About kprakash

Please try the steps mentioned in these links. https://live.paloaltonetworks.com/docs/DOC-3053 https://live.paloaltonetworks.com/docs/DOC-1431 https://live.paloaltonetworks.com/docs/DOC-1308 Can you attach the output of the command, >tail lines 500 mp-log devsrvr.log Best regards, Karthik ... View more

The device server takes care of pushing configuration to the DP, and is also responsible for URL filtering requests/responses, along with handling user id functions. The device server usually comes up real quick after we restart the service. But you can still execute the command after office hours to be on a safer side. You can execute this command on the active, and the active firewall will synchronize the new information that it learnt after restarting the device server to its peer. Best regards, Karthik ... View more

You can restart the user-id process on the 4.0.12, by restarting the device server. >debug software restart device-server Hope that helps. BR, Karthik ... View more

Hi Gareth, You could try out the partial commit feature, but that does it just commits a specified parts of the  candidate config to the running config: Syntax commit {force} { partial device-and-network excluded | partial shared-object excluded | partial vsys <value> | partial no-vsys } Options > force — Forces the commit command in the event of a conflict > partial — Commits the specified part of the configuration + device-and-network — Excludes device and network configurations from the commit (configurations under config/mgt-config, config/devices/platform, config/devices/deviceconfig, and config/devices/network) + shared-object — Excludes shared object configurations from the commit (configurations under (config/ shared; also excludes config/devices/vsys if in single vsys mode) + vsys — Commits only the specified virtual system configurations Of if you want to selectively push some part of the configuration, you can save the candidate configuration, and then copy the set commands of the candidate config > set cli config-output-format set > show config diff Copy all these set commands, to a notepad. Revert the config to the running config, and go under configuration mode >configure # And now paste the selected configuration on the cli, and commit the changes. The last option is to use commit locks, so that other users may not commit the changes, unless the lock is taken away. Best regards, Karthik ... View more

Or what you can do is select the countries you want to allow and then check on the negate box. What this will do is all the countries in the list will not be blocked, and the rest will be. BR, Karthik ... View more

There are functions related to content and threat detection. What is the version on the firewall? BR, Karthik ... View more

Hi Cheon, Yes, we have the mappings on both the management plane and the data-plane. Hope that helps! BR, Karthik ... View more

TCP Previous segment lost] [TCP segment of a reassembled PDU],  [TCP Out-of-order] [TCP segment of a a reassembled PDU],  [TCP Dup ACK 170#1,  This is what I got from wireshark wiki: The hint "TCP segment of a reassembled PDU" indicates that the workstation is sending a large message to the server. In fact the message is so large that it is split over several frames. As soon as Wireshark sees the last frame it pieces the segments together and decodes the whole message I usually see these messages when there is a latency for the TCP traffic. And in order to determine the file that is being downloaded, and take necessary action, its always recommended to have SSL decryption enabled ( without SSL decryption, the PANFW skips the file check for its encrypted ). SSL decryption introduces a relative delay becuase the firewall has to decrypt the traffic, match the traffic against the signatures and encrypt it back. So I would expect this to be a normal behavior, if SSL decryption is enabled. In addition, with wildfire in action, the firewall looks up at  the first few packets of the file, and then calculates the hash, and then looks up for the hash matching that of any threat. This also causes a small delay, relative to the other firewall where wildfire is not configured. So the client and the server are expecting a steady TCP flow, and when there is a delay, they use these mechanisms to check that the stream is not dead BR, Karthik ... View more

Setting up the VPNs between the PA-4020 and the Sonic Wall should be pretty straight forward, and if all the parameters (IKE and IPSEC ) , routing through the tunnel interfaces and the polices are configured correctly, the VPNs come up just fine. Ensure that you have proxy id configured on either end as well (proxy ids are not mandatory for an IPSEC tunnel between 2 PANFWs ). I would recommend using Palo Alto firewalls for the remote offices, so that you wont run into any compatibility issues BR, Karthik ... View more

Although the passwords are shown as a hashed value on the exported file, when you import back the file onto a firewall, the same passwords are maintained. As hashes are irreversible ( cannot be decrpypted  ), the firewall computes the hash of the password that the user enters on the ssh or the gui, and if the hash of the password matches that of the running config, the PANFW identifies that the password is correct and lets you access the device. Tested this out in the lab. BR, Karthik ... View more

You can refer to the below link, explaining the VPN configuration. You can also search our documentation on VPN configuration. https://live.paloaltonetworks.com/docs/DOC-1163 Best regards, Karthik ... View more

Good Morning Randy, You can configure multiple tunnel sub interface for each of the VPNs, assign them to a zone ( like VPN zone ), and configure routes for the remote networks behind each peer, via these tunnel sub interfaces. If the ASA is configured with the  Virtual tunnel interfaces ( to use route based VPNs ), the migration should be pretty simple. You then have to a) Configure the untrust interface on the PANFW, through which the firewall will establish the tunnel, and transmit and receives the ESP packets. Configure a policy from untrust to untrust, permitting applications ike, ipsec ( and ciscovpn if the remote peers happen to be ASA devices ) b) Configure the trust interface/interfaces from where the internal hosts at the PANFW side are reachable on. Configure polices from Trust to VPN and also from VPN to Trust BR, Karthik ... View more