About emr_1

Really? Hmm... it looks to be fixed on my platform (PA-3220) with 10.2.8. ... View more

10.2.8 was just released. Even I'm not testing it yet, share this info with you all. ... View more

I think OPTION 2 in above knowledge article is what you want to do. ... View more

I believe you concluded you are hitting PAN-234929 and this is listed in 11.1.1 addressed issues. https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-1-known-and-addressed-issues/pan-os-11-1-1-addressed-issues   However, this knowledge indicates it will be fixed in 11.1.3. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000Xh9oCAC   I'm not sure which is true.. though you might need to wait for fix. OR try to restart process again on 11.1.1? ... View more

Hi Reaper, Thanks for your reply. I understood. ... View more

Your link said ... === Resolution Contact Palo Alto Networks Technical Support as the resolution will require root access. ===   This means you need to open a ticket, and then TAC engineer will login to your device via zoom live session. He/She will do "debug tac-login challenge" and additional commands on your device.   ... View more

Go to your closed case, then move to "Manage Your Case". You'll find re-open option there.   ... View more

The availability of entering "otp" might be depends on your platform and version. I'll show you two samples; one is pan-os 11.0 with PA-445, another is pan-os 10.2 with panorama. === admin@PA-445> show system info | match sw-version sw-version: 11.0.2-h2 admin@PA-445> admin@PA-445> request certificate fetch ? <Enter> Finish input admin@PA-445>   admin@Panorama> show system info | match sw-version sw-version: 10.2.7 admin@Panorama> admin@Panorama> request certificate fetch ? * otp One time password to generate the certificatei admin@Panorama> ===   As you can see, PA-445 does not have "otp" option. Please check on your platform. You can check with entering "?" on your command.     ... View more

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0   This explains how PAN device handles packet and each feature works. At beginning of section 3, it says... A  firewall session consists of two unidirectional flows, each uniquely identified. In PAN-OS ’s implementation, the firewall identifies the flow using a 6-tuple key: Source and destination addresses: IP addresses from the IP packet.  Source and destination ports:  Port numbers from TCP/UDP protocol headers.  For non-TCP/UDP, different  protocol  fields are used (e.g. for ICMP the ICMP identifier and sequence numbers are used, for IPSec terminating on device the Security Parameter Index (SPI) is used, and for unknown, a constant reserved value is used to skip Layer-4 match). Protocol: The IP protocol number from the IP header is used to derive the flow key .   Security zone: This field is derived from the ingress interface at which a packet arrives.   Other elements you are listing are used after few more packets are traversed. Hope this helps you. ... View more

I believe default setting is to generate v3 certificate. Here is my test result with PAN-OS 9.1.12     After export this cert, check with openssl command: ==== user@dom:~$ openssl x509 -text -noout -in ./cert_testcert.crt Certificate: Data: Version: 3 (0x2) Serial Number: 3359397260 (0xc83c558c) Signature Algorithm: sha256WithRSAEncryption Issuer: CN = testca Validity Not Before: Oct 12 05:21:15 2023 GMT Not After : Oct 11 05:21:15 2024 GMT Subject: CN = testcert.local Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:9d:a6:2c:d8:de:f8:2d:4f:5f:f0:cc:3f:0c:da: 0f:7d:25:fa:03:1b:8c:6e:bd:59:52:9d:24:44:86: 57:fb:d7:f7:b1:cc:21:44:be:d5:cc:80:fd:4e:e4: ca:01:3e:dd:c6:f1:18:8e:46:a2:d7:22:6d:93:35: ..snip.. ==== ... View more

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CpoRCAS Is this what you are looking for? ... View more