About S.Cantwell

Hello   I am not sure that we are supposed to be increasing the default size of the FWs. The customer should make a decision to purchase either a Azure-based Panorama (for collecting the logs), implement a Cortex Data Lake (for collecting logs and machine learning analysis), or consider what logs need to be tracked.   30% of the hard drive is partitioned for Traffic logs. 16% of the hardware is partitioned for Threat Logs 4% for Configuration Logs 4% for System logs.   MUST ALL traffic from the be logged?  Example of traffic that would not needed to be (web-browsing, dns, ssl), as these are applications that log quickly, filling up the hardware drive.  With proper planning, perhaps a balance could be determined to see IF there is a need to change the % of the partitions around.   From the gui of the FW, the person should go to the Device Log --> Setup --> Logging and Reporting (it is the 3rd tile DOWN within setup).... Modify this section,which by default does not have any days for logs to last, as shown in my example below     After the commit, one should (1x/week) ssh into the FW to issue this command > show system logdb-quota   The output (in about 30 secs or less) will tell you what percentage you have configured for traffic, and it also tell you how much you have used to date.     Quotas: system: 0.75%, 0.032 GB Expiration-period: 30 days config: 0.75%, 0.032 GB Expiration-period: 30 days alarm: 0.75%, 0.032 GB Expiration-period: 30 days appstat: 0.75%, 0.032 GB Expiration-period: 30 days hip-reports: 0.75%, 0.032 GB Expiration-period: 30 days traffic: 48.39%, 2.056 GB Expiration-period: 180 days threat: 25.00%, 1.062 GB Expiration-period: 180 days Disk usage: traffic: Logs and Indexes: 2.1G Current Retention: 96 days threat: Logs and Indexes: 1.1G Current Retention: 48 days system: Logs and Indexes: 32M Current Retention: 4 days config: Logs and Indexes: 33M Current Retention: 12 days       ... View more

Hello   Your Panorama should be the same version (or higher) of your FWs, so you Panorama should be 9.0.10. As for your FWs.  I would strongly recommend (confirm) that you require the 9.0.9HF-1... does it solve your issue. Else, if you are not certain, then I would recommend that you keep your FWs at 9.0.10 as well. I would NOT recommend keeping FWs at 8.0 level, per PANW recommendations. The 8.0.x has gone end of life, as of about 1 year ago (Oct 2019)     ... View more

Good Day   You will be using the forward portion of the Log Forwarding Profile.   https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/configure-log-forwarding.html   Essentially   Create the profile. Add in what notifications you want (Threat logs... ok... ALL logs?... log geq medium? ok.) Where do you want these log messages to be fwd to?  SNMP, email, syslog, Panorama. ok... good Next, modify your security policy and apply the log forward profile to whatever rules you want to be, well, log forwarded to.   Let me know how else I can assist. ... View more

Hi Mike   From a RO account, there is the command "show config running" and the output is in xml format.   testadminro@Cantwell-PA-220> show config running config { preferences { saved-log-query { traffic { h323 { query "( addr.src in 172.17.13.13 ) and ( app neq dns ) and ( app neq dhcp ) and ( app neq ntp ) and ( receive_time geq '2019/01/14 16:59:32' )"; } } } } } expedition { permissions { role-based { superuser yes; } } phash ********; } fred; testadmin { permissions { role-based { custom {   So, to summarize, there does not seem a good ability to load a config in "set" notation, but could export with 1000s of lines as XML.   Any other questions I can answer for you?     ... View more

from cli, the admin role would be deviceadmin.   I tried deviceadmin-readonly.. and naturally the choices are different   as deviceadmin   testadmin@Cantwell-PA-220# check Check configuration status commit Commit current set of changes copy Copy a statement delete Delete a data element edit Edit a sub-element exit Exit from this level find Find CLI commands with keyword load Load configuration from disk move Move a node within an ordered collection override Override a template element quit Quit from this level rename Rename a statement revert Revert changes from configuration run Run an operational-mode command save Save configuration to disk   The deviceadmin-readonly does not offer the same choice:   testadminro@Cantwell-PA-220# check Check configuration status edit Edit a sub-element exit Exit from this level find Find CLI commands with keyword quit Quit from this level run Run an operational-mode command show Show a parameter top Exit to top level of configuration up Exit one level of configuration   Just remember a deviceadmin from CLI can make whatever changes they want... they ARE a device admin, with full capabilities.   There is NO ability to restrict an account to ONLY allow saves/backups individually.     ... View more

Are you looking at the Panorama logs? Can you upload screen captures from devices, so we can visually see what you are explaining to us? ... View more

Hello   I must admit, I am a little confused by what I am reading/understanding.   Are we to understand that the user information originally WAS there, and then...just disappeared, only to show back up again?   Perhaps you can upload a few screen captures   to better illustrate what you are attempting to describe?   Thank you. ... View more

Scottt   Ensure all 4 remote networks (from the Cisco side) are configured as Proxy IDs in the PANW FW. Ensure that the routing table on the PANW shows 4 routes, one for each proxy ID network, that you created.   Thanks   Steve  ... View more

Hello   This is something (I believe) that the Admin team could create a ticket and assign the to the correct group within PANW. ... View more

Hello   I would probably best refer you to this section of the Admin guide for DHCP option assistance.   https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/dhcp.html ... View more

Good Day   Per the other response I provided, I believe this information should be created in a web ticket, and have TAC forward this information over to Unit 42, which the group responsible for Threat Intelligence.   Thank you. ... View more

Good Day   I may not have the "official" response, but what I would do is... create a support ticket with those public IPs in it, and put into the notes of the case, why you believe these IPs should be added, evidence to support it, etc.  The more detail you can, the better.   And then I would ask that this information/ticket be sent over to Unit42 within PANW, which handles threat intelligence for their perusal and consideration.   Thank you. ... View more

Hello   Agreed!  If you need VLAN 176, you may need to rethink your deployment.   You could be very easy to use a feature called VWire, to connect from the clinic switch, to the (upstream device) that is allowing P2P (some interconnecting switch or whatever.   Consider that Vwire is sort of like a "intelligent" repeater.  Whatever is plugged into (port 3) goes out port 4. A bump in the wire. No L2 or Layer3 addressing (no mac or spanning tree, and definitely no routing)   Just create a VWire object, and assign 2 ports (not your L3 interfaces) and create 2 more zones (untrusted-vwire and trusted-vwire)   You may need to create similar policies to mimic what you have.   If you do this, then you would not even need routing, the traffic goes from vlan176 in the clinic, through the FW, through the P2P to the other side, by the hospital.   Just an idea.     ... View more

Hello there.   The licensed date is the last date that the customer is entitled to support from PANW.   The licensed date, is the last date that any updates (dynamic or otherwise) could be installed on the FW.   AV is released every 24 hours. No more AV after (whatever date) in Nov 2020   AppID and Content ID is done weekly. After (whatever date) no additional Threats signatures could be downloaded.   WF is done every 1 minute.   After (whatever date) in November, there would be no additional WF upates.   PAN-DB (This is the biggie) After (whatever date), there is NO more PAN-DB url categories on the FW. Traffic would be not be inspected for match condition or URL categories in URL Filtering.   Summary.... while it may be "ok" to let license for Content-ID and WF to lapse, PAN-DB should not be allowed to lapse.   Thank you.   ... View more

Good Morning.   Are you doing anything with UserID within your environment.   Can you look at the UserID agent (local on FW, or on a Windows server) and find the tab called Probing. Ensure that there is NO probing enabled for either UserID agent.   I think this could be the issue (I do not have the issue, just trying to offer how to perhaps disable it) ... View more