This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About niuk

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
niuk
‎06-10-2021
since ‎11-29-2014
L3 Networker
User Activity
User Profile
Latest posts by niuk
View All
User Badges
Community Statistics
Member Since ‎11-29-2014 11:38 AM
Date Last Visited ‎06-10-2021 03:47 PM
Posts 87
Total Likes Received 13

Moving rules and objects between VSYS (device groups) in Panorama

by in General Topics
‎07-11-2016 01:20 PM
‎07-11-2016 01:20 PM
I am trying to move security rules from one VSYS (or rather device group) to another VSYS in Panorama. It fails when I try to use 'Move' in GUI because objects (addresses, services) are not moved yet. But when I try to move objects I can't because they are used in rules which are not moved yet.... typical Catch22;) So I am trying to use copy in CLI instead and I know how to copy security rules in 'set' format but not sure how to display objects in 'set' format to copy them later, see below: me@Panorama# show address "A3par1m " A3par1m "A3par1sd " A3par1sd "A3par1w " A3par1w ..... I know I can use 'Clone' in GUI instead of 'Move' but then it adds '-1' to object name even if object is not existing on another VSYS (device group) ... View more

Re: LACP in HA issue

by in General Topics
‎07-06-2016 05:23 AM
‎07-06-2016 05:23 AM
Spanning tree is enabled on switch for that vlan where firewalls lives in. But there was no changes of active ports when firewall MAC appeared (on switch where Passive is connected) ... View more

Re: HA not synchronized after commit from Panorama

by in General Topics
‎07-05-2016 03:38 PM
‎07-05-2016 03:38 PM
I manusally synced Active with Passive and it worked, see output below. Sync from Passive to Active was not avail, because they are in sync now.    admin@MR-DC1-PFWP01(active)> tail mp-log ha_agent.log 2016-07-05 18:35:26.225 -0400 debug: ha_state_cfg_check_insync(src/ha_state_cfg.c:269): Group 1: cancel config sync timer 2016-07-05 18:35:29.022 -0400 debug: ha_sysd_mgmt_finsync_notifier_callback(src/ha_sysd.c:2482): Mgmtsrvr sent finsync success 2016-07-05 18:35:29.022 -0400 debug: ha_state_cfg_check_insync(src/ha_state_cfg.c:253): group 1: mgmtsrvr insync: NO; insync2: YES 2016-07-05 18:35:29.022 -0400 debug: ha_state_cfg_check_insync(src/ha_state_cfg.c:269): Group 1: cancel config sync timer 2016-07-05 18:35:29.276 -0400 debug: ha_sysd_mgmt_finsync_notifier_callback(src/ha_sysd.c:2482): Mgmtsrvr sent finsync success 2016-07-05 18:35:29.276 -0400 debug: ha_state_cfg_check_insync(src/ha_state_cfg.c:253): group 1: mgmtsrvr insync: NO; insync2: YES 2016-07-05 18:35:29.276 -0400 debug: ha_state_cfg_check_insync(src/ha_state_cfg.c:269): Group 1: cancel config sync timer 2016-07-05 18:35:29.346 -0400 debug: ha_sysd_config_status_notifier_callback(src/ha_sysd.c:2793): Ending monitor increase holdup on commit end 2016-07-05 18:35:29.346 -0400 debug: ha_state_stop_increase_monitor_holdup(src/ha_state.c:1220): Ending monitor holdup increase after commit in 60 seconds 2016-07-05 18:35:29.346 -0400 Error: ha_state_stop_increase_monitor_holdup(src/ha_state.c:1229): Got into montior holdup increase stop without start admin@MR-DC1-PFWP01(active)> ... View more

Re: HA not synchronized after commit from Panorama

by in General Topics
‎07-05-2016 12:35 PM
‎07-05-2016 12:35 PM
HA Links are up , sync was fine just before commit from Panorama and is still fine ... View more

Re: HA not synchronized after commit from Panorama

by in General Topics
‎07-05-2016 12:34 PM
‎07-05-2016 12:34 PM
See below: admin@PFWP01(active)> tail mp-log ha_agent.log 2016-07-05 15:26:10.515 -0400 debug: ha_state_cfg_md5_set(src/ha_state_cfg.c:458): We were out of sync and now we are out of sync; autocommit no; ha-sync no; panorama no; cfg-sync-off no; pre-old-insync no; pre-new-insync no 2016-07-05 15:26:10.516 -0400 Warning: ha_event_log(src/ha_event.c:47): HA Group 1: Commit on peer device with running configuration not synchronized; synchronize manually 2016-07-05 15:26:11.638 -0400 debug: ha_sysd_config_status_notifier_callback(src/ha_sysd.c:2793): Ending monitor increase holdup on commit end 2016-07-05 15:26:11.638 -0400 debug: ha_state_stop_increase_monitor_holdup(src/ha_state.c:1220): Ending monitor holdup increase after commit in 60 seconds 2016-07-05 15:27:29.082 -0400 debug: ha_sysd_config_status_notifier_callback(src/ha_sysd.c:2793): Ending monitor increase holdup on commit end 2016-07-05 15:27:29.082 -0400 debug: ha_state_stop_increase_monitor_holdup(src/ha_state.c:1220): Ending monitor holdup increase after commit in 60 seconds 2016-07-05 15:27:29.082 -0400 Error: ha_state_stop_increase_monitor_holdup(src/ha_state.c:1229): Got into montior holdup increase stop without start 2016-07-05 15:30:41.732 -0400 debug: ha_sysd_config_status_notifier_callback(src/ha_sysd.c:2793): Ending monitor increase holdup on commit end 2016-07-05 15:30:41.732 -0400 debug: ha_state_stop_increase_monitor_holdup(src/ha_state.c:1220): Ending monitor holdup increase after commit in 60 seconds 2016-07-05 15:30:41.732 -0400 Error: ha_state_stop_increase_monitor_holdup(src/ha_state.c:1229): Got into montior holdup increase stop without start admin@PFWP01(active)> ... View more

HA not synchronized after commit from Panorama

by in General Topics
‎07-05-2016 11:50 AM
‎07-05-2016 11:50 AM
I tried it twice, same result every time. I commited change from Panorama to Active firewall and noticed 'Not synchronized' message in Dashboard HA tab. I can't even sync Active with Passive manually. I am using 5060 with 7.1.2  ... View more

Re: LACP in HA issue

by in General Topics
‎07-03-2016 04:17 AM
‎07-03-2016 04:17 AM
No specific time frame, every hour or few. I've not try to turn off LACP neither ping from host behind the firewall to outside of the firewall. I was advised to trigger a GARP and catpure it.  ... View more

LACP in HA issue

by in General Topics
‎06-25-2016 05:47 AM
‎06-25-2016 05:47 AM
I have a pair of PAN 5060 (v.7.1.2) firewalls  in HA Passive/Active connected with LACP to pair of core Nexus 9000 switches. From time to time (every hour or few) connectivity to active firewall is faling (can't ping firewall LACP L3 interface ip address from core) for a few sec. When it happens I noticed presence of MAC adddress of firewall on the core switch where passive HA cluster member is connected but failover is not a case here (there is neither no reason not trace of failover).  When connectivity is restored I can see MAC address of firewall back on core switch where active firewall is connected. ... View more

Re: ‘HTTP/1.1 406 Not Acceptable’ response from API when using CURL

by in Automation/API Discussions
‎04-14-2016 09:57 AM
‎04-14-2016 09:57 AM
I've added -H "Accept: text/javascript, text/html, application/xml, */*" to curl but still the same error. At least I see Accept header set correctly in the request   > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.18 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2 > Host: 10.95.2.234 > Accept: text/javascript, text/html, application/xml, */* > < HTTP/1.1 406 Not Acceptable < Server: < Date: Thu, 14 Apr 2016 16:56:32 GMT < Content-Type: text/html < Transfer-Encoding: chunked < Connection: keep-alive < ETag: "2b27-5c-5596c066" < X-FRAME-OPTIONS: SAMEORIGIN ... View more

‘HTTP/1.1 406 Not Acceptable’ response from API when using CURL

by in Automation/API Discussions
‎04-14-2016 09:40 AM
‎04-14-2016 09:40 AM
I am running curl against the API URL where I have VM-1000-HV PAN (7.0.1) and getting ‘HTTP/1.1 406 Not Acceptable’ response (see output below). The same URL works fine in the browser (just copied and pasted to Chrome), so it is correct.   $ curl -v --insecure "https://10.95.2.234/esp/restapi.esp?type=op&cmd=<show><running><resource-monitor><second></second></resource-monitor></running></show>&key=LUFRPT0wOFBSTWxOdGIvazFxRkc2b2VpZnNnTUEyc1E9QnRPY0ZGNWhMd3Rya3l6VndyZnVhUT09 =" * About to connect() to 10.95.2.234 port 443 (#0) *   Trying 10.95.2.234... connected * Connected to 10.95.2.234 (10.95.2.234) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * warning: ignoring value of ssl.verifyhost * skipping SSL peer certificate verification * SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA * Server certificate: *       subject: E=support@paloaltonetworks.com,CN=localhost,OU=Support,O=Palo Alto Networks,L=Sunnyvale,ST=CA,C=US *       start date: Jul 12 22:18:24 2010 GMT *       expire date: Jul 11 22:18:24 2020 GMT *       common name: localhost *       issuer: E=support@paloaltonetworks.com,CN=localhost,OU=Support,O=Palo Alto Networks,L=Sunnyvale,ST=CA,C=US > GET /esp/restapi.esp?type=op&cmd=<show><running><resource-monitor><second></second></resource-monitor></running></show>&key=LUFRPT0wOFBSTWxOdGIvazFxRkc2b2VpZnNnTUEyc1E9QnRPY0ZGNWhMd3Rya3l6VndyZnVhUT09 = HTTP/1.1 > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.18 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2 > Host: 10.95.2.234 > Accept: */* > < HTTP/1.1 406 Not Acceptable < Server: < Date: Thu, 14 Apr 2016 14:28:55 GMT < Content-Type: text/html < Transfer-Encoding: chunked < Connection: keep-alive < ETag: "2b27-5c-5596c066" < X-FRAME-OPTIONS: SAMEORIGIN < * Connection #0 to host 10.95.2.234 left intact * Closing connection #0 [irek@nms01m ~]$   ... View more

Re: PA-200 Initial Configuration from console only

by in General Topics
‎12-06-2014 12:48 PM
‎12-06-2014 12:48 PM
It worked  after I deleted zones and rule1 delete zone untrust network virtual-wire delete zone trust network virtual-wire delete rulebase security rules rule1 ... View more

PA-200 Initial Configuration from console only

by in General Topics
‎12-06-2014 10:28 AM
‎12-06-2014 10:28 AM
Trying initial setup of PA-200 using console connection (public on ethernet 1/1, no mgmt connected). I know I have to remove virtual wire, but having validation error below. Any suggestions ? delete network interface ethernet 1/1 virtual-wire delete network interface ethernet 1/2 virtual-wire delete network virtual-wire default-vwire delete network interface ethernet 1/1 virtual-wire units 1/1 Validation Error:                                                               zone -> untrust -> network -> virtual-wire 'ethernet1/1' is not a valid reference zone -> untrust -> network -> virtual-wire is invalid                           This operation invalidates configuration for devices -> localhost.localdomain -> vsys -> vsys1 -> zone -> untrust ... View more
Labels:

Re: Globalprotect Mobile - no cert found

by in General Topics
‎12-05-2014 10:09 AM
‎12-05-2014 10:09 AM
What is my option if i don't want certificate based authentication , how do I setup whole thing  so phone doesn't need certificate (credentials only)? ... View more

Globalprotect Mobile - no cert found

by in General Topics
‎12-05-2014 05:54 AM
‎12-05-2014 05:54 AM
I've seen post like Re: IOS Global Protect APP - Required Client Certificate is not found but the fix was to manually import certificate to phone..How do I make my GP on droid to auto-download cert and connect ? I have same problem on Windows PC , manual cert import make the client working ... View more

Re: Web Interface access from Internet

by in General Topics
‎12-03-2014 04:26 AM
‎12-03-2014 04:26 AM
The fix was to access web gui on port 4443....I have Global Protect configured, and  believe or not , GP swings system https port to 4443 ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎06-10-2021 03:47 PM
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks