network_stuff:palo_alto


USER --https-- PANORAMA(vm-ver10)  -- sgzdmzfw01(PA-5050)
                                   -- ldzdmzfw01(PA-5050)

UI:

  • Contexts (switch between Panorama and each managed firewall)
  • Commit from Panorama. Multiple changes can be staged and pushed out of hours (OOH).
  • Policies (pre- and post-rules)

IF WE SUSPECT WE ARE UNDER ATTACK, FIRST THINGS TO CHECK:

  • PANO: Monitor > Logs > Threat, filtered by ( severity eq critical )
  • PANO: Monitor > Logs > Traffic
  • cli: show running resource-monitor   (dataplane CPU and packet-buffer load)

COMMIT: two steps: first commit to Panorama, then push to the devices (Commit > Push to Devices), which commits the change on the gateways.

When using the CLI it is still better to commit via the UI. The CLI follows the Junos paradigm closely (levels, set, stanzas and commit):

 > set cli config-output-format set        << show the config in "set" format (like junos "display set")
 > configure
 # set deviceconfig system ip-address 192.168.0.150 default-gateway 192.168.0.1
 # show | match whatever                   << show the configuration (in set format after the command above), filtered
 # edit deviceconfig system                << move to a level (same fashion as junos)

CLI commands (items not repeated in the notes below):

show system statistics
show interface ethernet1/?                   # tab-complete to list the ethernet1/x interfaces
show interfaces all                          # interfaces with their zones
show log traffic direction equal backward    # latest traffic log entries first


Panorama notes:

To see traffic: Monitor > Logs > Traffic
User auth > Captive Portal


  • Create rules: Policies > Security tab (pre-rule or post-rule), Add, Rule Name, Rule type (universal); User (if required); Application
  • COMMIT: 2 commits: first to Panorama, then push/commit to the gateway
To list the user groups that the PA periodically pulls down from LDAP: https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Check-Users-in-LDAP-Groups/ta-p/59028
PANORAMA MONITOR:
Examples:

( addr.src in 192.168.67.130) and ( app eq dns )
( addr.src in 192.168.67.130) and (action neq allow ) and ( app eq ms-update )

CLI commands:

show user ip-user-mapping
debug user-id reset captive-portal ip-address 10.8.20.134    # This will kick out the user


How to View Currently Installed SFP Modules: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-View-Currently-Installed-SFP-Modules/ta-p/60908

Support: request support check    # checks the support/licence status of the device with Palo Alto Networks


Users

show user ip-user-mapping all
clear user-cache all

Captive portal

show user ip-user-mapping all type CP        # verify which user account to clear
debug user-id reset captive-portal ip-address 10.200.10.118   # force the user to re-authenticate (example)

show captive-portal                          # view the captive-portal config
test authentication authentication-profile testny username xxxxxx password   # RADIUS testing (prompts for the password)
find command keyword Esx                     # search the CLI for commands containing a keyword
show log iptag datasource_subtype equal VMWare_Esxi
test cp-policy-match source x.x.x.x destination y.y.y.y   # test which captive-portal policy matches between two addresses
show running captive-portal-policy           # current captive-portal policy

General troubleshooting

show system info
show jobs processed                          # make sure the AutoCom (autocommit) job completed OK, especially after updates
ping source int-ip-addr host ip-addr         # "source int-ip-addr" is not needed when pinging from the mgmt interface


show log system direction equal backward
show log url direction equal backward
show system logdb-quota
show running logging
show counter global

debug dataplane pool statistics              # look for buffer pool exhaustion: the first number of free/total getting close to 0

show system state filter sys.monitor.mp.exports
show system state filter sys.monitor.dp.exports
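A small parser for the "debug dataplane pool statistics" check above, added here as an example (it is not from the original page and not a Palo Alto tool). It reads text in the "[ n] Name : free/total addr" shape of that command's output and reports the pools whose free share is below a threshold, which is the "first number close to 0" check done by eye in the note. The sample output is constructed and its pool names and counts are illustrative; real output lists more pools and differs by model.

```python
"""Flag dataplane buffer pools that are close to exhaustion."""
import re

# Constructed sample modelled on the "[ n] Name : free/total addr" layout
# of `debug dataplane pool statistics`; not real device output.
SAMPLE_POOL_STATS = """\
Hardware Pools
[ 0] Packet Buffers            :    57344/57344  0x8000000030c00000
[ 1] Work Queue Entries        :   229376/229376 0x8000000037c00000
[ 2] Output Buffers            :       64/1024   0x800000004a400000
Software Pools
[ 0] Shared Pool 24            :   838850/838850 0x8000000050000000
[ 1] Shared Pool 32            :      120/524288 0x8000000062000000
[ 2] Shared Pool 40            :   838861/838861 0x8000000071000000
"""

# "[ 2] Output Buffers : 64/1024 ..." -> name, free, total
POOL_RE = re.compile(r"^\[\s*\d+\]\s+(?P<name>.+?)\s*:\s*(?P<free>\d+)/(?P<total>\d+)")


def parse_pool_stats(text):
    """Return [(section, name, free, total)] for every pool line in order."""
    pools = []
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        match = POOL_RE.match(line)
        if match:
            pools.append((section, match["name"],
                          int(match["free"]), int(match["total"])))
        elif line.endswith("Pools"):
            section = line  # "Hardware Pools" / "Software Pools" headers
    return pools


def exhausted_pools(text, min_free_ratio=0.10):
    """Pools whose free/total share is below the threshold, worst first."""
    hits = []
    for section, name, free, total in parse_pool_stats(text):
        if total == 0:
            continue  # defensive: never divide by zero on odd output
        ratio = free / total
        if ratio < min_free_ratio:
            hits.append({"section": section, "pool": name, "free": free,
                         "total": total, "free_pct": round(ratio * 100, 1)})
    return sorted(hits, key=lambda h: h["free_pct"])


if __name__ == "__main__":
    for hit in exhausted_pools(SAMPLE_POOL_STATS):
        print(f"{hit['section']}: {hit['pool']} {hit['free']}/{hit['total']} "
              f"({hit['free_pct']}% free)")
```

Paste the real command output into the function, or feed it from a scheduled collector; a pool sitting near zero free entries under load is the condition the note tells you to look for, and sustained packet-buffer exhaustion on the receive side is a typical symptom of a flood.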


to find a particular session nnnnn

show session all | match ip-addr

to see details of that particular session

show session id nnnnn

to see route table

show routing route

to see CPU stats

show running resource-monitor                # dataplane CPU and packet-buffer utilisation
show system resources                        # management plane (top-style output)


tftp export configuration from running-config.xml to ip-addr    # save the running-config to the tftp server at ip-addr
tftp export stats-dump to ip-addr                                # save the data for the AVR (Application Visibility and Risk) report to the tftp server at ip-addr


captures in CLI:

Setup (set the filter before turning the capture on; on platforms that offload sessions to hardware, disable offload for the test with "set session offload no" and re-enable it afterwards):

debug dataplane packet-diag set filter on
debug dataplane packet-diag set filter match source src_ip destination dest_ip
debug dataplane packet-diag set capture stage receive file mypcapfile.pcap    # stages: receive, transmit, firewall, drop
debug dataplane packet-diag set capture on

Generate traffic and then:

debug dataplane packet-diag set capture off
view-pcap filter-pcap mypcapfile.pcap
tftp export filter-pcap from mypcapfile.pcap to 10.10.10.10


Clean up:

debug dataplane packet-diag set capture off
debug dataplane packet-diag set filter off
debug dataplane packet-diag clear filter all
debug dataplane packet-diag clear capture stage receive
delete debug-filter file mypcapfile.pcap


Check settings:

debug dataplane packet-diag show setting


Check Users in AD groups

show user group list | match trax-information
show user group name "cn=netperm-trax-information-services,ou=network permissions,ou=groups,ou=resources,dc=corporate,dc=local"

First match the group name in AD with the list command, then pass the full DN to the group name command, which lists all the users in the group.

USEFUL FILTER EXPRESSION

MONITOR

( user.src eq 'corporate\wabidoye' )
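The Monitor filter expressions on this page (the ( addr.src in ... ) and ( app eq ... ) examples in the Panorama monitor section, and the user.src filter above) can be replayed offline against an exported log. The following evaluator is an added example, not part of the original page and not a Palo Alto tool: it implements the subset of the filter language used here (eq, neq, in with an address or CIDR, and/or with parentheses, and binding tighter than or) and runs it over constructed CSV rows. The column names addr.src, addr.dst, user.src, app, action and severity are an assumption chosen to match the filter field names; a real export has many more columns.

```python
"""Evaluate PAN-OS Monitor-style log filters over exported log rows."""
import csv
import io
import ipaddress
import re

# Constructed sample export (not real traffic): four traffic-log rows.
SAMPLE_CSV = """\
receive_time,addr.src,addr.dst,user.src,app,action,severity
2023/03/24 10:01:02,192.168.67.130,8.8.8.8,corporate\\wabidoye,dns,allow,informational
2023/03/24 10:01:05,192.168.67.130,13.107.4.50,corporate\\wabidoye,ms-update,deny,informational
2023/03/24 10:01:09,192.168.67.131,13.107.4.50,corporate\\gphillip,ms-update,allow,informational
2023/03/24 10:02:00,10.30.162.81,10.35.56.40,corporate\\gphillip,ssl,drop,critical
"""

# Tokens: parentheses, single-quoted strings, or bare words.
TOKEN_RE = re.compile(r"\(|\)|'[^']*'|[^\s()']+")


def tokenize(expr):
    return [t[1:-1] if t.startswith("'") else t for t in TOKEN_RE.findall(expr)]


class _Parser:
    """Recursive-descent parser producing a small tuple-based AST."""

    def __init__(self, tokens):
        self.toks = tokens
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse_or(self):                      # or_expr := and_expr ('or' and_expr)*
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):                     # and_expr := primary ('and' primary)*
        node = self.parse_primary()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_primary())
        return node

    def parse_primary(self):                 # primary := '(' or_expr ')' | field op value
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        field, op, value = self.take(), self.take(), self.take()
        if op not in ("eq", "neq", "in") or value is None:
            raise ValueError(f"bad term near {field!r}")
        return ("term", field, op, value)


def _eval(node, row):
    kind = node[0]
    if kind == "and":
        return _eval(node[1], row) and _eval(node[2], row)
    if kind == "or":
        return _eval(node[1], row) or _eval(node[2], row)
    _, field, op, value = node
    actual = row.get(field, "")
    if op == "eq":
        return actual == value
    if op == "neq":
        return actual != value
    # "in": address or subnet membership, as used with addr.src / addr.dst
    try:
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False  # non-address field or malformed value never matches


def compile_filter(expr):
    """Return a predicate row -> bool for a Monitor filter expression."""
    parser = _Parser(tokenize(expr))
    tree = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return lambda row: _eval(tree, row)


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def filter_rows(rows, expr):
    pred = compile_filter(expr)
    return [row for row in rows if pred(row)]
```

The parser keeps the grammar explicit instead of rewriting the filter into a Python expression and calling eval on it, which is the wrong tool for text that may come from an analyst's clipboard. Note that in the real Monitor UI the negation operator is neq (not "neg"), and "in" on addr.* fields accepts a subnet, so ( addr.src in 192.168.67.0/24 ) matches the whole range.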


To verify POLICY (from the gateways; protocol 6 = TCP, 17 = UDP):

test security-policy-match protocol 6 from OUTSIDE to INSIDE source 207.82.215.170 destination 204.128.53.8 destination-port 5046
test security-policy-match protocol 6 from OUTSIDE to INSIDE source 10.30.162.81 destination 10.35.56.40 destination-port 443 source-user corporate\gphillip
> show user user-ids match-user atelesford    # check the user-ID the firewall knows for a user before testing with source-user

URL filtering (Panorama configure mode; the shared URL-filtering profile lives at this level):

Panorama# edit shared profiles url-filtering Profile-URL-Filtering
[edit shared profiles url-filtering Profile-URL-Filtering]

PALO ALTO NETWORKING:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking.html
To quickly check what role the firewall has in the network (running any routing protocol or just static routes) do this:

> show routing summary

Or via the UI on the FW (not Panorama): Network tab > Virtual Routers > click the hyperlink under the Name column


USE CASES:
NAT between two zones, knowing the source zone, the source NAT, the destination zone and the source-NATed IPs:

  • Determine the zone in which the un-NATed source IP/interface sits.
    • Local FW cli: show routing route
  • Policies > NAT > Pre Rules:
    • from/to zones; source-translation static-ip translated-address <object>, bi-directional yes
  • Then, if we also want to allow inbound traffic through that NATed IP:
    • Policies > Security > Pre Rules
      • inside and outside ranges and zones, with the destination set to the NATed (public) IP defined above; the destination zone is the post-NAT zone, because security policy is evaluated with the pre-NAT address but the post-NAT zone
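The same use case in Panorama "set" syntax, as an added example (not from the original page; the device group DG-DMZ, the zones, the address objects, the rule names and the addresses are all assumptions). The NAT pre-rule does static bi-directional source NAT for the inside host, which also gives the inbound public-to-inside destination translation; the security pre-rule then allows inbound HTTPS with the public (pre-NAT) address as destination and the post-NAT zone INSIDE as the destination zone, which is how PAN-OS evaluates security policy for NATed traffic.

```text
# Address objects, shared so that both NAT and security rules can reference them
set shared address srv-web-inside ip-netmask 10.35.56.40/32
set shared address srv-web-public ip-netmask 204.128.53.8/32

# NAT pre-rule in device group DG-DMZ: static, bi-directional source NAT.
# "to OUTSIDE" is the zone the route to the original destination points at.
set device-group DG-DMZ pre-rulebase nat rules nat-srv-web from INSIDE to OUTSIDE source srv-web-inside destination any service any source-translation static-ip translated-address srv-web-public bi-directional yes

# Security pre-rule for inbound HTTPS to the server: destination is the
# public (pre-NAT) address, destination zone is the post-NAT zone INSIDE.
set device-group DG-DMZ pre-rulebase security rules allow-in-srv-web from OUTSIDE to INSIDE source any destination srv-web-public application ssl service application-default action allow log-end yes
```

After entering this on Panorama, commit to Panorama first and then push to DG-DMZ, then confirm the match from the gateway with "test security-policy-match protocol 6 from OUTSIDE to INSIDE source <client> destination 204.128.53.8 destination-port 443", using the public address as the destination.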
network_stuff/palo_alto.1679688032.txt.gz · Last modified: (external edit)