Monday, June 12, 2023

Palo Alto Power Cycle or power outage cause HA down

After done power cycle or power outage for PA 5220 (Active / Active or Active / Passive), once it boot up but the data plane failed

with error dataplane down : path monitor failure or Policy push to dataplane failed


Just physical power cycle it 2 ~ 3 times  

herewith  KB

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCcXCAW 







Posted by at No comments:

Tuesday, April 4, 2023

Palo Alto Failed to find begining of certificate. Make sure certificate starts with BEGIN CERTIFICATE tag.

Don't hesitate just use another browser, problem resolved

Environment
1. PANOS 10.2
2. Panorama
3. Firefox
4. Trying to upload certificate
5. Panicking when migration
6.Engineer ego suspect bug issue

Is a sad TAC case and wasted my company case token is due to silly browser issue.

Yes, you cant find any solution on public KB about this error, according to TAC is from their internal KB. 

And, I tried to reproduce next day but miracle happen it success upload.





So conclude, just switch to another browser or using ultimate weapon RESTART YOUR PC.

Update 05 April 2023

TAC feedback






Posted by at 1 comment:

Wednesday, June 6, 2018

Palo Alto PPPoE with vlan tag, it's stupid setup but it's working !!

Palo Alto is not allow L3 subinterface with PPPoE, but certain ISP require to perform PPPoE with VLAN tagging


at 2018, update from reaper


So I come out this setup. Yes, it is stupid but it work !



Basically, ethernet1/3 setup as Layer 3 with PPPoE

Select interface as Layer 3, virtual router and security zone

Go to IPV4 tab, check PPPoE then configure as request


ethernet 1/4
Create VLAN profile , security zone I left it blank and interface type as L2


Ethernet 1/5, edit select ethernet1/5 at bottom create sub-interface


subinterface configure as TAG (VLAN ID), as Malaysia ISP unifi is using VLAN ID 500, at VLAN must select the previous create VLAN profile at ethernet1/4



p/s by missing VLAN profile at ethernet1/4 and ethernet1/5.500 the packet unable unable reach to modem (laptop as my testing environment)


Tadahhh..................................................

My laptop receive PPPoE discovery broadcast packet with VLAN ID 500 tagged

Although is stupid setup but it work, LOL


alternative setup if with extra switch with VLAN feature


Summary, well Palo Alto is very common implementation via L3 sub-interface PPPoE, okay !
Posted by at 6 comments:

Monday, March 5, 2018

Note for myself (ignore it)

ISE disable AD encryption for query tshoot

TROUBLESHOOTING.EncryptionOffPeriod
30
test



ProxySG

Enable full coredump
https://support.symantec.com/en_US/article.TECH244735.html

Force Coredump
https://support.symantec.com/en_US/article.TECH241718.html

SSLVPN - timestamp formula

(((A1/60)/60)/24)+DATE(1970,1,1), 

Posted by at No comments:
Labels:

Friday, May 12, 2017

Note - Fortianlyzer generate top sent byte

This topic is for my own reference/note only

Dataset to generate report which top user

select srcip, dstip, dstport, action, service, sum(sentbyte/1048576) as sent_MBps,sum(rcvdbyte/1048576) as receive_MBps, count(*) as sessions from $log where logid_to_int(logid) not in (4, 7, 14) GROUP BY srcip, dstip, dstport, action, service ORDER BY sent_MBps DESC

Posted by at 24 comments:

Monday, May 1, 2017

Note - Forti Analyzer Report

This topic is for my own reference/note only

Dataset to generate report which hit policy id xxxx

select srcip, dstip, dstport, policyid, action, service, count(*) as sessions from $log where policyid = xxxx GROUP BY srcip, dstip, dstport,policyid, action, service


Posted by at No comments:
Labels:

Thursday, January 26, 2017

Fortianalyzer with gmail setup

If you tried to setup Fortianalyzer sending alert via gmail but kept fail

p/s  if you tried setup with 3th party apps for send notification via gmail, this guide might suit too.


Current my analyzer running 5.2.5

Herewith the steps

1. Setup on Fortianalyzer mail server setup



for information about gmail setting
https://support.google.com/a/answer/176600?hl=en


2. SSH to Fortianalyzer , configure the secure option, this command make sure using starttls.

Example

config system mail
    edit "Gmail"
        set secure-option starttls
   next
end

below is the wireshark capture  using starttls, as the red arrow indicate the SSL handshake start


3. Login into your gmail account

4. Access the url https://www.google.com/settings/security/lesssecureapps , turn it on



You can skip steps 5 and 6 if you 1st time setup gmail smtp server, else continue

5. Access the url https://accounts.google.com/DisplayUnlockCaptcha, click continue


6. You will come to this page below



6. Let test the email setup, right click the email setup and key in the recipient email


7. You should successfully send the email

Posted by at 6 comments:
Labels: , ,
Subscribe to: Posts (Atom)