General Articles
LIVEcommunity's General Articles area is home to how-to resources, technical documentation, and discussions with Accepted Solutions that turn into articles related to all Palo Alto Networks products.
This Nominated Discussion Article is based on the post "HSCI and HA" by @Ramakrishnan and answered by @reaper and @aleksandar.astardzhiev.

Question:

Folks, I would like to understand the difference between HSCI and HA1, HA1B, HA2, HA2B. As per my understanding, HA1 is for control and HA1B is its backup link; HA2 is for data and HA2B is its backup link. Control carries heartbeats and communication; data traffic carries the IP table, ARP table, and session table? Is that correct?

For stateful session sync, "must" we use the HSCI link, or can it be used over HA2?

I have little expertise in PA, and I have never seen such an implementation. Can you please clarify? Your swift response is much appreciated.

Response:

HA1 is the 'brains' of the HA cluster, sharing configuration, routing information, control messages to see if the peer is alive and functional, etc.

HA1b is a backup link (if for some reason HA1 is disconnected but both firewalls are still fully functional, they will assume the remote peer is down and both start accepting packets at the same time; this is not fun to have happen, so make sure to set up HA1b).

HA2 is where the session table gets synced, so if a firewall goes down the peer can pick up existing sessions; HA2b is the backup link.

You are not required to use the HSCI link; you can assign the type 'HA' to dataplane interfaces and use those instead. You cannot use HSCI for HA1 connections, but you should either use the dedicated HA1a/HA1b, the AUX1/AUX2, or dataplane interfaces (dedicated links preferred).

Please check the following documentation:
- https://docs.paloaltonetworks.com/hardware/pa-1400-hardware-reference/pa-1400-series-overview/front-panel-1400-series
- https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links/ha-ports-on-the-pa-7000-series-firewall

HSCI is a high speed interface whose main purpose is to be used for HA2.

As @reaper already mentioned, HA2 is the data link; it is used to sync session information between the two HA members (and also to forward traffic in case you use active/active). So if you have the physical capability to connect both members directly (no routers, no switches, no other intermediate devices), it is always recommended to use the HSCI for HA2.

If you cannot connect both peers directly, you can reserve one of the dataplane interfaces for HA and then configure HA2 to use that dataplane interface. By default no dataplane interface is reserved for HA, which is why when you try to edit HA your dropdown offers only HSCI.

Regarding the IP addresses: as you can see from the above links, HSCI is a layer 1 interface, so you must use "ethernet" for HA2 transport, which uses PAN custom/proprietary ethernet frames that do not use IP addresses. So even if you set some addresses, they will be ignored if transport is set to ethernet.

Transport: choose one of the following transport options:
- Ethernet: use when the firewalls are connected back-to-back or through a switch (Ethertype 0x7261).
- IP: use when Layer 3 transport is required (IP protocol number 99).
- UDP: use to take advantage of the fact that the checksum is calculated on the entire packet rather than just the header, as in the IP option (UDP port 29281). The benefit of using UDP mode is the presence of the UDP checksum to verify the integrity of a session sync message.

For HA1 you must use IP addresses, and you must have different addresses for each member. If you connect them directly, you have to specify the same subnet. If they are not connected directly, you should configure a gateway which will route between the two networks.
Factory resetting your firewall is a drastic step that should only be taken when necessary and with careful consideration. A factory reset erases all configurations and data on the firewall. If you decide a factory reset is the route you need to take, back up your existing configuration first and keep a tech support file on hand for that device.

Steps to Factory Reset Your VM-Series Firewall

1. Log in to the CLI and enter the following command:
   debug system maintenance-mode
   Once entered, your VM-Series will reboot into maintenance mode.

2. Continue in maintenance mode and select "Factory Reset".

3. Select and press Enter while on "Factory Reset". Your firewall will then go through the reset process.

4. Once complete, select and press Enter on "Reboot".

Your VM-Series Firewall will then reboot normally and you will have a fresh image of PAN-OS. Wait for the "PA-VM:" login prompt before entering the default credentials.
This Nominated Discussion Article is based on the post "CLI Guide Needed for Palo Alto FW" by @ganeshprasad and answered by @Raido_Rattameister. Read on to see how you can find commands in the CLI!

Question:

Hello All,

Please share with me the Palo Alto CLI guide which has all the command lines.

Solution:

HTML: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-cli-quick-start/use-the-cli

PDF: https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/11-0/pan-os-cli-quick-start/pan-os-cli-quick-start.pdf

You can also find commands using the find command. For example, searching for "license":

    > find command keyword license
    delete license key <value>
    delete license token-file <value>
    show oss-license
    show running url-license
    show license-token-files name <value>
    debug dataplane ctd-agent license
    request license install <value>
    request license info
    request license fetch auth-code <value>
    request license api-key set key <value>
    request license api-key delete
    request license api-key show
    request license deactivate VM-Capacity mode <auto|manual>
    request license deactivate key mode <auto|manual> features
    request license deactivate key mode <auto|manual> features [ <features1> <features2>... ]
    request dnsproxy license refresh
    scp import license from <value> remote-port <1-65535> source-ip <ip/netmask>
    scp export license-token-file from <value> to <value> remote-port <1-65535> source-ip <ip/netmask>
    tftp import license from <value> file <value> remote-port <1-65535> source-ip <ip/netmask>
    tftp export license-token-file from <value> to <value> remote-port <1-65535> source-ip <ip/netmask>
    > configure
    Entering configuration mode
    [edit]
    # find command keyword license
    set shared admin-role <name> role device webui device licenses <enable|read-only|disable>
Real-time retrieval of WildFire signatures, WildFire Inline ML and Advanced Wildfire that are available for Palo Alto NGFW and Prisma Access SASE.