About niuk

niuk · ‎07-05-2016

HA Links are up , sync was fine just before commit from Panorama and is still fine

niuk · ‎07-05-2016

See below: admin@PFWP01(active)> tail mp-log ha_agent.log 2016-07-05 15:26:10.515 -0400 debug: ha_state_cfg_md5_set(src/ha_state_cfg.c:458): We were out of sync and now we are out of sync; autocommit no; ha-sync no; panorama no; cfg-sync-off no; pre-old-insync no; pre-new-insync no 2016-07-05 15:26:10.516 -0400 Warning: ha_event_log(src/ha_event.c:47): HA Group 1: Commit on peer device with running configuration not synchronized; synchronize manually 2016-07-05 15:26:11.638 -0400 debug: ha_sysd_config_status_notifier_callback(src/ha_sysd.c:2793): Ending monitor increase holdup on commit end 2016-07-05 15:26:11.638 -0400 debug: ha_state_stop_increase_monitor_holdup(src/ha_state.c:1220): Ending monitor holdup increase after commit in 60 seconds 2016-07-05 15:27:29.082 -0400 debug: ha_sysd_config_status_notifier_callback(src/ha_sysd.c:2793): Ending monitor increase holdup on commit end 2016-07-05 15:27:29.082 -0400 debug: ha_state_stop_increase_monitor_holdup(src/ha_state.c:1220): Ending monitor holdup increase after commit in 60 seconds 2016-07-05 15:27:29.082 -0400 Error: ha_state_stop_increase_monitor_holdup(src/ha_state.c:1229): Got into montior holdup increase stop without start 2016-07-05 15:30:41.732 -0400 debug: ha_sysd_config_status_notifier_callback(src/ha_sysd.c:2793): Ending monitor increase holdup on commit end 2016-07-05 15:30:41.732 -0400 debug: ha_state_stop_increase_monitor_holdup(src/ha_state.c:1220): Ending monitor holdup increase after commit in 60 seconds 2016-07-05 15:30:41.732 -0400 Error: ha_state_stop_increase_monitor_holdup(src/ha_state.c:1229): Got into montior holdup increase stop without start admin@PFWP01(active)>

niuk · ‎07-05-2016

I tried it twice, same result every time. I commited change from Panorama to Active firewall and noticed 'Not synchronized' message in Dashboard HA tab. I can't even sync Active with Passive manually. I am using 5060 with 7.1.2

niuk · ‎07-03-2016

No specific time frame, every hour or few. I've not try to turn off LACP neither ping from host behind the firewall to outside of the firewall. I was advised to trigger a GARP and catpure it.

niuk · ‎06-25-2016

I have a pair of PAN 5060 (v.7.1.2) firewalls in HA Passive/Active connected with LACP to pair of core Nexus 9000 switches. From time to time (every hour or few) connectivity to active firewall is faling (can't ping firewall LACP L3 interface ip address from core) for a few sec. When it happens I noticed presence of MAC adddress of firewall on the core switch where passive HA cluster member is connected but failover is not a case here (there is neither no reason not trace of failover). When connectivity is restored I can see MAC address of firewall back on core switch where active firewall is connected.

niuk · ‎04-14-2016

I've added -H "Accept: text/javascript, text/html, application/xml, */*" to curl but still the same error. At least I see Accept header set correctly in the request > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.18 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2 > Host: 10.95.2.234 > Accept: text/javascript, text/html, application/xml, */* > < HTTP/1.1 406 Not Acceptable < Server: < Date: Thu, 14 Apr 2016 16:56:32 GMT < Content-Type: text/html < Transfer-Encoding: chunked < Connection: keep-alive < ETag: "2b27-5c-5596c066" < X-FRAME-OPTIONS: SAMEORIGIN

niuk · ‎04-14-2016

I am running curl against the API URL where I have VM-1000-HV PAN (7.0.1) and getting ‘HTTP/1.1 406 Not Acceptable’ response (see output below). The same URL works fine in the browser (just copied and pasted to Chrome), so it is correct. $ curl -v --insecure "https://10.95.2.234/esp/restapi.esp?type=op&cmd=<show><running><resource-monitor><second></second></resource-monitor></running></show>&key=LUFRPT0wOFBSTWxOdGIvazFxRkc2b2VpZnNnTUEyc1E9QnRPY0ZGNWhMd3Rya3l6VndyZnVhUT09 =" * About to connect() to 10.95.2.234 port 443 (#0) * Trying 10.95.2.234... connected * Connected to 10.95.2.234 (10.95.2.234) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * warning: ignoring value of ssl.verifyhost * skipping SSL peer certificate verification * SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA * Server certificate: * subject: E=support@paloaltonetworks.com,CN=localhost,OU=Support,O=Palo Alto Networks,L=Sunnyvale,ST=CA,C=US * start date: Jul 12 22:18:24 2010 GMT * expire date: Jul 11 22:18:24 2020 GMT * common name: localhost * issuer: E=support@paloaltonetworks.com,CN=localhost,OU=Support,O=Palo Alto Networks,L=Sunnyvale,ST=CA,C=US > GET /esp/restapi.esp?type=op&cmd=<show><running><resource-monitor><second></second></resource-monitor></running></show>&key=LUFRPT0wOFBSTWxOdGIvazFxRkc2b2VpZnNnTUEyc1E9QnRPY0ZGNWhMd3Rya3l6VndyZnVhUT09 = HTTP/1.1 > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.18 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2 > Host: 10.95.2.234 > Accept: */* > < HTTP/1.1 406 Not Acceptable < Server: < Date: Thu, 14 Apr 2016 14:28:55 GMT < Content-Type: text/html < Transfer-Encoding: chunked < Connection: keep-alive < ETag: "2b27-5c-5596c066" < X-FRAME-OPTIONS: SAMEORIGIN < * Connection #0 to host 10.95.2.234 left intact * Closing connection #0 [irek@nms01m ~]$

niuk · ‎12-06-2014

It worked after I deleted zones and rule1 delete zone untrust network virtual-wire delete zone trust network virtual-wire delete rulebase security rules rule1

niuk · ‎12-06-2014

Trying initial setup of PA-200 using console connection (public on ethernet 1/1, no mgmt connected). I know I have to remove virtual wire, but having validation error below. Any suggestions ? delete network interface ethernet 1/1 virtual-wire delete network interface ethernet 1/2 virtual-wire delete network virtual-wire default-vwire delete network interface ethernet 1/1 virtual-wire units 1/1 Validation Error: zone -> untrust -> network -> virtual-wire 'ethernet1/1' is not a valid reference zone -> untrust -> network -> virtual-wire is invalid This operation invalidates configuration for devices -> localhost.localdomain -> vsys -> vsys1 -> zone -> untrust

niuk · ‎12-05-2014

What is my option if i don't want certificate based authentication , how do I setup whole thing so phone doesn't need certificate (credentials only)?

niuk · ‎12-05-2014

I've seen post like Re: IOS Global Protect APP - Required Client Certificate is not found but the fix was to manually import certificate to phone..How do I make my GP on droid to auto-download cert and connect ? I have same problem on Windows PC , manual cert import make the client working

niuk · ‎12-03-2014

The fix was to access web gui on port 4443....I have Global Protect configured, and believe or not , GP swings system https port to 4443

niuk · ‎12-01-2014

no NAT

niuk · ‎12-01-2014

I moved below to TOP and committed set rulebase security rules TEST from WAN-zone to WAN-zone source any destination x.x.x.x action allow service service-https application any rulebase { security { rules { TEST { from WAN-zone; to WAN-zone; source any; destination x.x.x.x; action allow; service service-https; application any; but no difference , maybe I should do service application-default , and application ssl application ssl; service application-default;

niuk · ‎12-01-2014

I looked port 443 (nothing) , and 22 (where I am actually connected) admin@PA-200-1> show session all filter destination-port 443 No Active Sessions admin@PA-200-1> show session all filter destination-port 22 -------------------------------------------------------------------------------- ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port]) Vsys Dst[Dport]/Zone (translated IP[Port]) -------------------------------------------------------------------------------- 19243 ssh ACTIVE FLOW y.y.y.y[39267]/WAN-zone/6 (y.y.y.y[39267]) vsys1 x.x.x.x[22]/WAN-zone (x.x.x.x[22]) ......

Member Since	‎11-29-2014 11:38 AM
Date Last Visited	‎06-10-2021 03:47 PM
Posts	85
Total Likes Received	14

Online Status	Offline
Date Last Visited	‎06-10-2021 03:47 PM

About niuk

Re: Errors when adding indicators to node created with stdlib.localDB proto

Re: Errors when adding indicators to node created with stdlib.localDB proto

Re: SAML (SSO) not in authentication sequence ?

Errors when adding indicators to node created with stdlib.localDB prototype

SAML (SSO) not in authentication sequence ?

Re: PAN-OS 8.0 HTTP Log Integration with Slack

PAN to send logs to Azure Log Analytics (Sentinel)

Re: Polling JSON Format for Okta

Re: Pulling threat intelligences feeds from tenable

Cannot make changes from Panorama , shows template in sync ?

How to quickly find (and remove) unused objects in policy ?

Re: Import TXT or CSV to an Address Group?

PAN sessioninfo version 2 - Snap Telemetry

Slack channel ?

Palo Alto firewall automation with Jenkins and pandevice

Re: SAML (SSO) not in authentication sequence ?

Re: How to quickly find (and remove) unused objects in policy ?

Re: Polling JSON Format for Okta

Re: How to quickly find (and remove) unused objects in policy ?

Re: Captive portal (web form) can't find action

Re: HA not synchronized after commit from Panorama

Re: HA not synchronized after commit from Panorama

HA not synchronized after commit from Panorama

Re: LACP in HA issue

LACP in HA issue

Re: ‘HTTP/1.1 406 Not Acceptable’ response from API when using CURL

‘HTTP/1.1 406 Not Acceptable’ response from API when using CURL

Re: PA-200 Initial Configuration from console only

PA-200 Initial Configuration from console only

Re: Globalprotect Mobile - no cert found

Globalprotect Mobile - no cert found

Re: Web Interface access from Internet

Re: Web Interface access from Internet

Re: Web Interface access from Internet

Re: Web Interface access from Internet

Unlock your full community experience!

About niuk