
Palo Alto Troubleshooting 2

 Troubleshooting
System
Uptime, Serial Number, Software Version, Management IP:
>show system info
>show jobs all
Top
>show system resource follow
If you don't fully remember the command syntax:
> find command keyword restart
> show system statistics application 
> show system statistics session 
>show counter global
>show counter interface
> netstat listening yes numeric-ports yes
Network
>show arp ethernet1/1
>show mac all
> show routing summary
> show routing route
> show routing route type static
Test routing:
> test routing fib-lookup virtual-router VR-1 ip 8.8.8.8 
> show session all
>show session id 607
> show session all
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
565          ssl            ACTIVE  FLOW  NS   172.18.2.200[1119]/trust/6  (192.168.0.83[53150])
vsys1                                          62.253.72.178[443]/untrust  (62.253.72.178[443])

> traceroute source 192.168.0.83 host www.google.com
>ping host 8.8.8.8
If source is not provided, the firewall will use its management interface by default.
> ping source 192.168.150.199 host 192.168.150.1
Debug routing protocol
> debug routing pcap ospf


Session


Sessions can be filtered by different criteria:
> show session all filter source 172.18.2.200 destination-port 53
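The two-line layout of `show session all` (one line for the source side, one for the destination side, as in the output above) is awkward to grep, so here is an added example, not from the original post, of a small Python parser for that layout. It turns each pair of lines into a record, exposes whether the source or destination was translated (the columns in parentheses), and reproduces the `filter source ... destination-port ...` query just above. The sample rows are constructed, and the handling of an empty flag column is my assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the two-line layout of `show session all` (made up for this
# example, not captured from the blog's firewall).
SAMPLE_OUTPUT = """\
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
565          ssl            ACTIVE  FLOW  NS   172.18.2.200[1119]/trust/6  (192.168.0.83[53150])
vsys1                                          62.253.72.178[443]/untrust  (62.253.72.178[443])
566          dns            ACTIVE  FLOW  NS   172.18.2.201[40123]/trust/17  (192.168.0.83[40123])
vsys1                                          8.8.8.8[53]/untrust  (8.8.8.8[53])
"""

@dataclass
class Session:
    session_id: int
    application: str
    state: str
    sess_type: str
    flags: str
    src_ip: str
    src_port: int
    src_zone: str
    proto: int
    src_nat_ip: str
    src_nat_port: int
    vsys: str
    dst_ip: str
    dst_port: int
    dst_zone: str
    dst_nat_ip: str
    dst_nat_port: int

    def source_translated(self) -> bool:
        # Source NAT applied if the translated source differs from the original.
        return (self.src_ip, self.src_port) != (self.src_nat_ip, self.src_nat_port)

    def destination_translated(self) -> bool:
        # Destination NAT applied if the translated destination differs.
        return (self.dst_ip, self.dst_port) != (self.dst_nat_ip, self.dst_nat_port)

# First line: ID, app, state, type, optional flag column (assumed optional), source side.
FIRST_LINE = re.compile(
    r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<type>\S+)\s+"
    r"(?:(?P<flag>\S+)\s+)?"
    r"(?P<sip>[\d.]+)\[(?P<sport>\d+)\]/(?P<szone>[^/\s]+)/(?P<proto>\d+)\s+"
    r"\((?P<nsip>[\d.]+)\[(?P<nsport>\d+)\]\)\s*$"
)
# Second line: vsys, then destination side.
SECOND_LINE = re.compile(
    r"^(?P<vsys>\S+)\s+(?P<dip>[\d.]+)\[(?P<dport>\d+)\]/(?P<dzone>\S+)\s+"
    r"\((?P<ndip>[\d.]+)\[(?P<ndport>\d+)\]\)\s*$"
)

def parse_sessions(text: str) -> List[Session]:
    """Pair up the two lines per session; header and separator lines are skipped."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("---")]
    sessions: List[Session] = []
    i = 0
    while i < len(lines):
        m1 = FIRST_LINE.match(lines[i])
        if not m1:                       # column headers ("ID ...", "Vsys ...")
            i += 1
            continue
        if i + 1 >= len(lines) or not (m2 := SECOND_LINE.match(lines[i + 1])):
            raise ValueError(f"session {m1['id']}: missing or unparseable second line")
        sessions.append(Session(
            int(m1["id"]), m1["app"], m1["state"], m1["type"], m1["flag"] or "",
            m1["sip"], int(m1["sport"]), m1["szone"], int(m1["proto"]),
            m1["nsip"], int(m1["nsport"]),
            m2["vsys"], m2["dip"], int(m2["dport"]), m2["dzone"],
            m2["ndip"], int(m2["ndport"]),
        ))
        i += 2
    return sessions

def filter_sessions(sessions: List[Session], source: Optional[str] = None,
                    destination_port: Optional[int] = None) -> List[Session]:
    """Mirrors `show session all filter source X destination-port Y`."""
    return [s for s in sessions
            if (source is None or s.src_ip == source)
            and (destination_port is None or s.dst_port == destination_port)]

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        print(s.session_id, s.application, "SNAT" if s.source_translated() else "no-SNAT",
              "DNAT" if s.destination_translated() else "no-DNAT")
```

The parser raises on a first line without its matching second line rather than silently skipping it, which is the failure you want when piping a long session dump through a script.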



For detailed information, check a session ID from the output above:

> show session id 507

Make sure traffic logging is enabled in the security policy:
>show log traffic
Or filter on multiple fields
> show log traffic from equal 172.18.2.200 dport not-equal 53


NAT
Note: a destination NAT rule will have the same source and destination zone (e.g. Untrust-Untrust), because the zones in a NAT rule are the pre-NAT zones.
NAT is done after the policy lookup. The trick is that the NAT rule is evaluated before the security policy but applied after it; note the initial packet processing stage in the flow diagram.
Test Commands
>test routing fib-lookup virtual-router default ip
>test vpn ipsec-sa tunnel

Test for policy matching the expression:
>test security-policy-match ?
>test security-policy-match from trans-internet to pa-trust-server source 192.168.86.5 destination 192.168.120.2 protocol 6 application ssl destination-port 443
Note: protocol numbers: 1 = ICMP, 6 = TCP, 17 = UDP, 47 = GRE, 50 = ESP
Test a configured NAT rule:
> test nat-policy-match destination 192.168.0.100 source 8.8.8.9 protocol 6 destination-port 80
Destination-NAT: Rule matched: DMZ-server-test
192.168.0.100:80 => 172.19.1.100:845
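The order described in the NAT note (NAT rule evaluated before the security policy, translation applied after it) is what trips people up when a `test security-policy-match` and a `test nat-policy-match` both look right but traffic is still dropped. The following is an added example, not from the original post, that models that order in Python on a constructed lab topology: the security policy is matched on the pre-NAT addresses but the post-NAT destination zone, which is why a rule written with the internal (translated) address never matches. The zone table, the rule base and the simplified matching logic are my assumptions; the rule name and addresses reuse the values from the test output above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed lab topology (an assumption for this example, not the blog's network).
# Longest matching prefix decides the zone; anything unmatched is "untrust".
ZONE_ROUTES = {
    ip_network("172.18.0.0/16"): "trust",
    ip_network("172.19.1.0/24"): "dmz",
    ip_network("192.168.0.0/24"): "untrust",   # the firewall's outside network
}

def zone_for(ip: str) -> str:
    addr = ip_address(ip)
    matches = [(net.prefixlen, zone) for net, zone in ZONE_ROUTES.items() if addr in net]
    return max(matches)[1] if matches else "untrust"

def in_scope(value: str, ip: str) -> bool:
    """Rule field 'any' or a CIDR/host string, checked against a concrete address."""
    return value == "any" or ip_address(ip) in ip_network(value, strict=False)

@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str            # pre-NAT destination zone, hence Untrust-Untrust for DNAT
    original_dst: str
    original_port: int
    translated_dst: str
    translated_port: int

@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str            # post-NAT destination zone
    source: str             # 'any' or CIDR, pre-NAT address
    destination: str        # 'any' or CIDR, pre-NAT address
    dst_port: Optional[int]
    action: str             # 'allow' or 'deny'

@dataclass
class Verdict:
    nat_rule: Optional[str]
    security_rule: Optional[str]
    action: str
    post_nat_zone: str
    final_dst: str
    final_port: int

def evaluate(nat_rules: List[NatRule], sec_rules: List[SecurityRule],
             src_ip: str, dst_ip: str, dst_port: int) -> Verdict:
    src_zone, pre_zone = zone_for(src_ip), zone_for(dst_ip)
    # Step 1: the NAT policy is evaluated first, on pre-NAT zones and addresses.
    nat = next((r for r in nat_rules
                if r.from_zone == src_zone and r.to_zone == pre_zone
                and r.original_dst == dst_ip and r.original_port == dst_port), None)
    final_dst, final_port = (nat.translated_dst, nat.translated_port) if nat else (dst_ip, dst_port)
    # Step 2: the security policy sees the post-NAT destination zone but the
    # pre-NAT addresses and ports (simplified model of PAN-OS behaviour).
    post_zone = zone_for(final_dst)
    sec = next((r for r in sec_rules
                if r.from_zone == src_zone and r.to_zone == post_zone
                and in_scope(r.source, src_ip) and in_scope(r.destination, dst_ip)
                and (r.dst_port is None or r.dst_port == dst_port)), None)
    action = sec.action if sec else "deny"     # implicit interzone deny at the end
    # Step 3: the translation is only applied once the policy allows the packet.
    if action != "allow":
        final_dst, final_port = dst_ip, dst_port
    return Verdict(nat.name if nat else None, sec.name if sec else None,
                   action, post_zone, final_dst, final_port)

# Constructed rule base reusing the values from the blog's test output.
NAT_RULES = [NatRule("DMZ-server-test", "untrust", "untrust",
                     "192.168.0.100", 80, "172.19.1.100", 845)]
# Correct: pre-NAT destination address, post-NAT destination zone.
SEC_RULES_OK = [SecurityRule("Allow-web-to-DMZ", "untrust", "dmz",
                             "any", "192.168.0.100/32", 80, "allow")]
# Common mistake: the same rule written with the post-NAT (internal) address.
SEC_RULES_WRONG = [SecurityRule("Allow-web-to-DMZ", "untrust", "dmz",
                                "any", "172.19.1.100/32", 80, "allow")]

if __name__ == "__main__":
    for rules in (SEC_RULES_OK, SEC_RULES_WRONG):
        print(evaluate(NAT_RULES, rules, "8.8.8.9", "192.168.0.100", 80))
```

Running the two rule bases side by side shows the same NAT rule matching in both cases while only the first security rule allows the flow, which is exactly the situation where `test nat-policy-match` passes and `test security-policy-match` needs to be run with the original destination address, not the translated one.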
Syslog
> less mp-log reboot.log

> tail follow yes mp-log dnsproxyd.log 



Difference between Save and Commit
There is a big difference between changes saved to the configuration file and changes committed to it.
Palo Alto Networks allows the Admin to make changes and save them for future use. However, if the Admin commits the changes to the configuration file, the changes overwrite the running configuration and become immediately active.
Save/load candidate config
This can be used when making changes but saving them for a later commit:
# save config
# load config last-save
From GUI:
Device->Setup->Operations->Config Management->Save Candidate Config (= Save button at top left corner)
Device->Setup->Operations->Config Management->Revert to last saved configuration
Save a config state (e.g. backup before major change):
# save config to PA1-config-20160427-1
From GUI: Device->Setup->Operations->Config Management->Save Named Configuration Snapshot: select a file name
File can be then downloaded to local PC:
Device->Setup->Operations->Config Management->Export Named Configuration Snapshot
To roll back to previously saved file:
# load config from PA1-config-20160427-1
Device->Setup->Operations->Config Management->Load Named Configuration Snapshot
Compare config versions:
# run show config audit info
To compare running and candidate configuration
# run show config diff 
# run diff config num-context-lines 10
Discard uncommitted changes:
# load config from running-config.xml 
From GUI: Device->Setup->Operations->Config Management->Revert to running configuration
To display cli config as "set"
> set cli config-output-format set
> set cli config-output-format default 
Locks
Config lock - blocks other administrators from making changes until the lock is released
Commit lock - administrators can make changes to the candidate config, but cannot commit them until all locks have been released
> request config-lock add comment "changes"
> request commit-lock add 
> show config-locks
>show commit-locks 
> request config-lock remove 


