About ssharma

Management server is close to a gig 2267       20   0  947m 196m 3708 S    0 20.2   2369:37 mgmtsrvr which should be of some concern. But given the commit goes fine and you are not able to see the routes is bit wired. I would still suggest restarting both services mentioned above and also reboot the device if possible. If that still does not resolve the issue, contact Palo Alto support for further analysis. Thank you. ... View more

Hi Phil, I am interested in looking at not only CPU but also the memory utilization of it. If you can paste the output of "show system resources", I can make some comments based on the output. If you don't have dynamic routing (bgp or ospf) restarting routed should not be disruptive. There is no suggested reboot routine, but based on the utilization and device performance, you can reboot a device once it runs a longer period of times. Thank you. ... View more

Hi Phil, That is not an expected behavior. Please go ahead an add a random route say 1.1.1.1/32 and point the next hop as your default route. Do a commit and run "show routing route" and see if 1.1.1.1 appears on the routing table. Do a show jobs all to see if the commit itself went fine? Check show system resources for mgmtsrvr, devsrvr and routed and notice if one of them is abnormally high. If possible try restarting management server and routed porcess debug software restart management-server debug software restart routed If that still does not help and then do a reboot. Hope this helps. Thank you. ... View more

Since active was running high, give it some more time. Traffic should be flowing normally however. Try in another 5 minutes and see if you are able to log in. Thank you. ... View more

Active is running high on management plane as suspected and passive is running high as well. Please go ahead and restart managmenet server on both device and see if that fixes the issue. Thank you. ... View more

Hi Asabadin, You need to export "Mercedes_Bundle" along with the key from the firewall. You can use PEM format and give it a passphrase. Once exported you should be able to open it in notepad. You will see following format : -----BEGIN CERTIFICATE----- MIIC5zCCAc+gAwIBAgIBFD.. -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-256-CBC,A35588EF895 bPd92JfJYc407emq4 -----END RSA PRIVATE KEY----- Then open the root certificate in the notepad as well. You will NOT need private key of the root cert. Then go ahead and add root cert below RSA key. -----BEGIN CERTIFICATE----- <root cert> -----END CERTIFICATE----- So your order should be Mercedes_Bundle Mercedes_Bundle key Root cert If you have intermediate certificate in the chain, then Mercedes_Bundle Mercedes_Bundle key Intermediate Cert Root cert Once you have all in one text file, save it and import it to the firewall. While importing you will need to provide key file, this will be the same cert that we just created (that means brose same cert file twice). Passphrase would be same that you used to export. Follow following document to achieve that : How to Install a Chained Certificate Signed by a Public CA Once successfully imported, do a commit one more time. Warning should go away. Hope this helps. Thank you. ... View more

Glad we could help. Thank you. ... View more

Hi CPKaiser, You will need CA on the device. This can be a self signed cert from the PA box itself or if you have PKI infrastucture you can generate a CA from there and import it to Palo Alto device. This way firewall is able to look through SSL traffic as the CA cert would have both public and private key. Please keep in mind that since this certificate might not be trusted by student browser, they will get an browser error if they try to access SSL sites. Workaround is to install the certificate in their trusted root store. Hope this helps. Thank you. ... View more

Hi Rkra, Here is one of the discussion that you will find useful : Monitor vpn interfaces Hope this helps. Thank you. ... View more

Hi, You can configure that with Link monitoring. There is another option as well for path monitoring. If you are looking for option for interface then link monitoring is what you are looking for. Here in snapshot above, I have asked firewall to monitor both ethernet 11 and 12 and if "Any" of the interface goes down, it will cause a failover. You can also configure "All" , that would mean if both 11 and 12 goes down then only failover will occur. Hope this helps. Thank you. ... View more

Yes, management interface will respond. But after reboot, auto commit is happens on the device. During this time all dataplane ports would not respond or pass any traffic. Depending on the Hardware of the device and amount of configuration it might take time for auto commit to complete. "show jobs all"  shows progress for the auto commit. While updating, secondary will take over as active, and since interfaces are not connected to switch the traffic will be basically blackholed. Next time during the upgrade monitor the auto-commit, and once it is done, make the primary (connected to switch) active device again and see if that resolves the issue. Thank you. ... View more