About mikand

I guess the security reason is that IF someone hacks your PA box (because you didnt protect the mgmt-interface enough or did something else bad) then the attacker shouldnt be able to use your hacked PA box as a jumpbox to reach further into your internal networks. However from a troubleshooting point of view I totally agree with you that telnet (or something similar) is needed. What if PA removes the fullblown telnet client but instead replace it with some extension to the test command? Like a test-ip command or such that could take a syntax such as: srcip (default 0.0.0.0) srcport (default random >1023) dstip (must be specified) dstport (must be specified) flags (optional like syn, ack, psh, fin, rst etc) mode (default oneshot, other mode(s) are: handshake) where mode would be if it should send just one packet or if it should complete a tcp handshake. Like mode=oneshot, mode=handshake. this way one could make the PA to send a syn packet to a specific host/port and then see if you get any syn-ack (or such like rst, fin-ack or something else) in return? The return stuff would be so you dont have to run tcpdump on some other device along the road between the PA and the device which has troubles. ... View more

Depends on which PANOS version you have, but check the "CLI Reference Guide" over at ... View more

Regarding your original question, something like iptraf would be nifty if that existed in PA 🙂 http://iptraf.seul.org/shots.html Regarding your QoS, when you enable QoS you always do that on egress interface (since this is where the PA can decide in which order the packets will leave the device). Also when you enable QoS the performance will decrease - there is a list somewhere on this forum with some performance figures when QoS is enabled (its something like (for PA-5060 (edit: actually 4000 series and older)) 20Gbit/s firewall, 10Gbit/s threat, 5Gbit/s QoS or so). Edit: Here is the qos performance table I was thinking of: https://live.paloaltonetworks.com/message/5367#5367 And according to the link below the qos engine was changed in 5000 series (so my example of 20/10/5 is a behaviour for the 4000 series and downwards) https://live.paloaltonetworks.com/message/12541#12541 ... View more

What if you run the "test" command in cli? Will it be random aswell on which rule it will hit? ... View more

You will have to update the standby unit on its own for obvious reasons. One way to limit number of possible hickups for current sessions is to start the update on the standby unit. Then perform a failover and update the other device (this way you only have one failover instead of two). However im not sure what will happen to the session sync when switching major version. ... View more

Is it possible for you to find out why it was removed (and if its possible for it to return) and update this thread? The CLI guide for 5.0 I was referring to was created 2012-11-12 16:36:08 and modified 2012-11-12 16:37:19 (seen in the pdf-properties since the document seems to lack version information in the text). ... View more

According to the PAN-OS_5.0_CLI_Reference_Guide.pdf the command is still there in PANOS 5.0: telnet Opens a Telnet session to another host. Syntax telnet { 8bit {no | yes} | port <value> | host <value> } Options + 8bit — Use 8-bit data path (no or yes) + port — Specifies the port to connect to on the remote host (0-65535) * host — Specifies the host name or IP address of remote host Sample Output The following command opens a Telnet session to the host 1.2.5.5 using 8-bit data. username@hostname> telnet 8bit 1.2.5.5 Required Privilege Level superuser, vsysadmin, deviceadmin ... View more

Yes switching firmwares will require a reboot. In your case running 4.0.8 I think the recommended way of upgrading would be to first download and install (and reboot into) 4.1.0, and then do the same from 4.1.0 into 4.1.8 (or whatever 4.1 version you might want to use - 4.1.9 is the latest currently). Or while you are at it, go straight to 5.0.x ? ... View more

The QoS fix in 5.0.1 seems to be broken, see for more information. Regarding realtime flow, does slv mean something like (if it existed) "show session tail" ? Where you get a tcpdump lookalike output for all new sessions which are being setup? ... View more

What if you for the first commit just set "none" as security zone and on the second commit select "trust"? I also thinking if the ip's you selected for loopback perhaps cannot exist on trust since the range they are part of already exists on a different zone (like untrust or such)? ... View more

I guess this doc would answer all your NAT related questions 🙂 ... View more

Another workaround could be to put a L3 device (L3 switch or such) in front of your PA and setup a linknet between this L3 device and the PA box. Like so: PA <- 10.0.0.1/30, 10.0.0.2/30 -> L3-device <- 192.168.255.254/16 This way the PA box only see one mac, the mac of 10.0.0.2 (or whatever ip you setup). While the L3-device takes the hit regarding shitloads of clients vs. mac-addresses. ... View more

To make ping work you will probably need to create a mgmt-profile (only containing ping) which you attach to untrust and then a security rule which will allow the U-turn NAT to ping this interface from the other zone. ... View more

According to these threads it seems that the value if 1800 seconds is hardcoded and cannot be changed. Hopefully you can issue this as a feature request (given that this "hardcoded" isnt burned into the NPU's being used): ... View more

According to the manual you can setup static-entries in the dns proxy. However I dont know if these entries can work on their own without a real dns server on the other end. I mean if the client can query the PA ip (or ip on the other side of the PA) to get a reply from the PA itself without any real dns server (resolver or authoritive) on the other end. ... View more