Management Articles

Featured Article
Symptoms
Accepting the authentication override cookie fails and users must enter login credentials on the GlobalProtect gateway. This scenario applies when you generate an authentication cookie on the portal and accept it on the gateway, so that users are not prompted for gateway credentials until the cookie lifetime expires.

Diagnosis
System logs (filter: description contains 'GlobalProtect gateway user authentication failed. Login from: X.X.X.X, Source region: 192.168.0.0-192.168.255.255, User name: , Client OS version: Microsoft Windows 7 Enterprise Edition Service Pack 1, 64-bit, Reason: Cannot decrypt cookie, Auth type: cookie.')

The cookie is encrypted with the key of the certificate selected on the portal. If a different certificate is selected on the gateway, the gateway cannot decrypt the cookie and authentication fails.

Solution
Make sure the certificate used to encrypt the cookie on the portal is the same certificate the gateway uses to decrypt it.
bdubey ‎07-31-2018 11:28 AM
2,370 Views
1 Reply
Where does the space go? A log collector is deployed with four 1 TB disk pairs. The GUI reports 3.23 TB of total space that can be allocated via quota. Various CLI commands show different values from the GUI. What is going on here? How much space do you actually have for logs?
cstancill ‎07-30-2018 12:14 PM
2,409 Views
1 Reply
3 Likes
This article is to assist anyone who would like to restrict SNMPv3 access to the Palo Alto Networks OID only.

Please see the link below and refer to "panSys" for information on the Palo Alto Networks OID: http://www.oidview.com/mibs/25461/PAN-COMMON-MIB.html

Below are the steps and how we calculate the mask value for the OID:

Inside the WebUI > Device > Setup > Operations > Misc > SNMP Setup, under Views click Add.

[screenshot of options]

Inside the Views window, you can add one or more Views to define what portion of the MIB tree is accessible. Click Add at the bottom to define a new view name, the OID that should be accessible, and the mask. Each entry defines a portion of the MIB to include or exclude from the user. Click OK when done.

How the mask was calculated
The mask is a bitwise mask defining which nodes of the OID must match. For example, if the OID is 1.3.6.1 and the mask is 0xf0, then the first 4 nodes (f = 1111) must match and the remaining nodes do not need to match. So 1.3.6.1.2 would match and 1.4.6.1.2 would not. If you would like to include all OIDs (the full MIB tree, .1), configure the OID as .1 and the mask as 0x80 (1000 0000), which means that only the first node, .1, must match.

In our case we are trying to calculate the mask value for the OID 1.3.6.1.4.1.25461.2.1.2.1, so the mask should be 0xFFE. How we arrive at this value:

1.3.6.1.4.1.25461.2.1.2.1   (MIB OID, 11 nodes)
1 1 1 1 1 1 1 1 1 1 1       (binary: one bit per node that must match)
1111 1111 1110 = 0xFFE      (hex)
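As an added example (not part of the original article), the mask arithmetic above in Python: one function derives the mask for a view OID, another tests whether a given OID falls inside a view for a given mask, so you can check a view before committing it. The padding to whole octets and the treatment of bits beyond the mask length (treated as "must match", following the VACM MIB in RFC 3415) are my assumptions; for the article's 11-node OID the function returns 0xFFE0, which is the article's 0xFFE followed by a zero (wildcard) nibble and matches identically.

```python
# Added example, not from the article: compute and apply SNMPv3 view masks.
def oid_nodes(oid):
    """'.1.3.6.1' -> [1, 3, 6, 1]; leading/trailing dots are tolerated."""
    return [int(n) for n in oid.strip(".").split(".") if n]


def mask_for_subtree(view_oid):
    """Hex mask with a 1 bit for every node of view_oid (all must match),
    zero-padded to whole octets (assumption). 1.3.6.1 -> 0xF0, .1 -> 0x80."""
    bits = "1" * len(oid_nodes(view_oid))
    bits += "0" * (-len(bits) % 8)
    return "0x" + format(int(bits, 2), "0%dX" % (len(bits) // 4))


def mask_bits(mask_hex, count):
    """Expand a hex mask into `count` booleans, one per view-OID node.
    Bits beyond the mask's length are treated as 1 (must match), as in RFC 3415."""
    h = mask_hex.lower()
    if h.startswith("0x"):
        h = h[2:]
    bits = "".join(format(int(c, 16), "04b") for c in h)
    return [bits[i] == "1" if i < len(bits) else True for i in range(count)]


def in_view(oid, view_oid, mask_hex):
    """True if `oid` lies inside the view subtree: it must be at least as long as
    the view OID, and every node whose mask bit is 1 must be equal."""
    view = oid_nodes(view_oid)
    target = oid_nodes(oid)
    if len(target) < len(view):
        return False
    must_match = mask_bits(mask_hex, len(view))
    return all(not m or v == t for m, v, t in zip(must_match, view, target))


if __name__ == "__main__":
    pan = "1.3.6.1.4.1.25461.2.1.2.1"
    print(mask_for_subtree("1.3.6.1"), mask_for_subtree(".1"), mask_for_subtree(pan))
    # An object under the Palo Alto Networks subtree versus sysDescr (1.3.6.1.2.1.1.1.0)
    for probe in (pan + ".1.1", "1.3.6.1.2.1.1.1.0"):
        print(probe, in_view(probe, pan, "0xFFE"))
```

Running it shows that with the view OID 1.3.6.1.4.1.25461.2.1.2.1 and mask 0xFFE an object under the Palo Alto Networks branch is in the view while sysDescr is not, which is the restriction the article sets out to achieve.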
‎07-30-2018 12:09 PM
1,829 Views
0 Replies
Symptoms
After deploying GlobalProtect with pre-logon enabled, clients running the Blue Coat user agent (bcua) experience intermittent connectivity issues. A continuous ping from the client to internal resources shows successful replies, but after 40-50 seconds the pings begin to time out. The connection is then re-established after a few minutes and the behavior loops.

Diagnosis
The bcua creates a tunnel to Symantec Web Security Service (WSS), which means GlobalProtect traffic is also tunneled. This causes the intermittent connectivity. This can be verified by running a packet capture on the client machine.

A few other ways to verify this is the case:
Check the client's public IP address; you can do this by doing a Google search for "what's my IP address". Verify whether this is the IP address from the client's ISP or whether it belongs to Symantec. I used arin[dot]net to verify. If you get a Symantec IP address, that would be an indication that a tunnel has been created to Symantec.
On the firewall, run the following commands as shown in the screenshot:

Solution
Symantec is aware of this issue and has provided a workaround in this link. Once the changes have been made, verify the IP seen by the firewall. This should be a non-Symantec IP and connectivity should now be stable.
zmacharia_PA ‎07-30-2018 11:11 AM
1,705 Views
0 Replies
Overview
The Include/Exclude list is applied to networks and hosts identified through the User-ID Agent. The User-ID Agent tries to identify users for the IP ranges designated as Include. Likewise, the User-ID Agent does not identify users for the network address ranges designated as Exclude. Note that this is different from the user and group ignore lists, and is only concerned with which networks to include or exclude for the purposes of mapping users.

Details
If the Include/Exclude list is empty, users on any network can be identified and mapped by the User-ID Agent. When an entry is added to the Include list, there is an implicit deny for any other IP address. The order of entries in the Include/Exclude list is important, as the list is processed top to bottom and the first matching entry decides.

For example, to exclude the subnet 192.168.1.0/24 from the larger subnet 192.168.0.0/16:
1. Add the specific subnet 192.168.1.0/24 and designate it as Exclude.
2. Add the larger, encompassing subnet 192.168.0.0/16 and designate it as Include.

Note: If the rules in the above example were reversed, with the Include rule on top, the User-ID Agent would match 192.168.0.0/16 first and allow the mapping, never reaching the Exclude rule for 192.168.1.0/24.

See Also
How to Change the Include and Exclude Lists with User-ID Agent 4.1

owner: mbutt
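To make the ordering pitfall concrete, here is an added example (my own code, not the User-ID Agent's) that evaluates an ordered Include/Exclude list top to bottom with first-match semantics, as the article describes, and runs the article's two rules in both orders over a few constructed addresses. The behaviour when the list contains only Exclude entries (addresses matching nothing are still mapped, because the implicit deny only appears once an Include entry exists) is my reading of the text.

```python
# Added example, not the User-ID Agent's code: first-match evaluation of an ordered
# Include/Exclude list, showing why the order of entries matters.
import ipaddress


def should_map(ip, rules):
    """rules: ordered list of (network, "include" | "exclude"), processed top to bottom.
    An empty list maps every address. Once any Include entry exists, addresses that
    match no entry are implicitly denied (not mapped)."""
    addr = ipaddress.ip_address(ip)
    for network, action in rules:
        if addr in ipaddress.ip_network(network, strict=False):
            return action == "include"          # first matching entry decides
    has_include = any(action == "include" for _, action in rules)
    return not has_include


# Constructed sample: the article's example in the correct and in the reversed order.
CORRECT_ORDER = [("192.168.1.0/24", "exclude"), ("192.168.0.0/16", "include")]
REVERSED_ORDER = [("192.168.0.0/16", "include"), ("192.168.1.0/24", "exclude")]


def mapping_decisions(rules, ips):
    """Map each address to the decision the list produces."""
    return {ip: should_map(ip, rules) for ip in ips}


if __name__ == "__main__":
    samples = ["192.168.1.10", "192.168.50.10", "10.0.0.5"]
    print("correct :", mapping_decisions(CORRECT_ORDER, samples))
    print("reversed:", mapping_decisions(REVERSED_ORDER, samples))
```

With the correct order 192.168.1.10 is not mapped and 192.168.50.10 is; with the Include rule on top 192.168.1.10 is mapped as well, because the Exclude entry is never reached. In both orders 10.0.0.5 is not mapped, since the presence of an Include entry implies a deny for everything else.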
mbutt ‎07-20-2018 11:07 AM
13,657 Views
3 Replies
2 Likes
Overview
When using the User-ID Agent to identify users on the network, there is a way to ignore certain users. Generally, this is used for service accounts, but any desired username can be entered.

Steps
1. Stop the User-ID service.
2. Modify/create a file ignore_user_list.txt in the directory where the User-ID Agent is installed. This file will contain all the users to be ignored. The format of the file needs to be one username on each line.
Note: It is sometimes required to have two entries for each username, the plain username and the username prefixed with the NetBIOS domain name:
user1
mydomain\user1
3. Start the User-ID service.

Starting from PAN-OS 7.1, the ignore user list can also be configured for Agentless User-ID through the WebUI.

See also
How to Add/Delete Users from Ignore User List using Agentless User-ID

owner: sspringer
sspringer ‎07-20-2018 09:45 AM
42,653 Views
21 Replies
3 Likes
How to allow access to YouTube videos embedded in a website but block access to other YouTube videos.

Our use case is an administrator of the Palo Alto Networks next-generation firewall who wants to enable students/employees to watch YouTube videos embedded in their website but block access to all other YouTube videos. Here's how we do it!
sshibiraj ‎07-13-2018 07:42 AM
2,455 Views
0 Replies
1 Like
Issue
In WF-500 version 7.1.x or earlier deployments, the Palo Alto Networks firewall first establishes a TCP port 443 connection to the WF-500. The WildFire appliance provides "<WF500-IP>:10443" as the server list, and the firewall then connects to WildFire on TCP port 10443. TCP port 10443 is used to forward files and fetch reports. When the WildFire appliance is configured with a host name, it instead sends <WF_Hostname:10443> to the firewall. If the firewall's DNS cannot resolve this hostname, registration fails and no files are forwarded to the WF-500 appliance.

Starting from PAN-OS 8.0, TCP 443 is used for all connections (10443 is no longer communicated as a 'go-to'). Firewalls still use 10443 to fetch signatures.

Resolution
Either configure the host name such that it can be resolved by the firewall's DNS, or delete the host name using the following CLI commands:
admin@WF-500# delete deviceconfig system hostname
admin@WF-500# commit

owner: ssharma
ssharma ‎07-13-2018 12:09 AM
6,588 Views
1 Reply
1 Like
Path monitoring enables the firewall to monitor specified destination IP addresses by sending ICMP ping messages to make sure that they are responsive. Use path monitoring for virtual wire, Layer 2, or Layer 3 configurations where monitoring of other network devices is required for failover and link monitoring alone is not sufficient.

Which source IP address to use
For virtual wire and VLAN interfaces, enter the source IP address used in the probe packets sent to the next-hop router (Destination IP address). The local router must be able to route the address to the firewall. The source IP address for path groups associated with virtual routers is automatically configured as the interface IP address that the route table indicates as the egress interface for the specified destination IP address.

This example explains how path monitoring works using a specific Vwire configuration.

Setup
LAN Network -- Router A -- PANW Firewall (Vwire) -- Router B
IP Router A: 1.1.1.254
IP Router B: 1.1.1.1

Device > High Availability > Link and Path Monitoring - HA Path Group Virtual Wire: This is the only place where you need to configure the source IP address.

Go to Device > High Availability > Link and Path Monitoring:

When you commit the configuration, you'll notice the following traffic on your network:

ARP broadcast sourced from the firewall to request the MAC address for 1.1.1.1:

Here is the ARP reply from destination IP 1.1.1.1:

Now the path monitoring can start:

Go to the CLI and verify that path monitoring is working fine:

(active)> show high-availability path-monitoring
--------------------------------------------------------------------------------
total paths monitored :                         1
hold time to send probe packets :               1000 ms   (after device becomes active)
--------------------------------------------------------------------------------
name/type                 destination     suc/total rtt min/max/avg (ms) probe cnt/interval(ms)
--------------------------------------------------------------------------------
replay/virtual-wire       1.1.1.1         10/10     0.10/0.11/0.11      10/200
--------------------------------------------------------------------------------

Note: The ARP packet is sent from the vwire interfaces; the ARP packet sent out will have a unique MAC not attached to any interface.
rvanderveken ‎07-13-2018 12:02 AM
5,959 Views
0 Replies
2 Likes
Panorama Management and Logging Overview

The Panorama solution is comprised of two overall functions: Device Management and Log Collection/Reporting. A brief overview of these two main functions follows:

Device Management: This includes activities such as configuration management and deployment, and deployment of PAN-OS and content updates.
Log Collection: This includes collecting logs from one or multiple firewalls, either to a single Panorama or to a distributed log collection infrastructure. In addition to collecting logs from deployed firewalls, reports can be generated based on that log data whether it resides locally on the Panorama (e.g. a single M-Series or VM appliance) or on a distributed logging infrastructure.

The Panorama solution allows for flexibility in design by assigning these functions to different physical pieces of the management infrastructure. For example, device management may be performed from a VM Panorama, while the firewalls forward their logs to colocated dedicated log collectors.

In the example above, the device management function and reporting are performed on a VM Panorama appliance. There are three log collector groups. Group A contains two log collectors and receives logs from three standalone firewalls. Group B consists of a single collector and receives logs from a pair of firewalls in an Active/Passive high availability (HA) configuration. Group C contains two log collectors as well, and receives logs from two HA pairs of firewalls. The number of log collectors in any given location is dependent on a number of factors. The design considerations are covered below. Note: any platform can be a dedicated manager, but only M-Series can be a dedicated log collector.

Log Collection

Managed Devices
While all current Panorama platforms have an upper limit of 1000 devices for management purposes, it is important for Panorama sizing to understand what the incoming log rate will be from all managed devices. To start with, take an inventory of the total firewall appliances that will be managed by Panorama. Use the following spreadsheet to take an inventory of your devices that need to store logs:

MODEL      PAN-OS (Major Branch #)   Location               Measured Average Log Rate
Ex: 5060   Ex: 6.1.0                 Ex: Main Data Center   Ex: 2500 logs/s

Logging Requirements
This section will cover the information needed to properly size and deploy Panorama logging infrastructure to support customer requirements. There are three main factors when determining the amount of total storage required and how to allocate that storage via Distributed Log Collectors. These factors are:
Log Ingestion Requirements: This is the total number of logs that will be sent per second to the Panorama infrastructure.
Log Storage Requirements: This is the timeframe for which the customer needs to retain logs on the management platform. There are different driving factors for this, including both policy-based and regulatory compliance motivators.
Device Location: The physical location of the firewalls can drive the decision to place DLC appliances at remote locations based on WAN bandwidth etc.

Each of these factors is discussed in the sections below.

Log Ingestion Requirements
The aggregate log forwarding rate for managed devices needs to be understood in order to avoid a design where more logs are regularly being sent to Panorama than it can receive, process, and write to disk. The table below outlines the maximum number of logs per second that each hardware platform can forward to Panorama and can be used when designing a solution to calculate the maximum number of logs that can be forwarded to Panorama in the customer environment.

Device Log Forwarding
Platform            Supported Logs per Second (LPS)
PA-200              250
PA-220              1,200
PA-500              625
PA-820/850          10,000
PA-3000 series      10,000
PA-3220             7,000
PA-3250             15,000
PA-3260             24,000
PA-5050/60          10,000
PA-5220             30,000
PA-5250             55,000
PA-5260             To Be Tested
PA-7050/7080        70,000
VM-50               1,250
VM-100/200          2,500
VM-300/1000-HV      8,000
VM-500              8,000
VM-700              10,000

The log ingestion rate on Panorama is influenced by the platform and mode in use (mixed mode versus logger mode). The table below shows the ingestion rates for Panorama on the different available platforms and modes of operation. The numbers in parentheses next to VM denote the number of CPUs and gigabytes of RAM assigned to the VM.

Panorama Log Ingestion
Platform     Mixed     Dedicated
VM (8/16)    10,000    18,000
M-200        10,000    28,000
M-500        15,000    30,000
M-600        25,000    50,000

The above numbers are all maximum values. In live deployments, the actual log rate is generally some fraction of the supported maximum. Determining the actual log rate is heavily dependent on the customer's traffic mix and isn't necessarily tied to throughput. For example, a single offloaded SMB session will show high throughput but only generate one traffic log. Conversely, you can have a smaller throughput comprised of thousands of UDP DNS queries that each generate a separate traffic log. For sizing, a rough correlation can be drawn between connections per second and logs per second.

Methods for Determining Log Rate
New Customer:
Leverage information from existing customer sources. Many customers have a third-party logging solution in place such as Splunk, ArcSight, QRadar, etc. The number of logs sent from their existing firewall solution can be pulled from those systems. When using this method, get a log count from the third-party solution for a full day and divide by 86,400 (the number of seconds in a day). Do this for several days to get an average. Be sure to include both business and non-business days, as there is usually a large variance in log rate between the two.
Use data from an evaluation device. This information can provide a very useful starting point for sizing purposes and, with input from the customer, data can be extrapolated for other sites in the same design. This method has the advantage of yielding an average over several days. A script (with instructions) to assist with calculating this information is attached to this document. To use it, download the file named "ts_lps.zip", unpack the zip file and reference the README.txt for instructions.
If no information is available, use the Device Log Forwarding table above as a reference point. This will be the least accurate method for any particular customer.
Existing Customer:
For existing customers, we can leverage data gathered from their existing firewalls and log collectors:
To check the log rate of a single firewall, download the attached file named "Device.zip", unpack the zip file and reference the README.txt file for instructions. This package will query a single firewall over a specified period of time (you can choose how many samples) and give an average number of logs per second for that period. At minimum this script should be run for 24 consecutive hours on a business day. Running the script for a full week will help capture the cyclical ebb and flow of the network. If the customer does not have a log collector, this process will need to be run against each firewall in the environment.
If the customer has a log collector (or log collectors), download the attached file named "lc_lps.zip", unpack the zip file and reference the README.txt file for instructions. This package will query the log collector MIB to take a sample of the incoming log rate over a specified period.

Log Storage Requirements

Factors Affecting Log Storage Requirements
There are several factors that drive log storage requirements. Most of these requirements are regulatory in nature. Customers may need to meet compliance requirements for HIPAA, PCI, or Sarbanes-Oxley:
PCI DSS requirement 10.7
Sarbanes-Oxley Act, Section 802
HIPAA - § 164.316(b)(2)(i)

There are other governmental and industry standards that may need to be considered. Additionally, some companies have internal requirements, for example that a certain number of days' worth of logs be maintained on the original management platform. Ensure that all of these requirements are addressed with the customer when designing a log storage solution.

The focus is on the minimum number of days' worth of logs that needs to be stored. If there is a maximum number of days required (due to regulation or policy), you can set the maximum number of days to keep logs in the quota configuration.

Calculating Required Storage
Calculating required storage space based on a given customer's requirements is a fairly straightforward process but can be labor intensive when achieving higher degrees of accuracy. With PAN-OS 8.0, the aggregated size of all log types is 500 bytes. This number accounts for both the logs themselves as well as the associated indices. The Threat database is the data source for Threat logs as well as URL, WildFire Submissions, and Data Filtering logs.

Note that we may not be the logging solution for long-term archival. In these cases, suggest Syslog forwarding for archival purposes.

The equation to determine the storage requirements for a particular log type is:

Example: Customer wants to be able to keep 30 days' worth of traffic logs with a log rate of 1500 logs per second:

The result of the above calculation accounts for detailed logs only. The default quota settings reserve 60% of the available storage for detailed logs. This means that the calculated number represents 60% of the total storage that will need to be purchased. To calculate the total storage required, divide this number by .60.

Default log quotas for Panorama 8.0 and later are as follows:

Log Type                          % Storage
Detailed Firewall Logs            60
Summary Firewall Logs             30
Infrastructure and Audit Logs     5
Palo Alto Networks Platform Logs  .1
3rd Party External Logs           .1

The attached worksheet will take into account the default quota on Panorama and provide a total amount of storage required.

Calculating Required Storage For Logging Service
There are three different cases for sizing log collection using the Logging Service. For in-depth sizing guidance, refer to Sizing Storage For The Logging Service.
Log collection for Palo Alto Networks Next-Generation Firewalls
Log collection for GlobalProtect Cloud Service Mobile User
Log collection for GlobalProtect Cloud Service Remote Office

Log Collection for Palo Alto Networks Next-Generation Firewalls
The log sizing methodology for firewalls logging to the Logging Service is the same as when sizing for on-premise log collectors. The only difference is the size of the log on disk. In the Logging Service, both threat and traffic logs can be calculated using a size of 1500 bytes.

Log Collection for GlobalProtect Cloud Service Mobile User
Per-user log generation depends heavily on both the type of user as well as the workloads being executed in that environment. On average, 1 TB of storage on the Logging Service will provide 30 days' retention for 5000 users. An advantage of the Logging Service is that adding storage is much simpler to do than in a traditional on-premise distributed collection environment. This means that if your environment is significantly busier than the average, it is a simple matter to add whatever storage is necessary to meet your retention requirements.

Log Collection for GlobalProtect Cloud Service Remote Office
GlobalProtect Cloud Service (GPCS) for remote offices is sold based on bandwidth. While log rate is largely driven by connection rate and traffic mix, in sample enterprise environments log generation occurs at a rate of approximately 1.5 logs per second per megabit of throughput. The attached sizing worksheet uses this rate and takes into account busy/off hours in order to provide an estimated average log rate.

LogDB Storage Quotas
Storage quotas were simplified starting in PAN-OS version 8.0. Detailed and summary logs each have their own quota, regardless of type (traffic/threat):

Log Type                          Quota (%)
Detailed Firewall Logs            60
Summary Firewall Logs             30
Infrastructure and Audit Logs     5
Palo Alto Networks Platform Logs  .1
3rd Party External Logs           .1
Total                             95.2

Device Location
The last design consideration for logging infrastructure is the location of the firewalls relative to the Panorama platform they are logging to. If the device is separated from Panorama by a low-speed network segment (e.g. T1/E1), it is recommended to place a Dedicated Log Collector (DLC) on site with the firewall. This allows log forwarding to be confined to the higher-speed LAN segment while allowing Panorama to query the log collector when needed. For reference, the following tables show bandwidth usage for log forwarding at different log rates. This includes both logs sent to Panorama and the acknowledgement from Panorama to the firewall. Note that for both the 7000 Series and 5200 Series, logs are compressed during transmission.

Log Forwarding Bandwidth
Log Rate (LPS)   Bandwidth Used
1300             8 Mbps
8000             56 Mbps
10000            64 Mbps
16000            52.8 - 140.8 Mbps (96.8)

Log Forwarding Bandwidth - 7000 and 5200 Series
Log Rate (LPS)   Bandwidth Used
1300             .6 Mbps
8000             4 Mbps
10000            4.5 Mbps
16000            5 - 10 Mbps

Device Management
There are several factors to consider when choosing a platform for a Panorama deployment. Initial factors include:
How many concurrent administrators need to be supported?
Does the customer have VMware virtualization infrastructure that the security team has access to?
Does the customer require dual power supplies?
What is the estimated configuration size?
Will the device handle log collection as well?

Panorama Virtual Appliance
This platform operates as a virtual M-100 and shares the same log ingestion rate. Adding additional resources will allow the virtual Panorama appliance to scale both its ingestion rate as well as its management capabilities. The minimum requirements for a Panorama virtual appliance running 8.0 are 8 vCPUs and 16 GB vRAM.
When to choose the Virtual Appliance?
The customer has a large VMware infrastructure that the security team has access to
The customer is using dedicated log collectors and is not in mixed mode
When not to choose the Virtual Appliance?
The server team and security team are separate and do not want to share
The customer has no virtual infrastructure

M-100 Hardware Platform
This platform has dedicated hardware and can handle up to 15 concurrent administrators. When in mixed mode, it is capable of ingesting 10,000 - 15,000 logs per second.
When to choose the M-100?
The customer needs a dedicated platform, but is very price sensitive
The customer is using dedicated log collectors and is not in mixed mode, but does not have VM infrastructure
When not to choose the M-100?
If dual power supplies are required
Mixed mode with more than 10k logs/s or more than 8 TB required for log retention
Has more than 15 concurrent admins

M-500 Hardware Platform
This platform has the highest log ingestion rate, even when in mixed mode. The higher resource availability will handle larger configurations and more concurrent administrators (15-30). It offers dual power supplies and has a strong growth roadmap.
When to choose the M-500?
The customer needs a dedicated platform, and has a large or growing deployment
The customer is using dual mode with more than 10k logs/s
The customer wants to future-proof their investment
The customer needs a dedicated appliance but has more than 15 concurrent admins
Requires dual power supplies
When not to choose the M-500?
If the customer has a VM-first environment and does not need more than 48 TB of log storage
The customer is very price sensitive

High Availability
This section will address design considerations when planning for a high availability deployment. Panorama high availability is Active/Passive only and both appliances need to be fully licensed. There are two aspects to high availability when deploying the Panorama solution. These aspects are Device Management and Logging. The two aspects are closely related, but each has specific design and configuration requirements.
Device Management HA: The ability to retain device management capabilities upon the loss of a Panorama device (either an M-Series or virtual appliance).
Logging HA or Log Redundancy: The ability to retain firewall logs upon the loss of a Panorama device (M-Series only).

Device Management HA
When deploying the Panorama solution in a high availability design, many customers choose to place HA peers in separate physical locations. From a design perspective, there are two factors to consider when deploying a pair of Panorama appliances in a High Availability configuration. These concerns are network latency and throughput.

Network Latency
The latency of intervening network segments affects the control traffic between the HA members. HA-related timers can be adjusted to the needs of the customer deployment. The maximum recommended value is 1000 ms.
Preemption Hold Time: If the Preemptive option is enabled, the Preemption Hold Time is the amount of time the passive device will wait before taking the active role. In this case, both devices are up, and the timer applies to the device with the "Primary" priority.
Promotion Hold Time: The promotion hold timer specifies the interval that the Secondary device will wait before assuming the active role. In this case, there has been a failure of the primary device and this timer applies to the Secondary device.
Hello Interval: This timer defines the number of milliseconds between Hello packets to the peer device. Hello packets are used to verify that the peer device is operational.
Heartbeat Interval: This timer defines the number of milliseconds between ICMP messages sent to the peer. Heartbeat packets are used to verify that the peer device is reachable.
Relation between network latency and Heartbeat interval: Because the heartbeat is used to determine reachability of the HA peer, the Heartbeat interval should be set higher than the latency of the link between the HA members.

HA Timer Presets
While customers can set their HA timers specifically to suit their environment, Panorama also has two sets of preconfigured timers that the customer can use. These presets cover a majority of customer deployments.

Recommended:
Timer                             Setting
Preemption Hold Time              1
Hello Interval                    8000
Heartbeat Interval                2000
Monitor Fail Hold Up Time         0
Additional Master Hold Up Time    7000

Aggressive:
Timer                             Setting
Preemption Hold Time              500
Hello Interval                    8000
Heartbeat Interval                1000
Monitor Fail Hold Up Time         0
Additional Master Hold Up Time    5000

Configuration Sync

HA Sync Process
The HA sync process occurs on Panorama when a change is made to the configuration on one of the members in the HA pair. When a change is made and committed on the Active-Primary, it will send a message to the Active-Secondary that the configuration needs to be synchronized. The Active-Secondary will send back an acknowledgement that it is ready. The Active-Primary will then send the configuration to the Active-Secondary. The Active-Secondary will merge the configuration sent by the Active-Primary and enqueue a job to commit the changes. This process must complete within three minutes of the HA-Sync message being sent from the Active-Primary Panorama. The main concern is the size of the configuration being sent and the effective throughput of the network segment(s) that separate the HA members.

Log Availability
The other piece of the Panorama High Availability solution is providing availability of logs in the event of a hardware failure. There are two methods for achieving this when using a log collector infrastructure (either dedicated or in mixed mode).

Log Redundancy
PAN-OS 7.0 and later include an explicit option to write each log to 2 log collectors in the log collector group. By enabling this option, a device sends its log to its primary log collector, which then replicates the log to another collector in the same group.

Log duplication ensures that there are two copies of any given log in the log collector group. This is a good option for customers who need to guarantee log availability at all times. Things to consider:
1. The replication only takes place within a log collector group.
2. The overall available storage space is halved (because each log is written twice).
3. The overall log ingestion rate will be reduced by up to 50%.

Log Buffering
Firewalls require an acknowledgement from the Panorama platform that they are forwarding logs to. This means that in the event that the firewall's primary log collector becomes unavailable, the logs will be buffered and sent when the collector comes back online. There are two methods to buffer logs.

The first method is to configure separate log collector groups for each log collector. In this situation, if Log Collector 1 goes down, Firewall A and Firewall B will each store their logs on their own local log partition until the collector is brought back up. The local log partition for current firewall models is:

Model             Log Partition Size (GB)
PA-200            2.4
PA-220            32
PA-800 Series     172
PA-3000 Series    90
PA-3200 Series    125
PA-5000 Series    88
PA-5200 Series    1800

The second method is to place multiple log collectors into a group. In this scenario, the firewall can be configured with a priority list, so if the primary log collector goes down, the second collector on the list will buffer the logs until all of the collectors in the group know that the primary collector is down, at which time new logs will stop being assigned to the down collector.

In the architecture shown below, Firewall A and Firewall B are configured to send their logs to Log Collector 1 primarily, with Log Collector 2 as a backup. If Log Collector 1 becomes unreachable, the devices will send their logs to Log Collector 2. Collector 2 will buffer logs that are to be stored on Collector 1 until it can pull Collector 1 out of the rotation.

Considerations for Log Collector Group design
There are three primary reasons for configuring log collectors in a group:
Greater log retention is required for a specific firewall (or set of firewalls) than can be provided by a single log collector (to scale retention).
Greater ingestion capacity is required for a specific firewall than can be provided by a single log collector (to scale ingestion).
Requirement for log redundancy.

When considering the use of log collector groups, there are a couple of considerations that need to be addressed at the design stage:
Spread ingestion across the available collectors: Multiple device forwarding preference lists can be created. This allows ingestion to be handled by multiple collectors in the collector group. For example, preference list 1 will have half of the firewalls and list collector 1 as the primary and collector 2 as the secondary. Preference list 2 will have the remainder of the firewalls and list collector 2 as the primary and collector 1 as the secondary.
Latency matters: Network latency between collectors in a log collector group is an important factor in performance. A general design guideline is to keep all collectors that are members of the same group close together. The following table provides an idea of what you can expect at different latency measurements with redundancy enabled and disabled. In this case, 'Log Delay' is the undesired result of high latency: logs don't show up in the UI until well after they are sent to Panorama.

Inter-LC Latency (ms)   Log Rate   Redundancy enabled   Log Delay
50                      10K        No                   No
100                     5K         No                   No
100                     10K        No                   Yes
50                      5K         Yes                  No
50                      10K        Yes                  Yes
100                     5K         Yes                  No
150                     3K         Yes                  No
150                     5K         Yes                  Yes

Using The Sizing Worksheet
The information that you will need includes the desired retention period and the average log rate.
Retention Period: Number of days that logs need to be kept.
Average Log Rate: The measured or estimated aggregate log rate.
Redundancy Required: Check this box if log redundancy is required.
Storage for Detailed Logs: The amount of storage (in gigabytes) required to meet the retention period for detailed logs.
Total Storage Required: The storage (in gigabytes) to be purchased. This accounts for all log types at the default quota settings.

Example Use Cases
View full article
cstancill ‎07-12-2018 03:14 PM
93,232 Views
9 Replies
10 Likes
Issue
Seeing error on commit: Management Server failed to send ID request to client device.

Resolution
Restart both the management server and the device server. Run the following commands:

> debug software restart process device-server
> debug software restart process management-server

The above commands do not have any impact on the traffic (DP).

owner: ansharma
View full article
panagent ‎07-12-2018 04:33 AM
11,546 Views
2 Replies
For Panorama 7.0, refer to the Panorama Administrator's Guide for the procedures to Configure Log Forwarding, Add a Firewall as a Managed Device, and Analyze Log Data for the PA-7050 firewall and other firewall platforms.

Details
A PA-7000 series is configured as a Panorama managed device. Panorama will display logs (traffic logs) for the PA-7000 series, even if there is no "Log Forwarding Profile" defined or configured on any security policy.

The following examples are for traffic observed on Panorama, even though there is no Log Forwarding Profile on the PA-7000 series. Shown below is traffic observed for Rule "ANY" on Panorama for the PA-7000 series.

In the example below, changing context to the PA-7000 series reveals that the Forwarding Profile is not configured on the Security Policy "ANY".

As shown below, the Log Forwarding profile is not configured on the PA-7000 series.

What is observed in Panorama is a real-time running query from the management port on Panorama to the PA-7000 series, which results in displaying the logs.

Note: The logs physically reside only on the PA-7000 series. This occurs because Panorama cannot handle the rate at which a PA-7000 series would send its logs out of the box; therefore, offloading for this platform to Panorama is not supported.

However, the PA-7000 series does support offloading of its logs to syslog, email and SNMP servers. The PA-7000 series has a dedicated Log Processing Card (LPC). Any unused port on any of the NPCs can be defined to be the LPC (Interface Type: Log Card). A data port configured as the type Log Card performs log forwarding for all of the following:

Syslog
Email
SNMP
WildFire file forwarding

Only one port on the Palo Alto Networks firewall can be configured as a Log Card interface, and a commit error is displayed if log forwarding is enabled and there is no interface configured with the Interface Type "Log Card".

Make sure that the IP assigned to the Log Card Interface can reach the Syslog, Email, SNMP and/or WildFire servers.

Special Note
This limitation was overcome with the release of PAN-OS 8.0. For more information please refer to:

https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/management-features/pa-7000-series-firewall-log-forwarding-to-panorama

https://live.paloaltonetworks.com/t5/Featured-Articles/PAN-OS-8-0-Forwarding-PA-7000-Logs-to-Panorama/ta-p/132063
View full article
mivaldi ‎07-11-2018 09:58 AM
31,776 Views
6 Replies
2 Likes
Symptoms
When configuring an IPsec VPN between an AWS Virtual Private Gateway and a Palo Alto Networks device, you might get an error. If you are using the longer format resource IDs generated by AWS for Palo Alto Networks as the vendor, you might run into errors while editing the VPN and network settings.

This is normally caused by going into the AWS portal, navigating to "VPC > VPN Connections" and selecting "Download Configuration". If the VPN gateway is using the longer format resource IDs, PAN-OS will not accept some of the generated configuration lines. An error similar to the following will be reported:

admin@PA-VM# edit network ike crypto-profiles ike-crypto-profiles ike-crypto-vpn-0901877fe35f95b23-0
ike-crypto-vpn-0901877fe35f95b23-0 should be less than or equal to 31 characters

Invalid syntax.

Diagnosis
The invalid syntax occurs because the network profile name field in PAN-OS currently accepts a maximum of 31 characters, while the IKE crypto profile name in the generated configuration contains 34 characters when the longer instance IDs are used (for example, ike-crypto-vpn-0901877fe35f95b23-0).

Starting June 2018, AWS will switch to using Longer Format Resource IDs for all AWS resources, such as VPC IDs.

Solution
To resolve this, manually modify the generated configuration file before copying and pasting the configuration into a PAN-OS firewall. Replace every instance of the IKE crypto profile name as in the following example:

current value: ike-crypto-vpn-0901877fe35f95b23-0
new value: vpn-0901877fe35f95b23-0

Removing the "ike-crypto-" prefix from the name brings the total number of characters to 23, which PAN-OS accepts.

As of 15-Jun-2018, AWS has updated the VPN configuration generator for PAN-OS to shorten the value for ike-crypto-profiles, automatically creating a shorter unique name of the format vpn-0901877fe35f95b23-0.
View full article
melamin ‎07-03-2018 05:54 PM
2,241 Views
0 Replies
How to Register and Activate Eval Panorama Software

The following procedure walks you through the steps to license, download, and install the Panorama management software.

STEP 1 | Register the Panorama Serial #
Log in to the Customer Support Portal (https://support.paloaltonetworks.com) and select Assets > Devices > Register New Device.
In the Device Type window, select Register device using Serial Number or Authorization Code and click Submit.
To activate the Panorama software, enter the Serial Number you received in the “Request for Software Evaluation Approved” email and click Agree and Submit.
After successful registration, your Assets screen should display the newly registered and activated Eval Panorama.

STEP 2 | Download the Panorama software
In the navigation menu, click Updates > Software Updates.
Click the Filter By: drop-down menu and select Panorama Base Images.
Locate the most recent base image that will be used for your environment and click the corresponding download link.

STEP 3 | Install the Panorama software
For detailed instructions on installing and configuring the Panorama software, go to PANW Tech Docs: Panorama Admin Guide: Set up the Panorama Virtual Appliance.

STEP 4 | Activate the support license on Panorama
Open a web browser and navigate to the management IP address you set for Panorama.
Log in using the factory default credentials of admin/admin for username and password.
On the Dashboard > General Information section, the Serial # field should say “Unknown”.
Go to Panorama > Setup > Management > General Settings. Click the settings wheel and set the proper timezone and current system time. After clicking OK, the screen may freeze. If it does, close that browser tab and bring up a new tab to the Panorama GUI.
Go back to Panorama > Setup > Management > General Settings. Click the settings wheel again to enter the Evaluation Panorama Serial # that you registered on the support portal.
Click OK.
Click Commit at the top right corner and then Commit to Panorama to commit any pending changes.
Go to Panorama > Support. If the Support license is not displayed here, you will need to reboot Panorama for the system to display the license info.
Go to Panorama > Licenses: this screen shouldn’t show any additional feature licenses.
Go to Panorama > Dynamic Updates to download the latest Apps & Threats, WildFire, and Antivirus content updates.
Go to Panorama > Software to download the latest software version if needed.

STEP 5 | Complete the Panorama software configuration
View full article
bfrentz ‎07-03-2018 12:42 PM
9,323 Views
0 Replies
User-created disk-image/machine-image backups used to restore a VM-Series firewall instance are not supported on any hypervisor, including public cloud platforms. This includes all functions that allow creating a copy of the disk and memory state of the instance.

To restore a VM-Series firewall, import a backup of the PAN-OS configuration onto a newly deployed VM-Series firewall instance created from a base image file or from the public cloud marketplace.
View full article
oconnellm ‎07-02-2018 06:25 AM
1,944 Views
0 Replies
To download software: Log in to the Support Portal and click the Software Updates link.

To receive notifications when this document is updated, see Email Notifications for Subscribed Activities.

Version   Release Date
6.1.21    29-Jun-18
6.1.20    8-Mar-18
6.1.19    5-Dec-17
6.1.18    20-Jul-17
6.1.17    28-Apr-17
6.1.16    30-Jan-17
6.1.15    31-Oct-16
6.1.14    1-Sep-16
6.1.13    21-Jul-16
6.1.12    9-Jun-16
6.1.11    14-Apr-16
6.1.10    24-Feb-16
6.1.9     13-Jan-16
6.1.8     23-Nov-15
6.1.7     23-Sep-15
6.1.6     29-Jul-15
6.1.5     30-Jun-15
6.1.4     13-May-15
6.1.3     19-Mar-15
6.1.2     2-Feb-15
6.1.1     18-Dec-14
6.1.0     27-Oct-14
View full article
panagent ‎06-29-2018 12:56 AM
86,040 Views
7 Replies
1 Like
Overview
When using nested user groups, the Palo Alto Networks firewall will be able to return all users within the main group, along with all users within the nested group(s). For example, if the "top_level_group" contains two nested groups, "nested_group_1" and "nested_group_2", all queries to the top_level_group from the firewall will be able to pull back users in the nested groups as well. A security policy can be configured with the "top_level_group", and users from the "nested_group_1" and "nested_group_2" will also be included.

Verification
The CLI command show user group name xxx can be used to display the users within the group.

The output shows that the "top_level_group" contains users from the "nested_group_1" and "nested_group_2".

> show user group name "cn=top_level_group,cn=users,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com"
short name:  pantac2012\top_level_group
source type: service
source:      panlab2012

[1] pantac2012\panuser1
[2] pantac2012\panuser2
[3] pantac2012\panuser3
[4] pantac2012\panuser10
[5] pantac2012\panuser11
[6] pantac2012\panuser12

> show user group name "cn=nested_group_1,cn=users,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com"
short name:  pantac2012\nested_group_1
source type: service
source:      panlab2012

[1] pantac2012\panuser1
[2] pantac2012\panuser2
[3] pantac2012\panuser3

> show user group name "cn=nested_group_2,cn=users,dc=pantac2012,dc=gcs,dc=paloaltonetworks,dc=com"
short name:  pantac2012\nested_group_2
source type: service
source:      panlab2012

[1] pantac2012\panuser10
[2] pantac2012\panuser11
[3] pantac2012\panuser12

See also
Retrieving AD groups fails - nested-group-level exceeds limit

owner: pmak
View full article
pmak ‎06-27-2018 01:58 PM
18,246 Views
5 Replies
To download software: Log in to the Support Portal and click the Software Download link.

To receive notifications when this document is updated, see Email Notifications for Subscribed Activities.

Version   Release Date
4.1.2     14-Jun-18
4.1.1     26-Apr-18
4.1.0     6-Mar-18
4.0.8     12-Apr-18
4.0.7     22-Feb-18
4.0.6     16-Jan-18
4.0.5     4-Dec-17
4.0.4     12-Oct-17
4.0.3     5-Sep-17
4.0.2     25-May-17
View full article
panagent ‎06-14-2018 01:43 PM
140,902 Views
3 Replies
4 Likes
To download software: Log in to the Support Portal and click the Software Updates link.

To receive notifications when this document is updated, see Email Notifications for Subscribed Activities.

Version   Release Date
8.1.2     13-June-18
8.1.1     2-May-18
8.1.0     6-Mar-18
View full article
‎06-13-2018 04:52 PM
9,683 Views
0 Replies
2 Likes
Introduction:
This document describes the recommended update interval and timings for Dynamic Updates. The network load on the update server varies depending on the timing, and it is recommended to avoid relatively busy times in order to receive stable updates.

Recommendation:
1. Update Interval (Recurrence)
A shorter recurrence setting is recommended, as it will trigger the next update sooner. For example, if Recurrence is set to "Daily" and a Dynamic Update fails, the scheduled update won't happen until the next day. If it's set to "Hourly", the next scheduled update will be triggered within an hour.

2. Update Timings (Minutes Past Hour / Minutes Past Half-Hour / Time)
The following timings are recommended to be avoided: 00/01/02/03/05/10/15/16/20/25/30/31/35/40/45/46/50/55 min

PAN-OS 6.1: The time value can be selected from the pull-down menu, and can also be modified manually.
PAN-OS 7.0: The time value can be selected from the pull-down menu, and can also be modified manually.
PAN-OS 8.0
PAN-OS 8.1

These recommended settings can be applied to Antivirus, WildFire and "Application and Threats" signature updates (except where the WildFire update is configured as "Every Minute").

If necessary, set a threshold that determines the amount of time the firewall waits before installing the latest content. For more detail, refer to the Administrator's Guide ("Best Practices for Application and Threat Content Updates" section) and the article below.

See Also:
https://www.paloaltonetworks.com/documentation/document-search?q=Best+Practices+for+Application+and+Threat+Content+Updates
https://live.paloaltonetworks.com/t5/Management-Articles/Dynamic-updates-scheduled-with-a-threshold-set-but-are-never-or/ta-p/65952
View full article
ymiyashita ‎06-04-2018 01:19 AM
5,260 Views
0 Replies
How to collect logs from the different GlobalProtect clients (Windows and Mac).
View full article
sraghunandan ‎05-30-2018 03:39 PM
31,275 Views
5 Replies
1 Like
As shown in the following screenshot, the ethernet protocol type is 0x7261.

owner: rvanderveken
View full article
rvanderveken ‎05-28-2018 04:35 AM
5,766 Views
0 Replies
When the patch list of the HIP object is long, it is difficult to find which required patches are missing.

Copy the missing patches from the HIP Check logs and save them in a text file called patches.txt. Use the following shell command to scan the Palo Alto Networks running config for each of the missing patches (the patch ID is in the second tab-separated column of patches.txt; the variable is quoted so a blank or unusual value cannot turn into a bare grep of the whole file):

$ for k in $(cut -d$'\t' -f2 patches.txt); do echo "$k"; grep "$k" running-config.xml; done

In this example, KB2952664 is missing.
View full article
terence.lee ‎05-27-2018 06:45 AM
2,170 Views
0 Replies
SCTP (Stream Controlled Transmission Protocol) is a reliable, message-based transport protocol used widely by mobile networks. See how Palo Alto Networks plans to manage all SCTP-related App-IDs, beginning in May 2018, and how the SCTP Security feature in PAN-OS 8.1 still has you covered!
View full article
saverma ‎05-15-2018 04:48 PM
15,744 Views
0 Replies
How to configure PAN to advertise static/connected routes to its BGP peers except for one of them. This holds good for connected/OSPF/RIP routes.

Steps
1. Example showing 2 BGP peers.

2. The following static routes are configured on the box. If only the 100.1.1.0/24 and 50.0.0.0/24 static routes have to be redistributed to Peer3, and all static routes to Peer2, then:

4. Create a redistribution profile to allow all static routes.

5. Use the same redistribution profile in the redist profile of the BGP.

6. Now this will redistribute all the static routes to peers Peer2 and Peer3. In order to restrict the redistribution, we need to use the export policy and allow the 2 routes.

7. If you check the neighbor/Local-rib/Rib-out, you can see the desired result.

Via the CLI
Use the following command to show the BGP loc-rib info:

admin@Lab> show routing protocol bgp loc-rib

VIRTUAL ROUTER: default (id 1)
==========
Prefix              Nexthop       Peer    Weight  LocPrf  Org  MED  flap  AS-Path
*50.0.0.0/24                      Local   0       100     i/c  0    0
*100.1.1.0/24                     Local   0       100     i/c  0    0
*172.17.0.0/16      172.17.0.0    Local   0       100     i/c  0    0
*192.168.254.0/24                 Local   0       100     i/c  0    0

total routes shown: 4

8. Now check the rib-out; only routes 100.1.1.0/24 and 50.0.0.0/24 are redistributed to Peer3, and all routes to Peer2.

Via the CLI
Use the following command to show the BGP rib-out info:

admin@Lab> show routing protocol bgp rib-out

VIRTUAL ROUTER: default (id 1)
==========
Prefix              Nexthop       Peer      Originator  Adv Status  Aggr Status     AS-Path
50.0.0.0/24         172.19.1.1    peer1.1   0.0.0.0     advertised  no aggregation  64713
100.1.1.0/24        172.19.1.1    peer1.1   0.0.0.0     advertised  no aggregation  64713
172.17.0.0/16       172.19.1.1    peer1.1   0.0.0.0     advertised  no aggregation  64713
192.168.254.0/24    172.19.1.1    peer1.1   0.0.0.0     advertised  no aggregation  64713
50.0.0.0/24         172.19.1.1    Peer1.3   0.0.0.0     advertised  no aggregation  64713   ===> Peer3
100.1.1.0/24        172.19.1.1    Peer1.3   0.0.0.0     advertised  no aggregation  64713   ===> Peer3

total routes shown: 6

Important Note
If you redistribute OSPF, connected or static routes into BGP, use the redistribution profile and the redist tab on the BGP for that, and use the export rule only when you have to restrict the redistribution to peers, as shown in the above example.

If you want to restrict the BGP routes sent out from the box, use only the export tab and restrict them there. Do not use both the export and redist tabs for exporting BGP routes in BGP.
View full article
panagent ‎05-14-2018 05:27 PM
10,838 Views
1 Reply
If there is a specific site for which you would like to determine the URL category, visit the test site linked in the article to test the URL. This article is a complete list of PAN-DB URL filtering categories.
View full article
‎05-10-2018 11:25 AM
194,612 Views
21 Replies
5 Likes
Question
What is the Max Length of Security Rules' Description Field?

Answer
In PAN-OS 8.0 and older: The description field can be a maximum of 255 characters. The policy name is limited to 31 characters.
In PAN-OS 8.1: The policy name has been increased to 63 characters. The description field has not changed and is still limited to 255 characters.

owner: ukhapre
View full article
ukhapre ‎05-10-2018 08:25 AM
3,939 Views
1 Reply
The tunnel keepalive, used for checking whether the GlobalProtect Gateway is up or not, cannot be adjusted. The GlobalProtect client sends a keepalive every 10 seconds, and if there is no response from the Gateway for 50 seconds, the tunnel is torn down.

The timeout value set using the commands below is the timeout between the GlobalProtect client and the firewall's GlobalProtect Portal/Gateway web server:

> configure
# set deviceconfig setting global-protect timeout <3-150>
# set deviceconfig setting global-protect keepalive <3-150>
# commit
# exit

So, changing these values will not affect the tunnel keepalives sent by the GlobalProtect client. This is a firewall setting and not a GlobalProtect client setting.
View full article
jputhenvel ‎05-09-2018 10:27 AM
11,796 Views
6 Replies
1 Like
Details
Here are some checks that should be made when Panorama is out of sync with one of many managed firewalls, or simply cannot connect to a firewall.

Check IP connectivity between the devices. Make sure port 3978 is open and available from the device to Panorama.
Make sure that a certificate has been generated or installed on Panorama.
Confirm the serial number configured in Panorama (case sensitive).
If a permitted IP list is configured for the management interface, make sure that the Panorama IP is allowed in the list. By default, all IPs are allowed if a list is not specified.
Make sure Panorama is on a version greater than or equal to that of the managed devices. Panorama can manage devices running supported PAN-OS versions of the same or a lower release.
Check MTU settings on the managed device, as the value may need to be reduced. If a device on the path is fragmenting packets, communication from the managed device to Panorama will not succeed.
Verify that there is not a large time difference between the clock (Date/Time) on Panorama and the clock (Date/Time) on the managed device.

owner: swhyte
View full article
swhyte ‎05-09-2018 10:26 AM
34,403 Views
8 Replies
2 Likes
Palo Alto Networks multi-factor authentication features, available starting with PAN-OS 8.0. This shows how to integrate with DUO Security, how to use MFA to authenticate a web application, and how to use MFA for a non-web application (requesting authentication through the GlobalProtect agent).
View full article
MarceloRey ‎05-09-2018 10:24 AM
3,722 Views
0 Replies
2 Likes