This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About shadowpeak
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About shadowpeak
11-16-2021
4Posts
6Likes
1Solution
Nov 16, 2021Last Visited
User
Activity
User
Profile
Latest posts by shadowpeak
| Subject | Views | Posted |
|---|---|---|
| 3528 | 08-24-2013 04:17 PM | |
| 3972 | 12-06-2012 10:22 PM | |
| 3511 | 04-15-2012 11:01 PM | |
| 4831 | 04-13-2012 06:38 AM | |
| 6531 | 08-10-2011 07:13 AM | |
| 5846 | 05-21-2011 09:27 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 04-15-2012 11:01 PM | |
| 2 Likes | 08-24-2013 04:17 PM | |
| 3 Likes | 12-06-2012 10:22 PM |
User Badges
Community Statistics
| Member Since | 03-21-2011 02:13 PM |
| Date Last Visited | 11-16-2021 10:48 AM |
| Posts | 4 |
| Total Likes Received | 6 |
08-24-2013
04:17 PM
2 Kudos
For a live, continuously-updating view of all network interface throughput numbers (useful when trying to locate intermittent traffic spikes that are impacting firewall performance) run: show system state browser Type Shift L and select Port Stats, type “y”, type “u” To modify the screen refresh rate (default 5 seconds) hit “r” This doesn't give historical statistics but can provide them in real time.
... View more
12-06-2012
10:22 PM
3 Kudos
broadleyn wrote:
Must have :
So important, I'm listing it before my numbered items below : TCPDUMP support. I miss this basic feature nearly every day since our switch to Palo Alto. The web-based set up of background packet filters across fw, rx, tx and drop profiles is so tedious, I die inside each time I'm forced to use it. I now tcpdump from our F5's far more often because it's easier to troubleshoot using this industry standard and well-understood tool.
I miss tcpdump as well. My eyes lit up when I saw a reference to tcpdump in the PANOS 5.0 documentation and after loading up 5.0 on a test box sure enough the tcpdump command was now present. Unfortunately it can only capture traffic on the management interface NIC and doesn't work with the data plane interfaces.
... View more
04-15-2012
11:01 PM
1 Kudo
Another factor that can potentially cause long commits is performing User-ID with a sizable Active Directory structure that contains thousands of User Groups. In 3.1 and 4.0 the user & group discovery is performed by the User-ID agent and the Filter Group Members setting on the agent can be used to reduce the number of user groups sent to the firewall. In 4.1 and later user & group discovery is performed by the firewall itself; the corresponding function is called Group Include List (located under Group Mapping Settings) and will need to be configured on the firewall. By only sending the groups that are actually referenced in policies on the firewall commit times can be improved, especially with very large AD environments.
... View more
04-13-2012
06:38 AM
show vpn flow clear vpn ike-sa gateway <gateway name> clear vpn ipsec-sa tunnel <tunnel name>
... View more
08-10-2011
07:13 AM
When icmp is specified as an application in a rule, it appears that icmp requests and replies do not match that rule. The application ping must be added to the rule for a match to occur against echo request and echo reply packets. Isn't ping a subset of the icmp protocol as a whole? I understand how to make this work by adding the application ping, but do not understand why the app icmp does not allow ping. Is the app icmp "all icmp types and codes except ping"?
... View more
05-21-2011
09:27 PM
Must Have: - Better integration between the wealth of documents in KnowledgePoint and the PAN-OS Administration Guide. As an example the "How to Set Up and Configure High Availability PANOS 3.1" should be referenced/hyperlinked right in the "Setting Up High Availability" section of the Administration Guide. - Ability to verify speed/duplex of an interface from the web GUI Nice to Have: - The option to execute at least some elements of the test command ("test security-policy-match", "test routing", "test nat-policy-match") against the candidate configuration instead of the running configuration. Would be very handy to verify behavior of a new rule/route prior to a commit. - Ability to delete an old saved config from the web GUI
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks