About Ambidexter6

Hi,   Thanks for the reply!   I would I COULDN'T get it to happen!   I've changed about 50 of our 60 firewalls over the last few days. They all do it, except in two cases the restart seemed to happen but it just left the SSH process inaccessible - so I had to reboot it! 😄     In one case, it seemed the process didn't need to be restarted...after a day or so, it seemed to not have any issue and the changes were in place. But a 2% success rate isn't a good thing...especially since I (nor Palo) can explain why one worked and 2 killed the SSH process.   I also just don't get why there's no way to restart the process or push the SSH changes via Panorama. It just doesn't make sense. How is that "next generation"? It sounds more like "last century"! And there's no version of 8.x.x. that will allow me to change the Key Exchange protocol? I need 9.0 or 9.1? That's just idiotic. I just upgraded all of these to 8.1.13 like 2 months ago, so we're not going to 9.x!   I have a HA pair of 5520s and a single 5520 which I'll try this on. It may work, or totally crash. It's anyone's guess! Cheers, Ambi ... View more

I have, thanks. It does work, except i need 9.0 or 9.1 to enable the KEX algorithms to be selected manually, to remove sha1.   My question is now, that I have a number of changes to the management port to do, how do I push them to 60+ firewalls in Panorama? I'd want to add these to an existing template. But maybe a new template that's "related" to some existing template?   Thanks, Ambi ... View more

Hi,   I finally figured this out!   The issue is that the management interface on all the firewalls needs to have the "Permitted IP Addresses" which defines which IPs can permit SSH, SNMP, ping, etc.   This is located in Panorama -> Setup -> Interfaces -> Management -> Permitted IP Addresses.   The thing that made me finally figure this out was the "Device Management Services" section: That section isn't in every firewall, just Panorama, whereas the othere sections (Administrative Management Services, and Network Services) are in every firewall. But how could I not see that the firewalls were all in the permitted list? That's easy. We've got over 70 firewalls, and the page these go into on Panorama (or any firewall) only scrolls. It does not page, it does not allow import/export, and you can't resize the window. So, unless you show them in the CLI, there's no way to really know for sure that they're in there.   For example, I can't export them, and I can't template them, so I have the 70 firewalls, as well as IPs for any user, monitoring device, SNMP manager, syslog machine, etc. defined here, so I have at least 100 devices.   Now, the list is templated for the firewalls themselves...that is to say, each firewall's individual list of permitted IPs is identical as they all use the "Base" template for such settings. But for Panorama, it's all manual.   So what I needed to do was screen-shot the 5 pages of firewalls from the working, primary Panorama, and do the same thing with the Secondary. Then, highlight which was missing on each side (if there was something missing from the Primary, it would show up).   Now, this could be easier by using the CLI, but I dissuade casual users of Panorama from SSH-ing into it, so I wanted to document the procedure with the GUI. And it works, but it's smelly.   Thanks for your assistance!   Regards, Ambi ... View more

Hi,   Thanks for your suggestion!   Unfortunately, the two panorama servers are defined in the Panorama Settings dialog. We're enabling push, with 240 second timeouts and a 25 SSL retry count.   I might want to see if deleting the secondary's IP in a firewall then adding it again makes it work. The problem with this is the Panorama servers are defined by template. So I'd need to override it, the revert it. That may be more than I want to do.   Is there a CLI command to show the status of connections to the Panorama peers...both on Panorama to see the firewalls, and the firewalls to see both Panoramas?   Thanks, Ambi ... View more