USER --https-- PANORAMA(vm-ver10) -- sgzdmzfw01(PA-5050) -- ldzdmzfw01(PA-5050)

----

UI:
  * Contexts (Panorama itself vs. each managed firewall)
  * Commit from Panorama. Multiple changes can be staged and pushed together OOH.
  * Policies (pre rules and post rules; the firewall's local rules are evaluated between them)

----

IF WE SUSPECT WE ARE UNDER ATTACK, FIRST THINGS TO CHECK:
  * PANO: Monitor > Logs > Threat, filtered by ''( severity eq critical )''
  * PANO: Monitor > Logs > Traffic (unexpected sources, denied sessions, odd applications)
  * CLI: ''show running resource-monitor'' (dataplane CPU and session load) [[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVpCAK|External Link]]

----

**COMMIT: two steps. First Commit to Panorama (this only saves Panorama's own configuration), then Push to Devices so the device group / template changes are committed on the gateways. Nothing reaches the firewalls until the push.**
  * Create rules: Policies > Security > Pre Rules (or Post Rules), Add, Rule Name, Rule Type (universal), User (if required), Application.
  * To list the user groups that PA periodically pulls down from LDAP: https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Check-Users-in-LDAP-Groups/ta-p/59028

When using the CLI, it is still better to commit via the UI. The CLI largely follows the Junos paradigm (hierarchy levels, ''set'', stanzas and ''commit''):
<code>
> set cli config-output-format set          # operational mode: display configuration as set commands
> configure                                  # enter configuration mode (prompt changes to #)
# set deviceconfig system ip-address 192.168.0.150 default-gateway 192.168.0.1
# show | match whatever                      # show the candidate config (set format), filtered on a string
# edit deviceconfig system                   # move to a hierarchy level, Junos style; ''top'' / ''up'' to go back
# commit
</code>

----

__CLI commands__:
<code>
show user ip-user-mapping all                                     # all current IP-to-user mappings
show user ip-user-mapping all type CP                             # captive-portal mappings only: find the entry to clear
debug user-id reset captive-portal ip-address 10.8.20.134         # kicks the user out and forces re-authentication
debug user-id reset captive-portal ip-address 10.200.10.118       # same, second example
clear user-cache all                                              # flush the user/group cache
show captive-portal                                               # view captive-portal config
test authentication authentication-profile <profile> username <user> password   # RADIUS/LDAP auth-profile test (prompts for the password)
request support check                                             # support entitlement check
show log iptag datasource_subtype equal VMWare_Esxi               # IP-tag log entries from the ESXi data source
</code>
__General troubleshooting__
<code>
show system info
show jobs processed                       # confirm commits and the autocommit finished OK (especially after updates)
ping source int-ip-addr host ip-addr      # ''source'' is not needed when pinging from the mgmt interface
</code>

Captures in CLI (dataplane packet capture):
<code>
debug dataplane packet-diag set filter on
debug dataplane packet-diag set filter match source src_ip destination dest_ip
debug dataplane packet-diag set capture stage receive file mypcapfile.pcap
debug dataplane packet-diag set capture on
! generate traffic, then:
debug dataplane packet-diag set capture off
view-pcap filter-pcap mypcapfile.pcap
tftp export filter-pcap from mypcapfile.pcap to 10.10.10.10
! clean up (filters and capture left on cost dataplane CPU):
debug dataplane packet-diag set capture off
debug dataplane packet-diag set filter off
debug dataplane packet-diag clear filter all
debug dataplane packet-diag clear capture stage receive
delete debug-filter file mypcapfile.pcap
</code>
Caveats: the filter marks sessions as they are created, so a session that already exists is not captured until it is cleared (''clear session id <id>'') or re-established. Check the filter with ''debug dataplane packet-diag show setting'' before generating traffic, and confirm packets are actually hitting it with ''show counter global filter packet-filter yes delta yes''.

To verify policy access (run on the gateways, not on Panorama):
<code>
test security-policy-match protocol 6 from OUTSIDE to INSIDE source 207.82.215.170 destination 204.128.53.8 destination-port 5046
test security-policy-match protocol 6 from OUTSIDE to INSIDE source 10.30.162.81 destination 10.35.56.40 destination-port 443 source-user corporate\gphillip
</code>
This returns the first rule that would match. When NAT is involved, give the pre-NAT destination address and the post-NAT ''to'' zone, because that is what the security policy lookup sees.

Logging (''direction equal backward'' shows the latest entries first):
<code>
show log traffic direction equal backward
show log system direction equal backward
show log url direction equal backward
show system logdb-quota
show running logging
</code>

System:
<code>
show system statistics
show interface ethernet1/?                # ? lists the available interfaces
show interface all                        # interfaces with their zones
show counter global
show routing route
show running resource-monitor             # dataplane CPU
show system resources                     # management-plane CPU and memory (top style)
</code>

Debugging:
<code>
debug dataplane pool statistics           # buffer pool exhaustion when the first number of x/y gets close to 0
show system state filter sys.monitor.mp.exports
show system state filter sys.monitor.dp.exports
show session all | match ip-addr          # find the session id nnnnn for an address
show session id nnnnn                     # details of that session
</code>
<code>
tftp export configuration from running-config.xml to ip-addr   # save the running config to the tftp server at ip-addr
tftp export stats-dump to ip-addr                              # data for the AVR report
debug dataplane packet-diag show setting                       # check the current capture/filter settings
</code>

Check users in AD groups:
<code>
show user group list | match trax-information
show user group name "cn=netperm-trax-information-services,ou=network permissions,ou=groups,ou=resources,dc=corporate,dc=local"
</code>

----

**PANORAMA NOTES - PANOS NOTES:**

To see traffic: Monitor > Logs > Traffic \\
User auth: User auth > Captive Portal \\

PANORAMA MONITOR filter examples (''in'' takes an address or CIDR; ''neq'' is "not equal"):
<code>
( addr.src in 192.168.67.130 ) and ( app eq dns )
( addr.src in 192.168.67.130 ) and ( action neq allow ) and ( app eq ms-update )
</code>

----

How to View Currently Installed SFP Modules: [[https://live.paloaltonetworks.com/t5/Management-Articles/How-to-View-Currently-Installed-SFP-Modules/ta-p/60908]]

Support: ''request support check''

----

**Captive portal**
<code>
show user ip-user-mapping all type CP                          # find the captive-portal mapping to clear
debug user-id reset captive-portal ip-address 10.200.10.118    # force that user to re-authenticate (example)
test cp-policy-match source x.x.x.x destination y.y.y.y        # test whether captive portal applies between two addresses
show running captive-portal-policy                             # current captive-portal policy
</code>

----

After updates, run ''show jobs processed'' and make sure the autocommit completed OK before troubleshooting anything else.
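The Monitor filters above, and the ''( severity eq critical )'' triage filter, can be rehearsed offline against an exported log before they are needed in a hurry. The following is an added example written for this page, not PAN-OS or Panorama code: a small evaluator for the subset of the Monitor query syntax these notes use (''eq'', ''neq'', ''in'', and/or, nested parentheses) run over a handful of constructed log rows. The record field names mirror the filter-bar field names; the rows, users and addresses are made up.

```python
"""Offline evaluator for Panorama/PAN-OS Monitor filter expressions (added example; not
PAN-OS code). Handles the subset of the query syntax used on this page: parenthesised
terms "( field op value )" joined by and/or, with nested groups; operators eq, neq and
in, where in on addr.* fields means IP/CIDR containment. Precedence mirrors the filter
bar: and binds tighter than or."""
import ipaddress
import re
from collections import Counter

# Constructed records shaped like rows exported from Monitor > Logs > Threat/Traffic,
# reduced to the fields the filters below reference. Not real log data.
SAMPLE_LOGS = [
    {"type": "THREAT", "severity": "critical", "addr.src": "192.168.67.130", "addr.dst": "203.0.113.10",
     "app": "web-browsing", "action": "alert", "user.src": "corporate\\wabidoye"},
    {"type": "THREAT", "severity": "critical", "addr.src": "10.30.162.81", "addr.dst": "203.0.113.10",
     "app": "ssl", "action": "reset-both", "user.src": "corporate\\gphillip"},
    {"type": "THREAT", "severity": "medium", "addr.src": "192.168.67.44", "addr.dst": "203.0.113.77",
     "app": "web-browsing", "action": "alert", "user.src": "unknown"},
    {"type": "TRAFFIC", "addr.src": "192.168.67.130", "addr.dst": "198.51.100.53",
     "app": "dns", "action": "allow", "user.src": "corporate\\wabidoye"},
    {"type": "TRAFFIC", "addr.src": "192.168.67.130", "addr.dst": "198.51.100.20",
     "app": "ms-update", "action": "deny", "user.src": "corporate\\wabidoye"},
    {"type": "TRAFFIC", "addr.src": "192.168.67.130", "addr.dst": "198.51.100.20",
     "app": "ms-update", "action": "allow", "user.src": "corporate\\wabidoye"},
]

# parentheses, quoted strings, or bare words (a bare word never swallows a paren)
_TOKEN = re.compile(r"""\(|\)|'[^']*'|"[^"]*"|[^\s()'"]+""")
OPERATORS = {"eq", "neq", "in"}


class Filter:
    """Parse once, then call match(record) for each log row."""

    def __init__(self, expr):
        self._toks = _TOKEN.findall(expr)
        self._pos = 0
        self._tree = self._or()
        if self._pos != len(self._toks):
            raise ValueError(f"trailing token {self._toks[self._pos]!r}")

    def _peek(self):
        return self._toks[self._pos] if self._pos < len(self._toks) else None

    def _take(self, expected=None):
        tok = self._peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'token'}, got {tok!r}")
        self._pos += 1
        return tok

    def _or(self):                      # lowest precedence
        node = self._and()
        while (self._peek() or "").lower() == "or":
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):                     # binds tighter than or
        node = self._atom()
        while (self._peek() or "").lower() == "and":
            self._take()
            node = ("and", node, self._atom())
        return node

    def _atom(self):
        self._take("(")
        if self._peek() == "(":         # nested group: ( (a) and (b) )
            node = self._or()
        else:                           # plain term: ( field op value )
            field, op, value = self._take(), self._take().lower(), self._take().strip("'\"")
            if op not in OPERATORS:
                raise ValueError(f"unsupported operator {op!r}")
            node = ("term", field, op, value)
        self._take(")")
        return node

    def match(self, rec):
        return self._eval(self._tree, rec)

    def _eval(self, node, rec):
        if node[0] == "and":
            return self._eval(node[1], rec) and self._eval(node[2], rec)
        if node[0] == "or":
            return self._eval(node[1], rec) or self._eval(node[2], rec)
        _, field, op, value = node
        actual = rec.get(field, "")
        if op == "in" and field.startswith("addr."):    # address or CIDR containment
            try:
                return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
            except ValueError:
                return False
        same = actual.lower() == value.lower()
        return not same if op == "neq" else same


def query(expr, records=SAMPLE_LOGS):
    """Rows matching the filter expression, in log order."""
    f = Filter(expr)
    return [r for r in records if f.match(r)]


def critical_sources(records=SAMPLE_LOGS):
    """Suspected attack: which sources are generating critical threats."""
    return Counter(r["addr.src"] for r in query("( severity eq critical )", records))


if __name__ == "__main__":
    for expr in ["( severity eq critical )",
                 "( addr.src in 192.168.67.130) and ( app eq dns )",
                 "( addr.src in 192.168.67.130) and (action neq allow ) and ( app eq ms-update )",
                 r"( user.src eq 'corporate\wabidoye' )"]:
        print(f"{len(query(expr))} hit(s): {expr}")
    print(critical_sources())
```

The same ''Filter'' can be pointed at a CSV export of the real log once the rows are read into dictionaries keyed by the filter-bar field names; an unsupported operator raises instead of silently matching nothing.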
MONITOR filter on a user:
<code>
( user.src eq 'corporate\wabidoye' )
</code>

----

URL filtering (Panorama configuration mode; the prompt shows the level reached with ''edit shared profiles url-filtering Profile-URL-Filtering''):\\
''Panorama# [edit shared profiles url-filtering Profile-URL-Filtering]''

----

PALO ALTO NETWORKING:\\
[[https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking.html]]\\
To quickly check what role the firewall has in the network (running a routing protocol or just static routes):
<code>
> show routing summary
</code>
Or via the UI, on the firewall itself (not Panorama): Network > Virtual Routers > click the hyperlink under the Name column.

----

__USE CASES__:\\
NAT between two zones, knowing the source zone, the source NAT, the destination zone and the source-NATted IPs:
  * Determine the zone the un-NATted source/interface IP would be in: on the local FW CLI, ''show routing route''. The zone comes from the route lookup, and the same lookup on the pre-NAT destination address is what decides the destination zone of the inbound NAT rule.
  * Policies > NAT > Pre Rules: set the from/to zones, then ''source-translation static-ip translated-address <ip>'' plus ''bi-directional yes'', so the firewall also translates the public IP back to the host for inbound traffic.
  * Then, if we want to allow inbound through that NATted IP:
    * Policies > Security > Pre Rules
    * inside and outside ranges and zones, with the destination set to the NATted (public) IP defined before. The security policy is matched on the pre-NAT destination address but the post-NAT destination zone, so the rule reads from OUTSIDE to INSIDE with destination = the public IP, not the inside host address.
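The NAT use case and the ''test security-policy-match'' checks come down to one ordering: NAT is decided first, with the destination zone taken from the route lookup of the pre-NAT destination, and the security lookup then sees the pre-NAT addresses but the post-NAT destination zone, walking Panorama pre-rules, the firewall's local rules, post-rules and finally the implicit defaults. The model below is an added example written for this page, not PAN-OS code: zones, routes, rules and addresses are constructed, and the implied reverse rule created by ''bi-directional yes'' is modelled on an assumption (it matches destination == translated address from any source zone and maps it back to the inside host).

```python
"""Model of how a Panorama-managed PAN-OS firewall resolves a flow to a security rule.
Added example, not PAN-OS code. Order modelled: (1) NAT lookup, whose destination zone
is the route lookup of the PRE-NAT destination; (2) security lookup on the PRE-NAT
addresses but the POST-NAT destination zone; (3) rulebase walk in Panorama order:
pre-rules, local rules, post-rules, then intrazone-default allow / interzone-default deny.
Zones, routes, rules and addresses are all constructed for this example."""
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass
class SecRule:
    name: str
    from_zone: str        # zone name or ANY
    to_zone: str
    source: object        # list of IP/CIDR strings or ANY
    destination: object
    dst_port: object      # set of ints or ANY
    user: object          # list of user names or ANY
    action: str


@dataclass
class NatRule:            # source-translation static-ip
    name: str
    from_zone: str
    to_zone: str
    source: str           # inside host
    translated: str       # translated-address (public IP)
    bidirectional: bool = True


# Constructed route table; the zone is what ''show routing route'' implies for each prefix.
ROUTES = {"0.0.0.0/0": "OUTSIDE", "10.35.56.0/24": "INSIDE", "10.30.0.0/16": "VPN"}


def zone_for(addr):
    """Zone of the longest-prefix route covering addr."""
    a = ipaddress.ip_address(addr)
    best = max((ipaddress.ip_network(n) for n in ROUTES if a in ipaddress.ip_network(n)),
               key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def _in(value, members, as_ip=False):
    if members == ANY:
        return True
    if as_ip:
        a = ipaddress.ip_address(value)
        return any(a in ipaddress.ip_network(m, strict=False) for m in members)
    return value in members


NAT_RULES = [NatRule("inside-web-static", "INSIDE", "OUTSIDE", "10.35.56.40", "192.0.2.8")]
PRE_RULES = [SecRule("pano-block-scanner", "OUTSIDE", ANY, ["203.0.113.66/32"], ANY, ANY, ANY, "deny")]
LOCAL_RULES = [
    # Inbound through the static NAT: the destination is the PUBLIC (pre-NAT) address,
    # while the to-zone is INSIDE (post-NAT). A rule written with 10.35.56.40 never matches.
    SecRule("local-allow-web-in", "OUTSIDE", "INSIDE", ANY, ["192.0.2.8/32"], {443}, ANY, "allow"),
    SecRule("local-allow-gphillip", "VPN", "INSIDE", ANY, ["10.35.56.40/32"], {443},
            ["corporate\\gphillip"], "allow"),
]
POST_RULES = [SecRule("pano-allow-outbound", "INSIDE", "OUTSIDE", ANY, ANY, ANY, ANY, "allow")]


def apply_nat(from_zone, src, dst, nat_rules=NAT_RULES):
    """Return (matched NAT rule name or None, post-NAT source, post-NAT destination)."""
    pre_dst_zone = zone_for(dst)
    for r in nat_rules:
        if r.from_zone == from_zone and r.to_zone == pre_dst_zone and src == r.source:
            return r.name, r.translated, dst
        # Assumption for bi-directional yes: the implied reverse rule matches on
        # destination == translated address, from any source zone, and maps it back.
        if r.bidirectional and dst == r.translated:
            return r.name + " (reverse)", src, r.source
    return None, src, dst


def policy_match(from_zone, src, dst, dst_port, user=None, *,
                 pre=PRE_RULES, local=LOCAL_RULES, post=POST_RULES):
    """Offline stand-in for test security-policy-match: first rule hit in Panorama order."""
    nat_name, post_src, post_dst = apply_nat(from_zone, src, dst)
    to_zone = zone_for(post_dst)          # security policy uses the POST-NAT destination zone
    ordered = [("pre", r) for r in pre] + [("local", r) for r in local] + [("post", r) for r in post]
    for rulebase, rule in ordered:
        if (rule.from_zone in (ANY, from_zone) and rule.to_zone in (ANY, to_zone)
                and _in(src, rule.source, as_ip=True)          # PRE-NAT addresses
                and _in(dst, rule.destination, as_ip=True)
                and _in(dst_port, rule.dst_port)
                and (rule.user == ANY or user in rule.user)):
            return {"rule": rule.name, "rulebase": rulebase, "action": rule.action,
                    "to_zone": to_zone, "nat": nat_name, "post_nat": (post_src, post_dst)}
    name, action = (("intrazone-default", "allow") if from_zone == to_zone
                    else ("interzone-default", "deny"))
    return {"rule": name, "rulebase": "default", "action": action,
            "to_zone": to_zone, "nat": nat_name, "post_nat": (post_src, post_dst)}


if __name__ == "__main__":
    print(policy_match("OUTSIDE", "203.0.113.10", "192.0.2.8", 443))
    print(policy_match("OUTSIDE", "203.0.113.10", "192.0.2.8", 5046))
    print(policy_match("INSIDE", "10.35.56.40", "198.51.100.5", 443))
```

Two things the model makes visible that the CLI output does not explain: a Panorama pre-rule deny wins over a local allow regardless of how specific the local rule is, and the inbound allow only hits because its destination is the public address while its to-zone is the inside zone.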