About Chatri

The best way to verify that would be do is from the CLI 1) Run the command set cli config-output-format set 2) PA-200>configure ( enter the configuration mode) 3) PA-200 # show ( just run the command 'show') This will show you the entire configuration, and then you can search fro the ip by using the character '/' on the CLI output, then search for the string ( which in this case would be your IP address that has been retired). Doing this will highlight any match for the IP address in the configuration. Using the key 'n' will keep showing you the next match for the ip in the config, you can keep doing that and figure out where in the config is that Ip being referenced. Hope this helps ... View more

Hello Mat, To answer your first question: 1.  When I click on 'load' next to a committed configuration in the list of backups, I dont understand where that loads to? (the message just says its loaded) Is it the configuration showing in the context in Panorama for that particular device (so when I go to that context will the candidate configuration be the one I loaded?) or is it loaded onto the actual device so if I log on locally will that be the candidate config? ---> When one clicks on load in the back up config sub tab...the config gets loaded on the device...it is as good as loading that version of config locally on the firewall. Regarding your second question: I tried to replicate it with a dataplane interface being used to connect to Panorama just as you have it set up...but do not see the same issue on 5.4 and 5.0.6 devices, it would be ideal to open up a case with support to track this issue, because as long as the devices are connected one should be able to load the config with the 'backups' load option. ... View more

Hello, If you have a case with PA support open, could you mention the case number? ... View more

I tried to replicate this issue and have not able to on any browser ( IE, Firefox and Chrome). Have you experienced the same issue with all browsers or is it just on Chrome? What version of Chrome are you using? But, to answer your question, there is no such known issue so far with the code 5.1.0. Can you try and see if you face the same issue with other browsers as well. ... View more

If you Look at the sessions that are getting created for SIP and RTP you will be able to see if the NAT is being properly applied or not. Now, the SIP INVITE packet will have the internal address in the SDP payload, and PA will have to NAT the SDP payload using the SIP NAT 1:1 NAT rule ( If no App override is in place) One way Audio, would usually mean, either the PA is not doing the correct NAT on the Payload which would mean the RTP session that are opened up will have the Internal Address, in which case the remote end will not be able to route the response correctly. Or If there is application Override in place, then the PA will not do a NAT at all on the INVITE payload, which would mean that the RTP session ( Audio) will get opened up with the Private address of the call initiator. The best way to verify if the PA is doing the NAT correctly, is to capture This traffic at receive and transmit stage on the PA, then look at the INVITE packet ( layer 7 payload ) to see if the Proposed IP in the Transmit capture is NATted by comparing it to the receive capture INVITE payload. Note: If the clients are NOT NAT AWARE ( if the clients are not configured to know their NATted IP), then application override will not solve the problem. You can upload the captures here along with SIP and RTP session details and I can take a look. Hope that helps. Aditya ... View more

Yes, you are correct in assuming that if you schedule the dynamic updates to be fetched only during the change controls windows to automatically upgrade the dynamic updates then this problem will not be something to worry about, as you can make changes to your rules based on any updated app after having tested during the change control windows. Hopr that helps. ... View more

Will you be able to provide the following info: 1) The decryption rule 2) The session details ( show session id output) for the ssl session. 3) If possible pcaps. We will first need to determine whether the session is getting decrypted or not ( I assume its not as the app is still 'ssl;'). Then we look in to the rule that you have in place to determine why the session may not be getting decrypted. Pcaps will tell us exactly what the certs are that are being exchanged suring the ssl handshake. Although, I recommend opening up a TAC case as all of this can done in one troubleshooting session. ... View more

Well, its hard to say why this was disabled as a default setting for a specific reason. But as far as the block page chewing up the sessions is concerned that definitely would not be an issue with the blocked applications, as the block page does not need additional sessions than the main browsing session, the block page is just pushed with a response page packet in the same session stream, so its highly unlikely that this would be an issue even with the non browser based apps. HTH ... View more

5.0.3 definitely had a lot of log indexing issues that usually cause restarts of MGT server as well as a few other userid issues which also caused the MGT CPU to spike. But as far as the log indexing issue goes that can cause high CPU issues, that will be fixed in 5.0.7. 5.0.6 although has a few fixes with respect to high CPU issues, waiting for 5.0.7 ( which should be out anytime in the next 12-13 days) will not be a bad option at all. HTH ... View more

The interface that you are using to log in to the API browser or to put in the API request, you set up an interface management profile on that interface and  specify permitted Ip addresses on it. That should help you achieve what you are trying to achieve. ... View more

Have you tried restarting the user-id service on the machine on which the pan_agent is installed? ... View more