About darren_g

holmesw wrote: The CLI commands for forcing failover and then returning to HA mode are: admin@pafw2(active)> request high-availability state suspend Successfully changed HA state to suspended admin@pafw2(suspended)> request high-availability state functional admin@pafw2(passive) I knew about the suspend command, I just wasn't sure if it meant suspend the HA state, or suspend the HA (and make both firewalls active). I know now it's the former - and I've tested it this week, so I know it works. Makes troubleshooting the network issues way easier when I can just put the primary back online with two clicks! Cheers and thanks ... View more

FredReimer wrote: Hello Darren, Just an addition piece of information: If you have configured "Link and Path monitoring" into the HA config, You can unplug one of the monitoring interface from Primary node and it will trigger a failover to another node. Thanks Not so easy when the firewall is in a data centre 15 minutes walk from where I sit in my office. 🙂 ... View more

Cool, thanks! ... View more

Does that cause a failover, or just suspend the HA configuration? This is what I am a little concerned about - I don't want both devices going active. Also, how do you re-enable it? Just do the same on the other device? ... View more

ericgearhart - I didn't see that one, and the original advisory on packet storm appears to have been amended to indicate this was fixed on 5.0.9. ... View more

ericgearhart wrote: The advisory that came out yesterday or the one that came out weeks ago? Are we thinking of the same vulnerability? ericgearhart, I got two vulnerabilities the day before I posted my original reply - one of which *looked* like it was a duplicate of an earlier CSS vulnerability, the other of which referred to a management API key bypass. Both stated the vulnerability was present up to 5.0.9. ... View more

Except for the security advisory which came out yesterday recommending upgrade to 5.0.10 or better to fix both a management API key bypass issue and a cross site scripting vulnerability. ... View more

What PanOS version are you running, and which CPU is under the load? If it's the management CPU, and the spike is every 5 minutes or so, there's nothing you can do about it. Version 6 is supposed to help in reducing these spikes, but it's caused by the log index process, which kicks off every 5 minutes, and will normally kick your management CPU up to 60-70% for a couple of minutes. As I said, V6 is supposed to fix this - haven't installed V6 yet, so I can't comment one way or another if it does. ... View more

msullivan wrote: You should tie the traffic down, permitting only valid outbound SMTP servers through the firewall.  The issue you're facing is that your IP reputation can get tarnished by unruely clients and you'll end up on RBLs all over the place.  That of course, can impede your business processes. Cheers, Mike Which is exactly why I did it - some piece of i-Crap was sending email using SMTP and identifying itself as "localhost.localdomain", and I ended up in a blacklist somewhere which stopped my regular SMTP relay from working, despite it being configured correctly. ... View more

Steven Puluka wrote: As hparikh mentions, these setup processes are in the management plane, but the traffic for the user is in the data plane processing. As far as capacity goes, each of the PA platforms has an upper limit on the number of SSL vpn connections that it can support.  This is in large part to keep the box from being overloaded.  You should feel comfortable going up to these levels.  And be aware of where that limit is to plan upgrades. Product selector has this limit information. Product Selection I'm not pushing even close to the stated limits for the device - and yet I'm seeing issues with the management plane responding to SNMP, and continued excessive CPU usage (beyond the well known 5 minute indexing spikes). It's not an obvious performance issue - yet - but if the box is working hard enough to regularly drop SNMP, then I'm obviously getting close to putting it under a load it can't reasonably deal with. Perhaps once I bite the bullet and upgrade to V6 (with it's reported fix for the log indexing issue which has been in 4.x and 5.x) this may settle down. Thanks for your input. ... View more

Thank you. Short and simple answer. ... View more

MarkTan wrote: Hello, In a scenario with two palo alto firewalls where the active firewall fails over to the passive firewall, if there are IPSEC tunnels established are they suppose to automatically come up on the second firewall when the failover occurs or do we have to initialize them manually? If we wanted them to automatically come up, how would we do so? Can someone provide a configuration example? Thanks, Mark In my experience, as long as the tunnel is actually active (I.E. currently passing traffic), then yes, they do. And without interruption to traffic flows, normally. I have occasionally run into issues when failing *back* from the HA peer to the normal "primary" - sometimes that will drop and re-establish the tunnel almost immediately - but that's enough to break some things (I have a GRE tunnel which goes through the Palo Alto and terminates on another device inside my network - when this drop out occurs, the GRE tunnel always breaks). Cheers. ... View more

BobW wrote: Yes that is helpful.  It sounds more like I am used to in the past.  I am now working at a boarding school and a number of Ipad Apps, web(ish) email programs etc., have a dependency in the PA on outgoing port 25 as well as port 587.  I am fortunate that the vast majority of workstations are Apple based so realistically not as big a concern as a Windows OS. Any additional thoughts would be appreciated, Bob I deny it from everything except our authorised email gateway and just ignore the application dependency warnings I get every time I commit a config change. ... View more