About drewdown

Do the HA ports come up even if HA isn't enabled?    I have a production 3220 I am trying to add a new 3220 to and before I enable HA I wanted to make sure the HA ports were up and working before I flip the switch.  The HA ports are showing down and the onsite contact said they are connected directly to each other and the chances that both have bad ethernet cables are slim to none.  Using straight through cables and not crossover.     ha1-a: Control link 192.168.162.1/192.168.162.2 ha1-b: HA1 Backup 192.168.162.5/192.168.162.6 ethernet1/6: Data link <<<< only ports showing up 192.168.162.9/192.168.162.10         To be Passive (NEW 3220): ethernet1/6 69 1000/full/up 64:7c:e8:47:49:45 ha1-a 5 ukn/ukn/down(autoneg) 08:66:1f:05:ee:57 ha1-b 7 ukn/ukn/down(autoneg) 64:7c:e8:47:49:0 ha1-a 5 1 ha 0 N/A ha1-b 7 1 ha 0 N/A ######################################### Active (Production 3220): ethernet1/6 69 1000/full/up 84:d4:12:3e:da:45 ha1-a 5 ukn/ukn/down(autoneg) 08:66:1f:03:55:02 ha1-b 7 ukn/ukn/down(autoneg) 84:d4:12:3e:da:07 ha1-a 5 1 ha 0 N/A ha1-b 7 1 ha 0 N/A     ... View more

Trying to provide some tunnel redundancy to some of our AWS environments.  I have 2 ISPs both with an interface/static IPs on my HA PANs. ISP-A is my default with a default route to the internet pointing to its next hop.   ISP- A Eth1/8 9.9.9.9/24 ZONE-A ISP-B Eth1/7 10.10.10.10/24 ZONE-B   Currently have all my VPN tunnels across ISP-A and want to bring up some tunnels across ISP-B.  I created the IKE gateways and attached them to Eth1/7 ISP-B but in the logs I see the VPN traffic being dropped because its sending the traffic from Eth1/7 to Eth1/8 which is wrong, it should just go from Eth1/7 to the internet.  I am missing something but not sure what.   Do both public interfaces need to be in the same ZONE?  That is the only thing I can really see that maybe causing it.  We have 2 static routes pointing out each ISP with the metric on the ISP-B higher than ISP-A so it prefers that route.     How do I force specific VPN tunnel traffic out of the secondary interface?  I thought just trying the gateways to that interface would suffice but it doesn't appear to be the case.     Do I need static routes pointing to ISP-B for each tunnel endpoint at AWS?       ... View more

I have Panorama managing roughly 10 firewalls.  I have logging setup on those FWs to send to Panorama, email and send syslog to a 3rd party host.  I struggled immensely trying to get everything configured correctly on PANORAMA and the FWs themselves to even send logs.   The syslog server is getting the logs but they are all coming from PANORAMA vs the local FWs and I can't seem to figure out why.     I have a syslog server profile configured on PANORMA and pushed/created the same on every firewall. I don't have templates for every fw (why I don't know - dont get me started on templates) so I manually created a matching syslog server profile on all them because if I didn't the push would complain about that profile not existing on them.    I also have a Log Forwarding object on all of them that includes sending syslog to the syslog server profile:   Now when the logs reach the syslog server they are coming from the PANORAMA and not the fws themselves.  I thought having the Forward Method option of "Panorama/Logging Service" unchecked would mean the FWs themselves would send the logs but that doesn't seem to be the case.   Can someone explain what that option entails and the best way to go about this?  I would think I would want the fws to send syslogs themselves so that the fw IPs would be seen as the sender but I can't get them to do that.  They are in the actual log but the reporting IP is PANORAMA. I ran a pcap for 514 on one of the firewalls and it shows sending them to the syslog server but the security team reports that no logs come from the individual fw IPs.         admin@3020(active)> tcp 0 0 10.100.1.40:44984 10.129.2.99:514 ESTABLISHED admin@3020(active)> tcpdump filter "port 514" snaplen 0 Press Ctrl-C to stop capturing tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes ^C2 packets captured 4 packets received by filter 0 packets dropped by kernel admin@3020(active)> view-pcap mgmt-pcap mgmt.pcap 10:17:14.544409 IP 3020.domain4u.com.44984 > ec222.domain4u.com.shell: . ack 1879714823 win 115 10:17:14.560967 IP ec222.domain4u.com.shell > 3020.domain4u.com.44984: . ack 1 win 211           If I run the same commands from the PANORAMA I see this:     admin@m100> tcpdump filter "port 514" snaplen 0 Press Ctrl-C to stop capturing tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes ^C6 packets captured 17 packets received by filter 0 packets dropped by kernel admin@pan-m100-cs> view-pcap mgmt-pcap mgmt.pcap 10:49:56.794253 IP panorama.domain4me.com.53305 > ec222.domain4u.com.syslog: SYSLOG user.info, length: 573 10:49:56.794299 IP panorama.domain4me.com.53305 > ec222.domain4u.com.syslog: SYSLOG user.info, length: 573 10:49:56.794348 IP panorama.domain4me.com.53305 > ec222.domain4u.com.syslog: SYSLOG user.info, length: 573 10:49:56.796670 IP panorama.domain4me.com.53305 > ec222.domain4u.com.syslog: SYSLOG user.info, length: 572 10:49:56.796705 IP panorama.domain4me.com.53305 > ec222.domain4u.com.syslog: SYSLOG user.info, length: 572 10:49:56.796756 IP panorama.domain4me.com.53305 > ec222.domain4u.com.syslog: SYSLOG user.info, length: 572       And I do have PANORAMA > Syslog Server Profile configured as well, so is that what is sending the logs? If so what are the local firewalls doing if anything at all?  I just can't seem to wrap my head around the right way to do this.  Meaning how do you do this from PANORAMA if you don't have Templates for every device?  Note all of my polices originate from PANORAMA and they all have the same logging configuration so why are am I no seeing event logs from the firewalls when the cli shows its sending them?      ... View more