Overview Configuration Audit versions are useful for rolling a Palo Alto Networks firewall back to a past configuration or for the purpose of comparing the modifications made across commits. This document explains how to change the limit of saved audit versions using the WebUI and CLI. Details The Palo Alto
Issue Once configured, a Panorama template cannot be reset to default values. Note: The templates feature in Palo Alto Networks Panorama was introduced in PAN-OS 5.0. In this example, a high-availability profile was changed to enable HA and set GroupID 1. Template values can generally be removed by
Overview This document describes how to create an admin role in Palo Alto Networks Panorama and push this role to managed devices. The example screenshots below are from a Panorama and devices running PAN-OS 8.0.x, but the procedure also applies to previous and later versions. Steps Under Panorama > Templates, create a template
Threat ID 40033 is logged in the threat logs when the Palo Alto Networks firewall sees 500 DNS ANY queries in 60 seconds from the same source/destination pair. Details Threat ID 40033 indicates that a DNS ANY Queries Brute Force DOS Attack has been detected. While an ANY
It’s no surprise that in the wake of the rapid increase in cyber attacks, governments around the world are moving towards strengthening their cyber security, and even taking steps to mandate better collaboration on security issues between the private and public sectors. Here is a sample of the most recent initiatives: US – Feb-2013: Obama Orders Cybersecurity Standards for Infrastructure European Union – Feb-2013: EU Unveils New Cybersecurity Policy Italy – Jan-2013: Italian Government Approves Cybersecurity Measures to strengthen online security and protect critical infrastructure from increasing cyber …
The command show counter global provides information about the processes and actions applied to packets passing through the device: whether they are dropped, NAT-ed, decrypted, and so on. These counters cover all traffic and are useful in troubleshooting poor performance, packet loss, latency, and so on. Use the command
The command show system resources gives a snapshot of Management Plane (MP) resource utilization, including memory and CPU. This is similar to the ‘top’ command in Linux. show system resources reports the memory used and available and whether the MP is using swap. If the swap usage remains
The command show running resource-monitor gives an overview of the Data Plane (DP) CPU and buffer usage for various time intervals. The cores specified in the CPU usage output have dedicated functionalities: Core 0: used for Management Plane (MP) and Data Plane (DP) communication Core 1: used for session and
Overview This document explains how to perform a FIB lookup for a particular destination within a particular virtual router on a Palo Alto Networks firewall. Steps Select the desired virtual router from the list of virtual routers configured with the command: > test routing fib-lookup virtual-router Specify a destination
The recent New York Times attack, just like many of the other high-profile attacks over the past couple of years, demonstrated the evolution towards multi-vector, sophisticated attacks. If you haven’t enabled WildFire on your Palo Alto Networks firewalls to complement your threat prevention capabilities, it’s time to do so.
Overview This document describes the steps to properly generate and apply certificates for a scenario involving multiple GlobalProtect Gateways managed by a single GlobalProtect Portal. Steps Check licenses. The device hosting the portal should have both a portal and a gateway license. All the gateways managed by the portal need to have a
Issue A custom application has the same name as a new application in the latest installed content release. PAN-OS does not allow renaming the custom application, citing that the newly introduced application cannot be modified. Resolution Revert to a previous content release that does not contain the new application.
Note: Enter the commands in configure mode. MTU values can be set at the interface level. Management Interface (available in PAN-OS 5.0 and later): # set deviceconfig system mtu Dataplane Interface: # set network interface ethernet ethernet1/3 layer3 mtu MSS values can be adjusted only at the
Issue PAN-OS devices will not commit configurations that hard code interfaces to full duplex when speed is set to 1000. The commit will fail with the following error: Cause The commit fails because the Gigabit Ethernet specification requires auto-negotiation. Explicitly specifying 1000/full is technically an invalid configuration. In previous
Yesterday, I had the opportunity to attend our inaugural ‘lunch and learn’ technical seminar co-hosted with our strategic partner Citrix in the beautiful, but cloudy, Portland, Oregon. This seminar in Portland (along with a concurrent seminar that occurred in Salt Lake City) kicks off an entire series of seminars (“Ensure Performance and Security With an App-Enabled Cloud Network”) all across North America and Latin America. The recent ‘union’ between Palo Alto Networks and Citrix didn’t just result in a lunch at a great steak restaurant (Morton’s here in Portland), but …
Craig Elliott, chief executive officer of Pertino, a cloud-networking startup, knows that the antivirus software his company uses won’t deter all hacking attacks. That won’t stop him from using it. “It’s a safety blanket,” he says. “It’s CYA [cover your ass] more than anything else.”
Overview The Include/Exclude list is applied to the hosts and users identified through the User-ID Agent. The User-ID Agent tries to identify users for the IP range designated as Include. Likewise, the User-ID Agent does not identify users for the network address range designated as Exclude. Details If the
For those who missed it, Gartner, Inc. recently released its Magic Quadrant for Enterprise Network Firewalls, and it gives me pleasure to announce that we are again positioned in the “Leaders” quadrant. If you’re interested in reading the full report and seeing all of Gartner’s findings, you can get it here. While the full report has a number of interesting data points about the enterprise network firewall market that are worth noting, there are three that I find particularly interesting and want to highlight to you. Gartner’s report offered guidance …
Issue A VPN tunnel goes down and comes back up. A look at the global counters shows that the flow_fwd_zonechange counter is incrementing. > show counter global Cause The flow_fwd_zonechange counter indicates that the egress zone of a packet does not match the egress zone of the matching session.
Panorama can only be configured for one of the URL DBs (BrightCloud or PAN-DB). However, Panorama includes support for auto-migration of URL categories between non-matching vendors when pushing policies to managed devices. When a mismatch is detected between the URL DB configured on Panorama and URL DB configured
Overview In order to create or modify the URL filtering profiles that can be pushed to the managed Palo Alto Networks firewalls, Panorama needs to have a list of URL filtering categories. However, Panorama does not have a URL Filtering license, and the URL Filtering database does not appear under
Issue A site-to-site IPSec VPN between a Palo Alto Networks firewall and a firewall from a different vendor is configured. Phase 1 succeeds, but Phase 2 negotiation fails. A look at the ikemgr.log with the CLI command: > tail follow yes mp-log ikemgr.log shows the following errors: (
Symptom After replacing the fan in a Palo Alto Networks PA-5020, PA-5050, or PA-5060 firewall, the fan LED is green for 3 seconds and then turns off. Resolution Ensure the fan is inserted with the correct orientation. When replacing the fan, the filter should be closest to the chassis
Simple Network Management Protocol (SNMP) is a set of standards defined by the IETF used for network management. There are multiple versions of SNMP with differing levels of functionality and security. SNMP is used to query device state and to send alerts about events. This Tech Note shows you how
Overview This document describes how to enable, configure, and verify the DNS Proxy feature on a Palo Alto Networks firewall. Steps On the Web UI: Navigate to Network > DNS Proxy. Click Add to bring up the DNS Proxy dialog. Select the interfaces on which DNS proxy should
Symptom On a Palo Alto Networks PA-5000 Series firewall, the system logs may show the following messages: 2012/11/30 19:21:41 info general general 0 New Disk Pair maint detected. 2012/11/30 19:21:41 info general general 0 New Disk Pair sysroot0 detected. 2012/11/30 19:21:41 info general general 0 New Disk Pair sysroot1 detected.
Issue Single Sign-On (SSO) fails when using GlobalProtect (GP) on a Windows system running in a VMware virtualized environment when accessed with Remote Desktop. Cause When logged on to a VM via Remote Desktop, local credentials are not presented in the same way as a native operating system, due to