This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
About DJFirewallSupport
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About DJFirewallSupport
06-21-2022
10Posts
1Like
0Solutions
Jun 21, 2022Last Visited
User
Activity
User
Profile
Latest posts by DJFirewallSupport
| Subject | Views | Posted |
|---|---|---|
| 2124 | 11-02-2012 06:56 AM | |
| 2124 | 11-01-2012 01:58 PM | |
| 2529 | 11-01-2012 08:13 AM | |
| 960 | 10-24-2012 02:04 PM | |
| 1022 | 10-23-2012 06:20 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 11-01-2012 08:13 AM |
User Badges
Community Statistics
| Member Since | 07-17-2012 09:58 AM |
| Date Last Visited | 06-21-2022 09:38 AM |
| Posts | 10 |
| Total Likes Received | 1 |
11-02-2012
06:56 AM
Thanks for the info - I will be having someone at the local site swap the crossover cable on the dataplane interface I configured for HA to see if it's the cable.... and if not working I will just use the mgt interface per your config. Thanks, - Dave
... View more
11-01-2012
01:58 PM
Thanks Renato, that is helpful. I have tried your configuration and it is working. But are you saying that I can't utilize a dataplane interface for HA1 on the PA-200? Or just that I don't have to? Obviously it's nice to save the physical dataplane interfaces if I can as PA-200 only has 4 of them...But on the other hand, it would also be nice to have an HA1 primary and HA1 backup like I do for full HA configurations...for purposes of HA control link resiliency. Note the comment by "npare" to this document seems to indicate that you can use a dataplane interface for HA1 primary: But if I can only use the management interface for HA1, what happens when mgt interface of primary goes down....obviously a failover should happen there. But how will upstream/downstream gateways learn the MAC address of the new node? Thanks for clarifying, - Dave
... View more
11-01-2012
08:13 AM
1 Kudo
Hi All, Trying to configure a pair of PA-200's as an active-passive cluster using "HA lite". Right now both devices are showing active, so it seems the nodes do not see each other as cluster members. I have defined one HA link on both firewalls, ethernet1/2...they are connected together via a cross-over cable and both interfaces are showing UP.. I realize that state synchronization is not possible with one HA link, but just looking for config sync. When I do a "show high-availability state" from CLI, I get: Peer Information: Connection status: down Connection down reason: Never able to connect to peer I have tried to suspend the device with the worse priority...and then make it functional again (hoping it goes into passive state)..but it only goes right back to active. Note I am running 4.1.8 code here. I have also found a doc that indicates the MGT port is used for HA1 with an HA-lite configuration. Is that true? If so, does that mean I don't need the cross-over on ethernet1/2? Note when I ping the peer HA1 IP address (from either firewall) I simply get back an ICMP "Destination host unreachable" .... I am sure this is a problem! Below are my configs for this...perhaps I have something missing? Grateful if anyone with this knowledge and experience on HA lite would take a look for me....thanks in advance. Node 1: set deviceconfig high-availability group 1 mode active-passive passive-link-state auto set deviceconfig high-availability group 1 mode active-passive monitor-fail-hold-down-time 1 set deviceconfig high-availability group 1 configuration-synchronization enabled yes set deviceconfig high-availability group 1 peer-ip 192.168.201.2 set deviceconfig high-availability group 1 election-option device-priority 95 set deviceconfig high-availability group 1 election-option heartbeat-backup yes set deviceconfig high-availability group 1 election-option preemptive no set deviceconfig high-availability group 1 election-option promotion-hold-time 2000 set deviceconfig high-availability group 1 election-option hello-interval 8000 set deviceconfig high-availability group 1 election-option heartbeat-interval 1000 set deviceconfig high-availability group 1 election-option flap-max 3 set deviceconfig high-availability group 1 election-option preemption-hold-time 1 set deviceconfig high-availability group 1 election-option monitor-fail-hold-up-time 0 set deviceconfig high-availability group 1 election-option additional-master-hold-up-time 500 set deviceconfig high-availability interface ha1 encryption enabled no set deviceconfig high-availability interface ha1 monitor-hold-time 3000 set deviceconfig high-availability interface ha1 ip-address 192.168.201.1 set deviceconfig high-availability interface ha1 netmask 255.255.255.0 set deviceconfig high-availability interface ha1 port ethernet1/2 set deviceconfig high-availability interface ha1-backup set deviceconfig high-availability enabled yes Node 2: set deviceconfig high-availability group 1 peer-ip 192.168.201.1 set deviceconfig high-availability group 1 configuration-synchronization enabled yes set deviceconfig high-availability group 1 mode active-passive passive-link-state auto set deviceconfig high-availability group 1 mode active-passive monitor-fail-hold-down-time 1 set deviceconfig high-availability group 1 election-option device-priority 100 set deviceconfig high-availability group 1 election-option heartbeat-backup yes set deviceconfig high-availability group 1 election-option preemptive no set deviceconfig high-availability group 1 election-option promotion-hold-time 2000 set deviceconfig high-availability group 1 election-option hello-interval 8000 set deviceconfig high-availability group 1 election-option heartbeat-interval 1000 set deviceconfig high-availability group 1 election-option flap-max 3 set deviceconfig high-availability group 1 election-option preemption-hold-time 1 set deviceconfig high-availability group 1 election-option monitor-fail-hold-up-time 0 set deviceconfig high-availability group 1 election-option additional-master-hold-up-time 500 set deviceconfig high-availability enabled yes set deviceconfig high-availability interface ha1 encryption enabled no set deviceconfig high-availability interface ha1 monitor-hold-time 3000 set deviceconfig high-availability interface ha1 ip-address 192.168.201.2 set deviceconfig high-availability interface ha1 netmask 255.255.255.0 set deviceconfig high-availability interface ha1 port ethernet1/2 set deviceconfig high-availability interface ha1-backup -- Thanks and regards, - Dave
... View more
- Tags:
- high_availablitly
Labels:
- Labels:
-
Troubleshooting
10-24-2012
02:04 PM
This is definitely not ideal...it would be quite useful to have this feature implemented as it is especially helpful for troubleshooting situations. But thanks for your answer just the same... Regards, - Dave
... View more
10-23-2012
06:20 AM
Hi, Sorry I know this is an old thread but figured I'd ask here as my issue is the same... I am interested in finding the specific route in the route table that will be used for a specific destination network lookup. So I do "test routing fib-lookup ip 2.2.2.2 virtual-router default" command but the output only shows the interface that will be used in the route lookup...not the specific route that it will take. i.e.: admin@stocbfw01(active)> test routing fib-lookup ip 2.2.2.2 virtual-router default -------------------------------------------------------------------------------- runtime route lookup -------------------------------------------------------------------------------- virtual-router: default destination: 2.2.2.2 result: interface ethernet1/1.236 In addition to virtual-router, destination, and result in the output, I was expecting to see the route entry that would be responsible for forwarding the packet. Is there a way I can see this information via the "test routing" command? Thanks, - Dave
... View more
10-22-2012
04:04 PM
Hi, I've deployed two standalone firewalls...i.e., non-HA. And have been using the interface comment field to document the switch port that interface is connected to. I'm now building an active/passive cluster and noticed that when I sync the configs, the passive firewall gets its interface comments overwritten with the comments from the active. I don't suppose there's any way to exclude this specific portion of the config from the HA sync? Alternatively, is there any other location in the config where I can document info such as this? Thanks and regards, - Dave
... View more
- Tags:
- interface_name
Labels:
- Labels:
-
Configuration
10-04-2012
02:11 PM
Thanks for the reply sdurga... Yes, as you say Panorama objects do not show up in XML config file on firewall...I wonder if there is a hidden command from CLI to see them? I wouldn't be surprised... Yep, I know you can see them on Web-UI of device and just count them...but was looking for another method for box to give me total #... thanks. - Dave
... View more
10-03-2012
12:50 PM
Heya, Two related questions regarding address objects and current limits.... 1) Is there a command to see the number of address objects currently on a specific firewall (whether they're local objects or Panorama objects)? I'm familiar with how to view address object limits for a particular platform (show system state | match address)...but would like to see how many address objects are currently on a given firewall. 2) Will there be any future enhancement to Panorama such that address objects not in use in a policy do not get downloaded to all firewalls in a given device group? As this would certainly lessen the number of address objects on any Panorama-managed firewall. And if there will be such a feature, will there also be a provision to go back and remove address objects not used in policies but that live on device today? Thanks and regards, - Dave
... View more
Labels:
- Labels:
-
Management
-
Panorama
09-20-2012
02:51 PM
Thanks for that, mate... would be nice if there was a feature to merge an XML config snippet in with the running.... but alas I'll get by....thanks...
... View more
09-20-2012
11:54 AM
Hi - I was wondering if it's possible to merge a portion of the Panorama config that I'm manipulating offline (say in Notepad++) with the existing Panorama running config? Specifically, I've got objects I'm defining in a device-group and I'm defining those in an XML file offline. What I'd like to do is upload/import this XML file and merge it into the existing Panorama running config. Is this possible? If not, I imagine I can just export the whole Panorama config.....do my edits/adds offline, and then upload whole config again? If this is the only option, can someone tell me the procedure for doing this in Panorama? Thanks much! - Dave
... View more
- Tags:
- panorama
Labels:
- Labels:
-
Management
-
Panorama
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-21-2022
09:38 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks