About gmoerschel

The following change log may be useful to all of you wondering how an upgrade goes in an HA active-passive pair. It would be nice if PAN support were to put this into a tech note. Each step is essentially a check or an observation from top to bottom. 2050 Firewall Upgrade 4.07 to 4.1.2 Log: Pre download of PAN-OS 4.1.0 and 4.1.2 to both units No commits pending firewalls shows HA is in synch Same version of dynamic updates are installed on both units Backup configs from both and export them On PAN2 (the current passive), suspend the unit via GUI:device/ha/suspend @ 9:17 am PAN2 upgrade to 4.1.0 starting @ 9:18am PAN2 reboot @ 9:22 PAN2 back up at 9:25 and auto com until 9:38. PAN2 comes up as non-functional state. Note that the unit will not be able to log you in for several minutes as the upgrade process is happening. PAN2 Started 4.1.0 to 4.1.2 upgrade at 9:40 PAN2 reboot at 9:44 PAN2 back up at 9:50 and auto com until 9:53. PAN2 comes up as non-functional state. Because 4.1.x HA is not compatible with 4.0.x HA there is no way to make the newly upgrade firewall the active. The older fw code must be suspended first and then the new fw is made functional which then brings it into the active state. Because of this limitation, the sessions going through the active will sever when it is suspended. Detail below: do quickly PAN1 from cli: request high-availability state suspend NOTE: active sessions will sever when active becomes suspended do quickly PAN2 from cli: request high-availability state functional PAN2 immediately becomes active. loss of 14 pings PAN1 upgrade to 4.1.0 starting @ 10:56am PAN2 (not PAN1!!) redefined pre-emption to 98 to be favored over PAN1 so that PAN1 does not become active upon reboot into initial 4.1.0 install. PAN1 reboot @ 11:04 PAN1 back up at 11:10 and auto com until 11:20 PAN1 state shows as "initial" after auto com completes PAN1 Started 4.1.0 to 4.1.2 upgrade at 11:23 PAN1 state transitioned to passive while 4.1.2 upgrade was running PAN1 reboot at 11:27 PAN1 back up at 11:32 and auto com until 11:35. PAN1 comes up as passive. HA dashboard widgets on both sides show no errors and states are synched. PAN2 pre-emption number set back to 101 then PAN2 was suspended. At this point an auto com job started running on PAN2 after PAN1 became active. This job took about 1 minute. This may be a synch check. PAN2 commit config (to set back preemption value to 101) PAN2 "request high-availability state functional" and state then becomes passive Process completed at 11:43 am Post upgrade items to do: Download GlobalProtect client Activate GlobalProtect client Enable user ID on outside zone per error message (probably a Global Protect requirement) Ensure User-ID agent reconnects Test GlobalProtect upgrade and function ... View more

Has anyone developed a PAN-specific security audit standard that can be used for verifying the efficacy of PAN firewalls as a firewall / IPS control?  If so, can you share? Thanks ... View more

There are several sigs described as "HTTP SQL Injection" (30514, 33338, 33340, 33305, and maybe others) that are server-side mediums with a default alert. What are these signatures looking for? Atypical SQL statements that indicate an attempt to get more from a database than one might normally need? More info in the description would be helpful. ... View more