About licenselu

Hello, LDAP configuration is not required if you're not using usergroup in the policies. We had the same problem (on time) with a PA-500. We upgraded to the last version of the PAN agent and PANOS 4.1.8. Problem solved... Regards, HA ... View more

Hello, Richard, I think the forum is a also good place to listen for the customer request. My customers also asked me this feature. By the way, Checkpoint support it... Regards, HA ... View more

Hello, I have updated a cluster of PA500 yesterday. The sync issue is now solved... Regards, HA ... View more

Hello, I have such configuration for a lot of customers (mainly banks). We use VLAN to provide L2 connectivity between the sites. One VLAN for Control plane (2 interfaces for redundancy) and one VLAN for Data plane (also 2 interfaces for redundancy). If you use Cisco switches, disable IGMP snooping for theses VLANS. This is not required but it's just an advice... PS : Putting the name of the company inside the doc its' not really a good idea... Regards, HA ... View more

Hello, I got the following official response from the TAC "We are aware of this issue which was introduced after PanOS 4.1.8.   Our devteam is currently working on a fix for this issue.   The workaround for now is to manually do the sync command in CLI." Regards, HA ... View more

Hello, Sorry for the confusion. Fortinet and Sonicwall - Does not provide user feedback when an application is blocked (page simply times out). Could lead to high numbers call from end users... - Does not allow to use directly AD group name in the policy (need to a group locally then create the mapping between local and AD group) - Does not allow to use AD user in the policy (only groups though group mapping) - Fortinet : Flow based AV does NOT scan compressed files (ZIP, etc). Sonicwall: can't remember... - Exception for SSL Insection must be done in CLI (Fortinet). Sonicwall: can't remember... - Reporting needs an extra box (FortiAnalyzer for Forti and Viewpoint for Sonic). Regards, HA ... View more

Hello, Just to clarify : "Fortinet could only do buffered antivirus scanning." That's not true ! Fortinet can also do stream based scanning BUT cannot scan compressed file (like zip file for example). If application control is key of the project, there's ONLY one way: Palo Alto. Another benefit is the single path architecture, even if you enable all 'UTM' features like AV, IPS, etc the throughput remains constant Other brand are based on an overlay model: more features you add, less performance you have. PA benefit over Fortinet and Sonicwall - Does not provide user feedback when an application is blocked (page simply times out). Could lead to high numbers call from end users... - Does not allow to use directly AD group name in the policy (need to a group locally then create the mapping between local and AD group) - Does not allow to use AD user in the policy (only groups though group mapping) - Fortinet : Flow based AV does NOT scan compressed files (ZIP, etc). Sonicwall: can't remember... - Exception for SSL Insection must be done in CLI (Fortinet). Sonicwall: can't remember... - Reporting needs an extra box (FortiAnalyzer for Forti and Viewpoint for Sonic). Hope it can help you Regards, HA ... View more

The reboot didn't change anything. ... View more

Hello, That's result of the command on both FW Active FW --------- Oct 03 12:07:14 cfgagent_flags_callback(pan_cfgagent.c:178): ha_agent: cfg agent received flags from server Oct 03 12:07:14 cfgagent_flags_callback(pan_cfgagent.c:182): new flags=0x6 Oct 03 12:07:14 cfgagent_config_callback(pan_cfgagent.c:203): ha_agent: cfg agent received configuration from server Oct 03 12:07:14 cfgagent_config_callback(pan_cfgagent.c:219): config length=30532 Oct 03 12:07:14 ha_cfgagent_phase1(src/ha_cfgagent.c:514): start Oct 03 12:07:14 ha_cfgagent_phase1_callback(src/ha_cfgagent.c:454): start Oct 03 12:07:14 ha_state_cfg_commit_start(src/ha_state_cfg.c:512): Starting monitor hold (no timeout) during phase1 Oct 03 12:07:14 ha_cfgagent_phase1_callback(src/ha_cfgagent.c:485): sending back true for p1done Oct 03 12:07:49 ha_cfgagent_phase2(src/ha_cfgagent.c:691): start Oct 03 12:07:49 ha_cfgagent_phase2_callback(src/ha_cfgagent.c:639): start Oct 03 12:07:49 ha_cfgagent_phase2_callback(src/ha_cfgagent.c:666): sending back true for p2done Oct 03 12:07:49 ha_state_cfg_commit_succeed(src/ha_state_cfg.c:563): Starting monitor hold after commit Oct 03 12:07:49 ha_state_start_monitor_hold(src/ha_state.c:973): Starting initial monitor hold for group 1; linkmon monitored         Ignoring link and path monitoring failures due to an HA state transition Oct 03 12:07:53 Error: ha_ping_send(src/ha_ping.c:488): Unable to send icmp packet:(errno: 22) Invalid argument Oct 03 12:07:53 Error: ha_ping_send(src/ha_ping.c:488): Unable to send icmp packet:(errno: 22) Invalid argument Oct 03 12:07:54 Error: ha_ping_send(src/ha_ping.c:488): Unable to send icmp packet:(errno: 22) Invalid argument Oct 03 12:07:54 Received HA1 MAC address: 00:1b:17:54:f3:13 Oct 03 12:07:54 Received HA2 MAC address: 00:1b:17:54:f3:15 Oct 03 12:07:54 Received HA2 MAC address: 00:1b:17:54:f3:15 Oct 03 12:07:55 Error: ha_ping_peer_miss(src/ha_ping.c:554): Missed 1 ping timeouts out of 3 (ha1) Oct 03 12:07:56 Error: ha_ping_send(src/ha_ping.c:488): Unable to send icmp packet:(errno: 22) Invalid argument Oct 03 12:07:56 ha_sysd_config_md5_notifier_callback(src/ha_sysd.c:2615): Got new config md5: ed4dfc17e96c6dacdc0f8a9e72f60fa4 Oct 03 12:07:56 ha_state_cfg_md5_set(src/ha_state_cfg.c:411): We were in sync and now we are out of sync; autocommit no; ha-sync yes; cfg-sync-off no Oct 03 12:07:56 ha_peer_send_hello(src/ha_peer.c:3950): Group 1 (HA1-MAIN): Sending hello message Hello Msg --------- flags    : 0x1 (preempt:) state    : Active (5) priority : 10 cookie   : 59474 num tlvs : 2   Printing out 2 tlvs   TLV[1]: type 2 (CONFIG_MD5SUM); len 33; value:     65643464 66633137 65393663 36646163 64633066 38613965     37326636 30666134 00   TLV[2]: type 11 (SYSD_PEER_DOWN); len 4; value:     00000000 Oct 03 12:07:57 Error: ha_ping_send(src/ha_ping.c:488): Unable to send icmp packet:(errno: 22) Invalid argument Oct 03 12:07:57 Received HA1-Backup MAC address: 00:1b:17:54:f3:14 Oct 03 12:07:57 Received HA2-Backup MAC address: 00:1b:17:54:f3:16 Oct 03 12:07:57 Received HA2-Backup MAC address: 00:1b:17:54:f3:16 Oct 03 12:07:58 Error: ha_ping_peer_miss(src/ha_ping.c:554): Missed 1 ping timeouts out of 3 (ha1-backup) Oct 03 12:08:49 ha_state_monitor_hold_callback(src/ha_state.c:1688): Group 1: ending initial monitor hold; no longer ignoring link and path monitoring failures due to an HA state transition Passive FW ---------- Oct 03 12:07:54 Error: ha_ping_peer_miss(src/ha_ping.c:554): Missed 1 ping timeouts out of 3 (ha1) Oct 03 12:07:56 ha_peer_recv_hello(src/ha_peer.c:3998): Group 1 (HA1-MAIN): Receiving hello message Msg Hdr ------- version : 1 groupID : 1 type    : Hello (2) token   : 0x4e35 flags   : 0x1 (req:) length  : 81   Hello Msg   ---------   flags    : 0x1 (preempt:)   state    : Active (5)   priority : 10   cookie   : 59474   num tlvs : 2     Printing out 2 tlvs     TLV[1]: type 2 (CONFIG_MD5SUM); len 33; value:       65643464 66633137 65393663 36646163 64633066 38613965       37326636 30666134 00     TLV[2]: type 11 (SYSD_PEER_DOWN); len 4; value:       00000000 Oct 03 12:07:56 ha_peer_recv_tlv(src/ha_peer.c:2898): Group 1 (HA1-MAIN): Received TLVs: Printing out 2 tlvs TLV[1]: type 2 (CONFIG_MD5SUM); len 33; value:   65643464 66633137 65393663 36646163 64633066 38613965   37326636 30666134 00 TLV[2]: type 11 (SYSD_PEER_DOWN); len 4; value:   00000000 Oct 03 12:07:56 ha_state_cfg_md5_set(src/ha_state_cfg.c:411): We were in sync and now we are out of sync; autocommit no;                                    ha-sync no; cfg-sync-off no Oct 03 12:07:56 ha_sysd_dev_cfgsync_update(src/ha_sysd.c:1474): Set dev cfgsync to Committing Oct 03 12:07:56 ha_state_cfg_from_insync_to_outsync(src/ha_state_cfg.c:609): peer group 1 has changed the md5, waiting f                                   or an update Oct 03 12:07:57 Error: ha_ping_peer_miss(src/ha_ping.c:554): Missed 1 ping timeouts out of 3 (ha1-backup) Oct 03 12:22:56 ha_state_cfg_sync_callback(src/ha_state_cfg.c:751): ha_state_cfg_sync_callback: retries: 4; insync: no Oct 03 12:22:56 Warning: ha_event_log(src/ha_event.c:47): HA Group 1: Running configuration not synchronized after retries Oct 03 12:22:56 ha_sysd_dev_cfgsync_update(src/ha_sysd.c:1474): Set dev cfgsync to Out-of-Sync Regards, HA ... View more

I just need user to ip mapping so no need to configure LDAP Server. I tried the following : admin@PA> debug user-id reset user-id-manager type all admin@PA>configure admin@PA#commit force admin@PA#exit admin@PA>debug software restart user-id but it didn't change anything. I'll reboot the firewall in 30 minutes. ... View more

Normally it sould work without configuring the LDAP server. I've many customer that haven't configured any LDAP server and it's working. ... View more

Hello, First, thanks for comment. Q: Do you see the following behavior:" A: No jobs will be seen under the passive device for HA sync.  (admin@PA>show jobs processed) After few minutes , the config on the passive device will be out of sync It will show the following:- Running Configuration: not synchronized Out-of-sync Reason: Running configuration not synchronized after retries Q :However at this time the the active device running configuration will show "synchronized. A: Exact. I had to upgrade from 4.1.6 to 4.1.8 because of the bug ID 43575 (mgmt-plane unresponsive). This is the only problem I face with 4.1.8. Regards, HA ... View more

Hello, I played with firemon in my lab with different firewall vendor (Palo Alto, Checkpoint, Fortinet). The problem (Log status in red) was NOT coming from the firewall but from Firemon itself ! Before getting the log of Checkpoint (even if the OPSec communication was OK) it took more than...1 DAY ! PS: You can also try to revalidate the device in firemon... Regards, Hedi ... View more