About Rajesh12

You can update the below service route with int1/1 so that software updates will be done by using data plane port.   Also ensure below items were checked before upgrading the firewalls. You have valid licenses applied on firewalls and firewalls are registered in support portal. DNS servers are configured. Dynamic updates installed should be of latest version       ... View more

Thanks @fjwcash . In my case I have firewalls of which some use private IP of panorama and others use public IP of panorama. So If I configure public IP for mgmt interface of Panorama, does my firewalls which use private IP of panorama will also receive POST message with Public IP of Panorama? ... View more

@Nizmytom    What is the internet URL name? Also what does threat log shows for TCP 80 traffic, how does it categorized (Malware, virus etc..)? Do you see any threat log for TCP 443 traffic? Is the traffic of both 443 and 80 hitting same rule? If hitting different rules, does both rules have same security profile groups/threat profiles applied or is there any difference? ... View more

Agreed @fjwcash . I actually had the same issue now with Panorama sending its private IP in the POST message. Luckily my firewall had internal connection also. So for now I was just relying on service routes to solve this.   Any idea why they have changed this behavior?   Also if we update public IP of panorama in mgmt interface settings, will the POST message in payload will be updated with public IP?  ... View more

Mighty restart to the rescue. Glad your issue is resolved @rjdahav163  ... View more

@rjdahav163    Whenever you try to ping an IP from firewall, by default it will use your mgmt plane and then will forward traffic to gateway configured for mgmt plane. It wont look up firewalls routing table. If you specify source as specific data plane interface, then it will use that interface IP as source and will look into your routing table to forward the traffic.   for ping host 1.2.3.4 It is expected to go through mgmt plane as you have not defined any specific source. Validate if anything is blocking this PING traffic on the gateway of your mgmt plane or on further hops.   for ping source <our_public_interface_addr> host 1.2.3.4 This sounds like intrazone traffic and will exit through your external interface. There is chance that you might not notice traffic log for this if log generation is not enabled on default intrazone rule. Also as peer device is PA, validate if you have applied any interface management profile on the external interface of peer firewall which is restricting PING to only certain IP's. ... View more

@zachzoom    Yes, it will show up in Threat Vault when once PA defined signatures for it. ... View more

Thanks for your inputs @BPry  and @MP18.    Yes, functionality remains same for most of the part. But I actually was looking for step by step process that will be taken place during the scheduled updates. As per the traffic logs analysis that I have done yesterday, below is my understanding.   Before PAN OS 8.0 1. Panorama initiates connection to managed firewall during the schedule time on port TCP 3978. 2. Panorama pushes the package to managed firewall by using same connection.   From PAN OS 8.0 1. Panorama initiates connection to managed firewall during the schedule time on port TCP 3978. 2. In response, managed firewall initiate new connection to panorama on port TCP 28433 to pull the updates (because I noticed logs where firewall initiate connection to Panorama to pull the updates instead of using earlier connection).   Please correct me if I'm missing anything.     Cheers! ... View more

@RREALICA    PA have not released signature for this vulnerability yet. But you can monitor it at threat vault.   https://threatvault.paloaltonetworks.com/ ... View more