dokucama

User Tools

Site Tools

Trace: machine_learning ansible tcpnotes
network_stuff:palo_alto

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
network_stuff:palo_alto [2023/03/24 20:00] jotasandokunetwork_stuff:palo_alto [2023/11/02 14:38] (current) – external edit 127.0.0.1
Line 3: Line 3:
  
 ---- ----
-IU:+UI:
 \\ \\
   * Contexts    * Contexts 
-  * Commit from panorame. We can stage multiple changes and stage OOH,+  * Commit from panorama. We can stage multiple changes and stage OOH,
   * Policies (pre and post rules)   * Policies (pre and post rules)
  
Line 36: Line 36:
  
   show user ip-user-mapping   show user ip-user-mapping
 +  debug user-id reset captive-portal ip-address 10.8.20.134    # This will kick out the user
   debug user-id reset captive-portal <ip-address>   debug user-id reset captive-portal <ip-address>
   request support check #    request support check # 
   !   !
 +  ! USERS
   show user ip-user-mapping all  # Users   show user ip-user-mapping all  # Users
   clear user-cache all   clear user-cache all
Line 48: Line 50:
   show log iptag datasource_subtype equal VMWare_Esxi   show log iptag datasource_subtype equal VMWare_Esxi
   !   !
-  test cp-policy-match source x.x.x.x destination y.y.y.y  ! Policy testing  
-  show running captive-portal-policy  -> current captive-portal policy 
  
 __General troubleshooting__ __General troubleshooting__
Line 82: Line 82:
  
   show system statistics   show system statistics
 +Logging
   show interface ethernet1/?   show interface ethernet1/?
   shows latest log entries first   shows latest log entries first
   show log traffic direction equal backward   show log traffic direction equal backward
 +  show log system direction equal backward
 +  show log url direction equal backward
  
  
-  !+System:
   show system statistics   show system statistics
   show interface ethernet1/?   show interface ethernet1/?
-  ! 
-  show log traffic direction equal backward 
-  shows latest log entries first 
-  ! 
-  show log system direction equal backward 
-  show log url direction equal backward 
-  ! 
   show system logdb-quota   show system logdb-quota
   show running logging   show running logging
   show counter global   show counter global
-  !+  show routing route 
 +  show running resource-monitor 
 +  show system resources 
 +   
 +  show log traffic direction equal backward 
 +  shows latest log entries first 
 +   
 +Debugging:
   debug dataplane pool statistics # look for buffer pool exhaustion (when first number of x/y gets close to 0)   debug dataplane pool statistics # look for buffer pool exhaustion (when first number of x/y gets close to 0)
   !   !
Line 110: Line 112:
   !   !
   show interfaces all ! to see interfaces and its zones   show interfaces all ! to see interfaces and its zones
-  show routing route 
-  show running resource-monitor 
   !   !
-  show system resources 
-  ! 
-   
   tftp export configuration from running-config.xml to ip-addr # to save running-config to tftp server at ip-addr   tftp export configuration from running-config.xml to ip-addr # to save running-config to tftp server at ip-addr
   tftp export stats-dump to ip-addr # to save data for AVR report to tftp server at ip-addr   tftp export stats-dump to ip-addr # to save data for AVR report to tftp server at ip-addr
- 
- 
  
  
Line 129: Line 124:
 show user group name "cn=netperm-trax-information-services,ou=network permissions,ou=groups,ou=resources,dc=corporate,dc=local" show user group name "cn=netperm-trax-information-services,ou=network permissions,ou=groups,ou=resources,dc=corporate,dc=local"
  
 +----
  
- +**PANORAMA NOTES - PANOS NOTES:**
- +
- +
----- +
-**Panorama notes:**+
  
 TO see traffic TO see traffic
   Monitor > Logs > Traffic   Monitor > Logs > Traffic
   User auth > Captive Portal   User auth > Captive Portal
-\\ 
- * Create rules : sec tab (before rule), Add , Rule Name, Post Rule , Rule type (universal) ; User (if required) ; Application 
- * COMMIT: 2 commits: 1st panorama, then properly commit to the gateway 
-\\ 
-To list the user groups that PA periodically pull down from LDAP: https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Check-Users-in-LDAP-Groups/ta-p/59028 
 \\ \\
 PANORAMA MONITOR:\\ PANORAMA MONITOR:\\
Line 154: Line 141:
  
  
-CLI commands: 
  
-  show user ip-user-mapping 
-  debug user-id reset captive-portal ip-address 10.8.20.134    # This will kick out the user 
-\\ 
 How to View Currently Installed SFP Modules: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-View-Currently-Installed-SFP-Modules/ta-p/60908 How to View Currently Installed SFP Modules: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-View-Currently-Installed-SFP-Modules/ta-p/60908
 \\ \\
Line 164: Line 147:
 Support Support
 request support check request support check
- 
----- 
- 
- Users 
-  show user ip-user-mapping all 
-  clear user-cache (#all) 
  
 ---- ----
Line 177: Line 154:
   debug user-id reset captive-portal ip-address 10.200.10.118 # Force the user to re-authenticate (example)   debug user-id reset captive-portal ip-address 10.200.10.118 # Force the user to re-authenticate (example)
 \\ \\
-  show captive-portal -> view captive-portal config 
-  test authentication authentication-profile testny username xxxxxx password -> Radius testing 
-  find command keyword Esx 
-  show log iptag datasource_subtype equal VMWare_Esxi 
  
   test cp-policy-match source x.x.x.x destination y.y.y.y  -> Test captive-portal if works between two addresses   test cp-policy-match source x.x.x.x destination y.y.y.y  -> Test captive-portal if works between two addresses
Line 218: Line 191:
   show running resource-monitor   show running resource-monitor
   show system resources   show system resources
-\\ +
-tftp export configuration from running-config.xml to ip-addr +
-to save running-config to tftp server at ip-addr +
-\\ +
-tftp export stats-dump to ip-addr +
-to save data for AVR report to tftp server at ip-addr+
 \\ \\
 ---- ----
Line 235: Line 203:
  
 ---- ----
-Generate traffic and then: 
-  debug dataplane packet-diag set capture off 
-  view-pcap filter-pcap mypcapfile.pcap 
-  tftp export filter-pcap from mypcapfile.pcap to 10.10.10.10 
-\\ 
  
-Clean up: 
-  debug dataplane packet-diag set capture off 
-  debug dataplane packet-diag set filter off 
-  debug dataplane packet-diag clear filter all 
-  debug dataplane packet-diag clear capture stage receive 
-  delete debug-filter file mypcapfile.pcap 
-\\ 
-Check settings: 
-  debug dataplane packet-diag show setting 
-\\ 
-Check Users in AD groups 
-  show user group list | match trax-information 
-  show user group name "cn=netperm-trax-information-services,ou=network permissions,ou=groups,ou=resources,dc=corporate,dc=local" 
  
- match the group name in AD 
- 
-then use group name command which will list all the users in the group 
- 
-USEFUL FILTER EXPRESSION 
  
 MONITOR MONITOR
Line 266: Line 211:
  
 ---- ----
-**To verify POLICY (from the gateways)** 
- 
-  test security-policy-match protocol 6 from OUTSIDE to INSIDE source 207.82.215.170 destination 204.128.53.8 destination-port 5046 
- 
-  > show user user-ids match-user atelesford 
- 
-  test security-policy-match protocol 6 from OUTSIDE to INSIDE source 10.30.162.81 destination 10.35.56.40 destination-port 443 source-user corporate\gphillip 
-   
      
  
network_stuff/palo_alto.1679688032.txt.gz · Last modified: (external edit)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki