
What does not get uploaded in Config that needs changed via CLI?


L0 Member

We have a PA-500 that has a bad hard drive in it. We copied the config from the bad device and transferred it to the new RMA device they have sent us. On the GUI all the settings have transferred over just fine and nothing looks different. But when the device is in place we have network issues and it is looking like packets are being dropped (some users can get to, say, google.com while the person next to them can't). I have worked with about 6 different engineers on this issue and finally have had one notice one difference. The difference had to do with the "show running tcp state". The "bypass-exceed-oo-queue" = NO on the new device BUT was set to YES on the old device. So it does not look like this setting is transferred when you upload the config to a new device. My question is: what else is not transferred from the old device to the new one? The engineer was able to see this difference while comparing the two tech support files. Is there anything else that needs to be manually changed on the new device? I am afraid to send the defective device back if we still need to look at settings on it and make changes on the new one to match. Any help/advice would be great, and by the way we are using PAN-OS v4.1.13. Thanks in advance.

2 REPLIES

L1 Bithead

As a rule I've found that anything on the Device tab, or any configuration that can only be input through the CLI, needs to be checked that it's HA synchronized or configuration exported. The obvious stuff is the device addresses etc., but some of the other stuff is less obvious, such as how certificates are handled.

There are some configuration settings which can be configured from operational mode and therefore do not reside in the configuration file.

For example, you can configure "tcp-non-syn-check" in the following two ways:

1. Operational mode (active, but not in the config file):

   set session tcp-reject-non-syn <yes|no>

2. Configuration mode (active and in the config file):

   config
   set deviceconfig setting session tcp-reject-non-syn <yes|no>
   commit


As far as I know the only way to configure bypass-exceed-oo-queue is the following:

   config
   set deviceconfig setting tcp bypass-exceed-oo-queue <yes|no>
   commit

Though this setting should definitely have resided in the config file... is the setting really not available under the deviceconfig stanza in the exported config file?

If not, that is indeed very odd behaviour. Any statements from PAN support yet?

Regarding the general PAN TCP handling, the following document may be helpful for you:

https://live.paloaltonetworks.com/docs/DOC-1731

CU
