What does not get uploaded in Config that needs changed via CLI?

L0 Member

We have a PA-500 that has a bad hard drive in it. We copied the config from the bad device and transferred it to the new RMA device they have sent us. On the GUI all the settings have transferred over just fine and nothing looks different. But when the device is in place we have network issues and it is looking like packets are being dropped (some users can get to, say, google.com while the person next to them can't). I have worked with about 6 different engineers on this issue and finally have had one notice one difference. The difference had to do with the "show running tcp state". The "bypass-exceed-oo-queue" = NO on the new device BUT was set to YES on the old device. So it does not look like this setting is transferred when you upload the config to a new device. My question is: what else is not transferred from the old device to the new one? The engineer was able to see this difference while comparing the two tech support files. Is there anything else that needs to be manually changed on the new device? I am afraid to send the defective device back if we still need to look at settings on it and make changes on the new one to match. Any help/advice would be great, and by the way we are using PAN-OS v4.1.13. Thanks in advance.

L1 Bithead

As a rule I've found that anything on the Device tab, or any configuration that can only be input through the CLI, needs to be checked to see whether it's HA synchronized or exported with the configuration. The obvious stuff is the device addresses etc., but some of the other stuff is less obvious, such as how certificates are handled.

L2 Linker

There are some configuration settings which can be configured from operational mode and therefore do not reside in the configuration file.

For example you can configure "tcp-non-syn-check" in the following two ways:

1.

set session tcp-reject-non-syn <yes|no>  -> active but not in the config file....

2.

config
set deviceconfig setting session tcp-reject-non-syn <yes|no>
commit  ->  active and in the config file...


As far as I know the only way to configure the bypass-exceed-oo-queue is the following:

config
set deviceconfig setting tcp bypass-exceed-oo-queue <yes|no>
commit

Though this setting should definitely have resided in the config file.... Is the setting really not available under the deviceconfig stanza in the exported config file?

If not, that is indeed very odd behaviour. Any statements from PAN support yet?

Regarding the general PAN TCP handling, the following document may be helpful for you:

https://live.paloaltonetworks.com/docs/DOC-1731

CU
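As an added illustration of the check the question describes (comparing the two tech support files) and of the point in this reply (settings applied in operational mode are active but absent from the config file), here is a small Python script that is not from the thread or from Palo Alto Networks. It diffs the per-setting state of the old and new device and flags which of the differing settings the exported configuration does not carry, so they have to be set again on the replacement box. The "key: value" dump format, the field names and the XML layout are constructed assumptions for the example; the real "show running tcp state" output would need its own parser.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample dumps in "key: value" form, standing in for the per-setting
# lines of a "show running tcp state" output from the old and the new device.
# The real PAN-OS output layout is not shown in the thread; the field names and
# the line format here are assumptions made for this example.
OLD_DEVICE_STATE = """\
tcp-reject-non-syn: no
bypass-exceed-oo-queue: yes
tcp-drop-out-of-wnd: no
"""
NEW_DEVICE_STATE = """\
tcp-reject-non-syn: yes
bypass-exceed-oo-queue: no
tcp-drop-out-of-wnd: no
"""

# Constructed fragment of an exported configuration. Only the deviceconfig/setting
# stanza matters here; the surrounding element names are assumed for the example.
EXPORTED_CONFIG = """\
<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <setting>
          <session>
            <tcp-reject-non-syn>yes</tcp-reject-non-syn>
          </session>
        </setting>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

STATE_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*[:=]\s*(.+?)\s*$")


def parse_state(text):
    """Turn a key/value dump into a dict; lines that do not match are ignored."""
    settings = {}
    for line in text.splitlines():
        m = STATE_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def diff_state(old, new):
    """{key: (old_value, new_value)} for every key whose value differs or that
    exists on only one side (the missing side is reported as None)."""
    changed = {}
    for key in set(old) | set(new):
        if old.get(key) != new.get(key):
            changed[key] = (old.get(key), new.get(key))
    return changed


def exported_setting_keys(config_xml):
    """Leaf element names under deviceconfig/setting in the exported config,
    i.e. the settings the config file would actually carry to a replacement."""
    root = ET.fromstring(config_xml)
    keys = set()
    for setting in root.findall(".//deviceconfig/setting"):
        for el in setting.iter():
            if len(el) == 0:          # leaf element = one concrete setting
                keys.add(el.tag)
    return keys


def audit(old_text, new_text, config_xml):
    """Rows (key, old, new, status) for each difference between the two
    running states. status is "config" when the exported config carries the
    setting (re-check the committed value) and "missing" when it does not,
    meaning the setting has to be set again on the new device by hand."""
    in_config = exported_setting_keys(config_xml)
    rows = []
    changes = diff_state(parse_state(old_text), parse_state(new_text))
    for key, (old, new) in changes.items():
        status = "config" if key in in_config else "missing"
        rows.append((key, old, new, status))
    return sorted(rows)


def render(rows):
    """Human-readable report, one line per differing setting."""
    lines = []
    for key, old, new, status in rows:
        note = ("present in exported config, verify the committed value"
                if status == "config"
                else "not in exported config, set it on the new device via CLI")
        lines.append(f"{key}: old={old} new={new} -> {note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(audit(OLD_DEVICE_STATE, NEW_DEVICE_STATE, EXPORTED_CONFIG)))
```

With the constructed inputs, bypass-exceed-oo-queue is reported as "missing" (it changed between the devices and the exported config has no element for it), while tcp-reject-non-syn is reported as "config" because the exported file carries it and only its value needs checking after the commit. Run the same audit over every state dump you care about before the defective unit goes back.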
