include or exclude for the purposes of mapping users.

Details
If the Include/Exclude list is empty, users on any network can be identified and mapped by the User-ID Agent. When an entry is added to the Include list, there is an implicit deny for any other IP address. The order of entries in the Include/Exclude list is important, as the list is processed top to bottom.

For example, to exclude the subnet 192.168.1.0/24 within the larger subnet 192.168.0.0/16:
1. Add the specific subnet 192.168.1.0/24 and designate it as Exclude.
2. Add the larger, encompassing subnet 192.168.0.0/16 and designate it as Include.

Note: If the rules in the above example were reversed, with the Include rule on top, the User-ID Agent would allow mapping on 192.168.0.0/16 and then disregard the Exclude rule for 192.168.1.0/24.

See Also
How to Change the Include and Exclude Lists with User-ID Agent 4.1

owner: mbutt
mbutt ‎07-20-2018 11:07 AM
13,494 Views
3 Replies
2 Likes
Overview
When using the User-ID Agent to identify users on the network, there is a way to ignore certain users. Generally, this is used for service accounts, but any desired username can be entered.

Steps
1. Stop the User-ID service.
2. Modify or create the file ignore_user_list.txt in the directory where the User-ID Agent is installed. This file contains all the users to be ignored; the format is one username per line.
   Note: It is sometimes required to have two entries for each username, the plain username and the username with the NetBIOS domain name:
   user1
   mydomain\user1
3. Start the User-ID service.

Starting from PAN-OS 7.1, the ignore user list can also be configured for Agentless User-ID through the WebUI.

See also
How to Add/Delete Users from Ignore User List using Agentless User-ID

owner: sspringer
sspringer ‎07-20-2018 09:45 AM
42,594 Views
21 Replies
3 Likes
To download software: Log in to the Support Portal and click the Software Updates link.

To receive notifications when this document is updated, see Email Notifications for Subscribed Activities.

Version   Release Date
8.1.2     13-Jun-18
8.1.1     2-May-18
8.1.0     6-Mar-18
‎06-13-2018 04:52 PM
9,683 Views
0 Replies
2 Likes
How to collect logs from the different GlobalProtect clients (Windows and Mac).
sraghunandan ‎05-30-2018 03:39 PM
31,214 Views
5 Replies
1 Like
As shown in the following screenshot, the Ethernet protocol type is 0x7261.

owner: rvanderveken
rvanderveken ‎05-28-2018 04:35 AM
5,766 Views
0 Replies
Details
Here are some checks that should be made when Panorama is out of sync with one of many managed firewalls, or simply cannot connect to a firewall.
- Check IP connectivity between the devices.
- Make sure port 3978 is open and available from the device to Panorama.
- Make sure that a certificate has been generated or installed on Panorama.
- Confirm the serial number configured in Panorama (case sensitive).
- If a permitted IP list is configured for the management interface, make sure that the Panorama IP is allowed in the list. By default, all IPs are allowed if a list is not specified.
- Make sure Panorama is on a version greater than or equal to that of the managed devices. Panorama can manage devices running supported PAN-OS versions of the same or a lower release.
- Check MTU settings on the managed device, as the value may need to be reduced. If a device on the path is fragmenting packets, communication from the managed device to Panorama will not succeed.
- Verify that there is not a large time difference between the clock (Date/Time) on Panorama and the clock (Date/Time) on the managed device.

owner: swhyte
swhyte ‎05-09-2018 10:26 AM
34,280 Views
8 Replies
2 Likes
The multi-factor authentication features of Palo Alto Networks starting with PAN-OS 8.0. This shows how to integrate with DUO Security, how to use MFA to authenticate a web application, and how to use MFA for a non-web application (requesting authentication through the GlobalProtect agent).
MarceloRey ‎05-09-2018 10:24 AM
3,717 Views
0 Replies
2 Likes
Overview
The small form-factor pluggable (SFP) is a compact, hot-pluggable transceiver used for both telecommunication and data communications applications. The PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls accept SFP modules. This document describes how to view the currently installed SFP modules.

Details
From the CLI, run the following command:

> show system state filter sys.sX.pY.phy

where X is the slot and Y is the port; for example, X=1 and Y=21 for interface 1/21.

Typical SFP module output:

> show system state filter sys.s1.p19.phy
sys.s1.p19.phy: {
  'link-partner': { },
  'media': SFP-Plus-Fiber,
  'sfp': {
    'connector': LC,
    'encoding': Reserved,
    'identifier': SFP,
    'transceiver': 10000B-SR,
    'vendor-name': OEM ,
    'vendor-part-number': PAN-SFP-PLUS-SR ,
    'vendor-part-rev': B4 ,
  },
  'type': Ethernet,
}

> show system state filter sys.s1.p21.phy
sys.s1.p21.phy: {
  'link-partner': { },
  'media': SFP-Plus-Fiber,
  'sfp': {
    'connector': LC,
    'encoding': Reserved,
    'identifier': SFP,
    'transceiver': ,
    'vendor-name': FINISAR CORP. ,
    'vendor-part-number': FTLX8574D3BCL ,
    'vendor-part-rev': A ,
  },
  'type': Ethernet,
}

Defective SFP module output
If the output appears similar to the sample below, then the SFP module may be defective:

sys.s1.p21.phy: {
  'link-partner': { },
  'media': SFP-Fiber,
  'sfp': {
    'connector': vendor specific,
    'encoding': Reserved,
    'identifier': SFP,
    'transceiver': ,
    'vendor-name': yyyyyyyyyyyyyyyy,
    'vendor-part-number': yyyyyyyyyyyyyyyy ,
    'vendor-part-rev': yyyy,
  },
  'type': Ethernet,
}

Note: To verify the above output, unplug the SFP module from the initial SFP port and plug it into another SFP port. Run the same "show system state filter" command as above. If the output is the same, then the module is defective.

owner: gcapuno
gcapuno ‎03-02-2018 03:11 AM
56,695 Views
10 Replies
4 Likes
The Maximum Transmission Unit (MTU) is actually only enforced when packets leave the Palo Alto Networks firewall, with the MTU of the egress interface being applied.

When receiving frames, the MRU (Maximum Receive Unit) is applied, which is higher than the average MTU (and higher still if jumbo frames are enabled).

The MRU for all interfaces can be viewed by executing the following command:

> show system state filter-pretty sw.dev.runtime.ifmon.port-states | match mru
kikumar ‎02-22-2018 08:47 AM
2,598 Views
0 Replies
To upgrade the User-ID agent:
1. Navigate to Services and stop the User-ID Agent service.
2. Navigate to Program Files > Palo Alto Networks > User-ID Agent. Zip the User-ID Agent folder and back it up to a different location.
3. Log into support.paloaltonetworks.com and download the latest User-ID Agent.
4. Perform the install.
5. Once the install is done, the latest agent should start running with all the configuration retrieved from the previous agent.

owner: mvenkatesan
mvenkatesan ‎02-12-2018 01:09 AM
16,411 Views
4 Replies
5 Likes
Palo Alto Networks automation starting with PAN-OS 8.0, and Dynamic Address Groups (DAG). These are very useful for building a self-defending data center without having to apply policies manually.
MarceloRey ‎02-06-2018 12:49 AM
3,230 Views
0 Replies
2 Likes
Question
Why is it that when I use the command

> scp export log traffic query start-time equal <time stamp> end-time equal <time stamp> to <location>

on a firewall, I get a CSV file that has more than 1 million lines, but when the command is run on a Panorama I only get a maximum of 65535 lines?

Answer
The distributed nature of Panorama and PA-7000 platforms means that a log query causes several sources to be accessed, and potentially terabytes of data may need to be sifted through to accommodate the export. This could cause performance degradation, as the management plane will be taxed, and network congestion in distributed collector environments. This is why the log export capability is limited to 65535 lines by default for these platforms. The total number of exported lines can be increased to 1 million by setting the max-log-count parameter.

This limitation is not imposed on firewall platforms, as they store their logs on a single disk with limited storage capacity, making a large query less resource intensive. Log export on a firewall system is limited to 4 billion lines.

If logs need to be routinely exported off of Panorama, consider Configure Log Forwarding from Panorama to External Destinations.
zsanem ‎12-14-2017 06:45 AM
2,306 Views
0 Replies
Issue
In the WebGUI under Network > IPSec Tunnels, the IKE Gateway Status (Phase 1) light is red, whereas the IPSec Tunnel (Phase 2) light is green. However, traffic still continues to flow through the tunnel properly. After some time, the IKE Gateway Status light returns to green. Is this normal?

[Screenshot: VPN status showing Phase 1 down (red) but Phase 2 up (green)]

Resolution
This is normal behavior. The purpose of Phase 1 (IKE Gateway Status) is to set up a secure channel for the subsequent Phase 2 (IPSec Tunnel) security associations (SAs). Once the Phase 2 security associations have been set up, traffic travels on the Phase 2 SA. Hence, it is possible that Phase 1 is down but traffic across the tunnel still works (because Phase 2 is up). The IKE light turns red when Phase 1 times out. After a certain period, when Phase 2 is about to time out, Phase 1 re-negotiates the encryption key for the subsequent Phase 2 negotiations. After these fresh negotiations, the IKE light turns back to green, and this process continues.

This behavior can be seen in the system logs:

[Screenshot: System logs showing Phase 2 and Phase 1 renegotiating]

Description of the above events:
21:44:04: Phase-1 SA timed out. At this point the IKE Gateway Status light becomes red. Notice that the Phase-1 renegotiations have not started right away.
21:45:38: At this point, the Phase-2 SA is about to time out. Hence, Phase-1 SA renegotiations start. The IKE Gateway Status light turns back to green.
21:45:38: Subsequent Phase-2 renegotiations.
21:45:38: The previous Phase-2 SA expires and is deleted.

See Also
For more information on this situation, with more pictures and a different explanation, please see: DotW: VPN IPSec Tunnel Status is Red

owner: akhan
nrice ‎11-17-2017 03:40 PM
27,439 Views
4 Replies
4 Likes
Overview
The CLI command show system statistics displays packet rate, throughput, and session count information. The command can also be used to show the statistics for the top 20 applications.

For session statistics:

> show system statistics session
System Statistics: ('q' to quit, 'h' for help)

Device is up          : 52 days 5 hours 0 min 37 sec
Packet rate           : 174/s
Throughput            : 113 Kbps
Total active sessions : 17
Active TCP sessions   : 4
Active UDP sessions   : 13
Active ICMP sessions  : 0

For application statistics:

> show system statistics application (vsys vsysX)
Top 20 Application Statistics: ('q' to quit, 'h' for help)

Virtual System: vsys1
application                        sessions      packets        bytes
-------------------------------- ---------- ------------ ------------
ipsec-esp-udp                            92     25336686  18944787469
ssl                                  169699      2041979   1005926367
dns                                 3194281      6090888    801709401
ms-product-activation                 13821       412855    292067481
freegate                                  7       173002    150999881
kerberos                             235555       468176    128824746
dhcp                                  75849       319988    109928453
google-base                            4011       221217     65967821
rtp-base                                  1        39188     47817228
google-update                             2        13568     17571452
windows-azure-base                     1079        27976     13138354
windows-push-notifications              492        66341     11988679
rtp-audio                                 2        20148      4512504
dropbox-base                           1293        17326      3025776
ntp                                   16971        33164      2984760
spotify                               15892        31069      2671934
stun                                    188        12255      1811545
snmp-base                              3541        17221      1549591
ping                                  11826        16049      1477782

When running either of the commands above, the following keys will trigger the corresponding options:

Help: ('q' to quit, 'h' for help)

You can type the following key to switch what to display
--------------------------------------------------------
'a' - Display application statistics
'h' - Display this help page
'q' - Quit this program
's' - Display system statistics

Note: it is possible to switch between views.

A snapshot with additional details can be obtained by issuing the show session info command, which reflects dataplane usage and additional session parameters:

> show session info
target-dp:                                       *.dp0
--------------------------------------------------------------------------------
Number of sessions supported:                    262142
Number of allocated sessions:                    21
Number of active TCP sessions:                   2
Number of active UDP sessions:                   19
Number of active ICMP sessions:                  0
Number of active GTPc sessions:                  0
Number of active GTPu sessions:                  0
Number of pending GTPu sessions:                 0
Number of active BCAST sessions:                 0
Number of active MCAST sessions:                 0
Number of active predict sessions:               0
Session table utilization:                       0%
Number of sessions created since bootup:         4406165
Packet rate:                                     70/s
Throughput:                                      37 kbps
New connection establish rate:                   0 cps
--------------------------------------------------------------------------------
Session timeout
  TCP default timeout:                           3600 secs
  TCP session timeout before SYN-ACK received:   5 secs
  TCP session timeout before 3-way handshaking:  10 secs
  TCP half-closed session timeout:               120 secs
  TCP session timeout in TIME_WAIT:              15 secs
  TCP session delayed ack timeout:               250 millisecs
  TCP session timeout for unverified RST:        30 secs
  UDP default timeout:                           30 secs
  ICMP default timeout:                          6 secs
  other IP default timeout:                      30 secs
  Captive Portal session timeout:                30 secs
  Session timeout in discard state:
    TCP: 90 secs, UDP: 60 secs, other IP protocols: 60 secs
--------------------------------------------------------------------------------
Session accelerated aging:                       True
  Accelerated aging threshold:                   80% of utilization
  Scaling factor:                                2 X
--------------------------------------------------------------------------------
Session setup
  TCP - reject non-SYN first packet:             True
  Hardware session offloading:                   True
  IPv6 firewalling:                              True
  Strict TCP/IP checksum:                        True
  ICMP Unreachable Packet Rate:                  200 pps
--------------------------------------------------------------------------------
Application trickling scan parameters:
  Timeout to determine application trickling:    10 secs
  Resource utilization threshold to start scan:  80%
  Scan scaling factor over regular aging:        8
--------------------------------------------------------------------------------
Session behavior when resource limit is reached: drop
--------------------------------------------------------------------------------
Pcap token bucket rate                         : 10485760
--------------------------------------------------------------------------------
Max pending queued mcast packets per session   : 0
--------------------------------------------------------------------------------
nrice ‎10-23-2017 07:32 AM
18,967 Views
4 Replies
This Quick Reference Guide provides helpful information on setting up your account and engaging Support. See also: How to Open a Case with Technical Support and How to Open a Support Case for VM-Series Purchased from Amazon Web Services
panagent ‎10-17-2017 11:41 AM
71,953 Views
3 Replies
1 Like
This article is outdated; for updated information, please refer to: Best Practices for PAN-OS Upgrade
djipp ‎07-27-2017 02:20 PM
239,327 Views
27 Replies
6 Likes
The Palo Alto Networks network security platform requires access to a few specific services in order to perform Dynamic Updates and WildFire functions. When deployed behind existing firewalls or proxy servers, these external resources and services must be accessible from the management interface of the Palo Alto Networks platform. If the traffic flows traverse a Palo Alto Networks platform, the following applications may need to be included in the security rulebase: paloalto-updates, pan-db-cloud, paloalto-wildfire-cloud, and brightcloud.

Application, Threat and Anti-Virus database updates
updates.paloaltonetworks.com:443
staticupdates.paloaltonetworks.com:443

PAN-DB URL filtering seed updates and cloud lookups
*.urlcloud.paloaltonetworks.com:443

Brightcloud URL filtering database updates
database.brightcloud.com:80,443
service.brightcloud.com:80

WildFire
wildfire.paloaltonetworks.com:443
*.wildfire.paloaltonetworks.com:443
jp.wildfire.paloaltonetworks.com:443 (Japan)
*.jp.wildfire.paloaltonetworks.com:443 (Japan)
sg.wildfire.paloaltonetworks.com:443 (Singapore)
*.sg.wildfire.paloaltonetworks.com:443 (Singapore)
eu.wildfire.paloaltonetworks.com:443 (Europe)
*.eu.wildfire.paloaltonetworks.com:443 (Europe)

GlobalProtect database updates
c733.r33.cf1.rackcdn.com:80

Note: The updates.paloaltonetworks.com FQDN resolves to CDN-based IP addresses. If static IP addresses are required, staticupdates.paloaltonetworks.com may be used instead.

owner: rhagen
rhagen ‎06-13-2017 03:35 PM
16,950 Views
9 Replies
1 Like
Overview
This document provides resources for obtaining support from Palo Alto Networks, and includes how to use the customer support portal, how to manage support cases online, and tips on utilizing the online community.

Customer Support Portal and Case Management

Quick Reference Guide: Welcome to Support
This PDF document includes:
- How to create your user account on the Customer Support Portal
- How to register your Palo Alto Networks assets, including products and licenses
- Links to online tools and helpful resources
- How to escalate your case
- Global support numbers

How to Open a Case with Technical Support
Details how to open a support case by Web or phone.

Support Portal: User Documents
Contains links to articles and videos on how to navigate and utilize the features on the Customer Support Portal.
Related: Support Portal FAQs

Supported Browsers
Lists the supported web browsers for the Customer Support Portal and the online Palo Alto Networks Community.

Palo Alto Networks Community

Community Disclaimer
This is the community disclaimer. If you are a first-time user of the community, please read this brief document.
Related: Palo Alto Networks Terms of Use

Tour the New Live Community (video)
Video overview of the Live Community: how to navigate, search and subscribe to areas inside of the Live Community.

Getting Around in the Live Community
Getting started article about the Live Community, where things are in the community and how to navigate and search.

How to Change Your Community Display Name
Describes how to change your display name, or username, on the community.

How to Keep Your Personal Content Private
Shows how to select the proper options to control visibility of your private content.

How to Receive Email Notification for Community Announcements
Describes how to configure your settings to receive email notifications on community announcements.

Supported Browsers
Lists the supported web browsers for the Customer Support Portal and the online Palo Alto Networks Community.
panagent ‎06-01-2017 08:52 AM
9,434 Views
0 Replies
1 Like
Overview
This document explains how an IP address is assigned to a GlobalProtect client when two or more IP address pools are configured.

Details
The Palo Alto Networks firewall keeps a pointer to the pool from which the last successful IP address assignment was taken. The next client will get the next available IP from the pointer's pool.

For example, GlobalProtect pools:
192.168.10.0/24 > pool-1
172.16.10.0/24  > pool-2
*pointer > pool-1

1. The first GlobalProtect client comes in and requests an IP.
2. The Palo Alto Networks firewall checks its pointer, and reads that it has to offer an IP from pool-1 (192.168.10.0/24).
3. The client ACKs the IP and installs it on its GlobalProtect virtual adapter.
4. A new GlobalProtect client comes in (on its local LAN it has the following IP assigned on its NIC: 192.168.10.100).
5. The client authenticates successfully and requests an IP.
6. The firewall checks its memory pointer, which is pointing to pool-1. It grabs the next available IP from pool-1 and offers it to the client.
7. The GlobalProtect client reads the IP, but it overlaps with the address on its physical NIC, so it declines the IP address.
8. The firewall receives the decline and moves its memory pointer to pool-2. The firewall offers the client a new IP from pool-2.
9. A third client comes in. Its physical IP is 192.168.1.15.
10. The firewall checks its pointer, which is pointing to pool-2.
11. The firewall gets the next available IP from pool-2 and offers it to the client.
12. This third client receives the IP and checks it; it does not overlap, so the client installs it on its virtual adapter and ACKs the IP to the firewall.

See Also
How can IP Overlaps be Prevented with GlobalProtect

owner: parmas
parmas ‎05-10-2017 06:27 AM
10,035 Views
5 Replies
2 Likes
The behavior of Device Administrator roles has changed in PAN-OS 8.0 with respect to users' access under the Device tab. The Save functionality has now been separated out, so that allowing Device Administrators to only Save (instead of allowing all features under the Operations tab) can be controlled in isolation.

Previously, in PAN-OS 7.1 and earlier, for a Device Administrator (non-Superuser) to be able to save the configuration via the Save icon in the top-right corner of the WebGUI, the Device tab had to be allowed and the functionality of Device > Setup > Operations had to be Enabled for the user.

The above configuration shows the bare minimum requirements for the Save icon in PAN-OS 7.1 and earlier to be present, but it also means that any Device Admins would also have the right to Load configs, import/export, etc., as allowed in Operations.

If attempting to save as a Device Administrator in PAN-OS 7.1 without the Device tab enabled (or, specifically, Device > Setup > Operations enabled) as shown above, users would notice the Save icon had completely disappeared from their available icons.

In PAN-OS 8.0 the process has changed so that users can be denied access to the Device tab entirely and still retain the Save/Revert feature under the Config icon in the top right.

The Save feature in PAN-OS 8.0 has been completely isolated from the previously-dependent Operations section under Device. The option Save For Other Admins can be denied as well, allowing the user only a Partial Save of the changes they themselves have made. If a Device Administrator in PAN-OS 8.0 has had the Save feature Disabled, the Config icon still remains in the top right corner, unlike PAN-OS 7.1 and earlier; however, the functionality is denied and the below error message is presented to the user:
cperratore ‎05-04-2017 12:41 PM
2,656 Views
0 Replies
Issue
In the WebGUI under Device > Software, when the 'Check Now' button is pressed, only the next PAN-OS version is shown; no other versions appear, even if available.

Details
In the following example, the Palo Alto Networks device is running PAN-OS 6.1.10 and the 'Check Now' button is pressed: only the PAN-OS 7.0.x software versions appear, but PAN-OS 7.1.x versions do not show up. This behavior rules out communication issues between the Palo Alto Networks device and the update server, as otherwise 7.0.x would not be visible.

[Screenshot: Software screen showing the current and next version of PAN-OS]

Resolution
In order to have the latest software versions fetched from the update server and visible for download, the base/maintenance release image of the previous major software version has to be installed. As shown in the following example, on a device running PAN-OS 6.1.10, PAN-OS 7.0.x has to be downloaded and installed for the PAN-OS 7.1.x images to become available. Only the next available PAN-OS version will show up. This is by design, as you can only upgrade one version at a time: PAN-OS 6.1 to PAN-OS 7.0, or 7.0 to 7.1, or 7.1 to 8.0.

owner: gbogojevic
gbogojevic ‎04-25-2017 02:54 PM
5,891 Views
4 Replies
1 Like
This article provides a step-by-step procedure for migrating from PA-2000 series firewalls to the new PA-3000 or PA-5000 series firewalls.

1. Export a configuration snapshot from the old firewall. Go to Device > Setup > Operations > Export named configuration snapshot.
2. Export the device state (if the firewall is managed by Panorama). Go to Device > Setup > Operations > Export device state.
3. Optional step: Set the master key on the new firewall to be identical to the master key of the old firewall.
4. Import the configuration snapshot/device state on the new firewall. Go to Device > Setup > Operations > Import named configuration snapshot OR Import device state.
5. Load the config on the new firewall. (This step is not required if the device state was imported.) Go to Device > Setup > Operations > Load named configuration snapshot.
6. Change the management interface settings (if required). Go to Device > Setup > Management > Management Interface Settings.
7. Make sure that the interfaces are physically connected exactly the same as they were on the old firewall and that the PAN-OS versions of the old and new firewalls are the same.
8. Commit.

On Panorama:
1. Delete the old firewall from the device group, template and managed devices.
2. Add the new firewall to the managed devices and add it to a template and device group.
3. Perform a device group and template commit to push the device group and template config to the firewall so that it is in sync.

The above can also be done in the CLI on the Panorama appliance using the following command:

> replace device old <value> new <value>

Physically disconnect the cable from the old firewall and connect it to the new firewall to complete the cutover.
aali ‎03-28-2017 05:33 AM
11,678 Views
16 Replies
1 Like
Symptoms
On a daily basis, the firewall reports the following error:

opaque: Failed to check Content content upgrade info due to generic communication error

Connectivity to the update server has been verified and no issues were found.

Issue
This error message occurs if two or more content updates are scheduled at the same time (example: Antivirus and Applications and Threats).

Resolution
From the Device > Dynamic Updates page, change the schedule for every content database so the update times are not equal or close together; add a shift of a few minutes if two update schedules do come close together.

owner: rvanderveken
npare ‎03-17-2017 03:20 AM
24,796 Views
9 Replies