About PavelK

Hello @MatthewJenkins   I see, sorry to hear that. If even after rebooting you are getting the same error, I would open a TAC ticket. The output from "show log-collector-es-cluster health" should return status of ES instead of this error. This might required TAC's root access to resolve it.   Kind Regards Pavel ... View more

Hello @Alpalo   thanks for post!   You will have to import the certificate to passive Firewall and then create SSL/TLS profile. These configurations are not synchronized between Active / Passive Firewalls: what-settings-dont-sync-in-activepassive-ha: Kind Regards Pavel ... View more

Hello @qmso475   BPry is right, with all currently supported PAN-OS versions it is not possible to apply threat updates without valid subscription. Documentation for reference: What Happens When Licenses Expire?. Unfortunately, I do not believe there is any solution than renew the subscription.   Kind Regards Pavel ... View more

Hello @MatthewJenkins    PAN-OS 11 is quite new and at least based on list of known issues there are a few bugs related to ElasticSearch. As a next step I would try to restart ElasticSearch processes: debug elasticsearch es-restart optional all   Kind Regards Pavel   ... View more

Hello @qmso475   without license you will not be able to download dynamic updates. The only way around it is to upload updates manually: How to Manually Install Antivirus, Content, and WildFire Updates on the Firewall. This should be temporary solution until you get this Firewall licensed again.   Kind Regards Pavel ... View more

Hello @SachinGargNTT   I had an issue with reportd before in PAN-OS 9.1, not in 10.1. Based on my past experience, when the process restarts Panorama is still up, only GUI is not accessible with an error: "Critical processes (reportd) are down. Please try again later". To dig into details, could you check log from CLI:  tail lines 50000 mp-log reportd.log?   Kind Regards Pavel   ... View more

Hello @kevinospf   thank you for reply.   To get more detailed log to troubleshoot the issue, you should SSH to Panorama, then issue in CLI this command: tail follow yes mp-log configd.log. From CLI you typically get more information compared to logs in GUI.   Kind Regards Pavel ... View more

Hello @yurisilva   thank you for reply.   Your screenshot does not cover whole screen, however it looks like it is the IoT Security Default Profile. Could you click on down arrow and click on Global Find to see whether it is reference in anu configuration? If it does not return anything, I do not think this is a root cause of traffic to Panorama. As a next steps, I would suggest to export running configuration and check whether there is any Panorama related configuration left. Also could you navigate to: Monitor > Session Browser and see whether there i still any session running to Panorama IP address. If there is any, try to kill it.   Kind Regards Pavel ... View more

Hello @kevinospf    thank you for reply.   The "Reference Templates" configuration in Device Group is not mandatory. Technically both Device Group and Template stack are independent configurations, however in some scenarios they have dependency on each other. The Reference Templates is used in the case you are pushing Device Group configuration to the Firewall that has no Template Stack assigned. For example you need zones from Template to push policies in Device Group. Could you check this tutorial: Why Would I Need to Create Reference Templates in Device Groups? and documentation Reference Template (Refer to step No.4).   Kind Regards Pavel ... View more

Hello @JeremyGlaus   thank you for stepping in! The option you pointed out is indeed answer to the question and has an official KB: How Configuration Change is Being Applied Depending on “Merge with Candidate Config” Commit Option. I am going to marked your answer as an accepted solution.   Thank you and Regards Pavel   ... View more

Hello @Felixcao   thanks for post!   The scenario you described is expected behavior. When the configuration is pushed from Panorama to managed Firewall the commit all is performed which also commits local uncommitted configuration.   Kind Regards Pavel ... View more

Thank you for reply @yurisilva   Would it be possible to provide a screen shot of that IoT log forwarding setting?   Kind Regards Pavel ... View more

Hello @kevinospf   thank you for reply.   At this point, I would try to remove the problematic configuration from your Template, commit it to Panorama, then add the same configuration, commit it and push it again to managed Firewall. While this is being pushed, I would watch out for this job in managed Firewall from task menu: Once this completes and desired configuration is not in the place, I would review logs on Panorama and managed Firewall to see in depth what was configured:   Panorama : tail follow yes mp-log configd.log FW : tail follow yes mp-log devsrv.log   Regarding your question whether there is any configuration that can't be pushed from Panorama, the short answer is basically everything that is configurable in Device Group and Template can be pushed. There might be some corner cases, but I could not find any documentation that would pointed out to specific configuration that can't be done from Panorama.   Kind Regards Pavel ... View more