Editing PAN-OS


Latest revision Your text
Line 1: Line 1:
[[wikipedia:PAN-OS]] is software running on [[Firewall/Palo Alto PA-Series|Palo Alto firewalls]].<ref>https://docs.paloaltonetworks.com/pan-os</ref>.
+
PAN-OS is software running on [[Firewall/Palo Alto PA-Series|Palo Alto firewalls]].<ref>https://docs.paloaltonetworks.com/pan-os</ref> providing [[Firewall]] capabilities, [[QoS]], [[URL Filtering]], [[packet inspection]] and [[threat prevention]] (WildFire).
  
 
+
* Threat prevention ([[WildFire]]). Features: https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/wildfire-features-in-panos-90.html
== Features ==
+
* PAN-OS daemons: [[RASMGR]], [[SSLMGR]], [[SATD]], [[IDE]], [[Route]] and [[IKE]]
* [[Firewall]] capabilities: [[Flood protection]]
 
* [[QoS]]
 
* [[URL Filtering]] (License based)
 
* [[File blocking]]
 
* [[GlobalProtect]] Gateway ([[VPN]]) (License based)
 
* [[packet inspection]]
 
* [[Threat prevention]] ([[WildFire]]) (License based), features: https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/wildfire-features-in-panos-90.html
 
 
* PAN-OS authentication methods: [[Kerberos]], [[RADIUS]], [[LDAP]], [[SAML]] 2.0, client certificates, biometric sign-in, and a local user database
 
* PAN-OS authentication methods: [[Kerberos]], [[RADIUS]], [[LDAP]], [[SAML]] 2.0, client certificates, biometric sign-in, and a local user database
* PAN-OS daemons: [[RASMGR]], [[SSLMGR]], [[SATD]], [[IDE]], [[Route]] and [[IKE]]
 
 
  
 
== PAN-OS CLI ==
 
== PAN-OS CLI ==
 
* <code>configure</code>
 
* <code>configure</code>
 
* <code>commit</code>
 
* <code>commit</code>
* <code>find command</code>
 
 
* <code>show</code>
 
* <code>show</code>
* <code>[[show session all]]</code>
+
* <code>show system info</code>
* <code>[[show session info]]</code>
+
* <code>show system state</code>
* <code>[[show system info]]</code> (Includes <code>sw-version</code> output and [[serial]])
 
* <code>[[show system state]]</code>
 
* <code>[[show system resources]]</code>
 
 
* <code>show system disk-space files</code>
 
* <code>show system disk-space files</code>
 
* <code>less mp-log authd.log</code>
 
* <code>less mp-log authd.log</code>
 
* <code>[[show routing route]]</code>
 
* <code>[[show routing route]]</code>
* <code>[[show running]] [[nat]]-policy</code> (See also: https://en.wikiversity.org/wiki/Cisco_Networking/CCENT/Network_Services#NAT_Configuration)
+
* <code>show running [[nat]]-policy</code> (See also: https://en.wikiversity.org/wiki/Cisco_Networking/CCENT/Network_Services#NAT_Configuration)
* <code>[[show running security-policy]]</code>
+
* <code>show running security-policy</code>
* <code>[[show counter]] global filter delta yes packet-filter yes</code>
 
 
* <code>show jobs id x</code>
 
* <code>show jobs id x</code>
 
* <code>edit rulebase security</code>
 
* <code>edit rulebase security</code>
 
* <code>edit rulebase nat</code>
 
* <code>edit rulebase nat</code>
  
 
+
[[VPN]]
===[[VPN]]===
 
 
{{show vpn TOC}}
 
{{show vpn TOC}}
  
 
[[PVST+]] commands
 
[[PVST+]] commands
  
===Troubleshooting===
+
Troubleshooting
 
*<code>[[ping]] host <destination-ip-address></code>
 
*<code>[[ping]] host <destination-ip-address></code>
 
*<code>ping source <ip-address-on-dataplane> host <destination-ip-address></code>
 
*<code>ping source <ip-address-on-dataplane> host <destination-ip-address></code>
 
*<code>show [[netstat]] statistics yes</code>
 
*<code>show [[netstat]] statistics yes</code>
*<code>test authentication authentication-profile <AUTHENTICATION-PROFILE-NAME> username <USERNAME> password</code>
 
  
===[[Panorama]]===
+
[[Panorama]]
 
*<code>show log-collector preference-list</code>
 
*<code>show log-collector preference-list</code>
 
*<code>show logging-status device <firewall-serial-number></code>
 
*<code>show logging-status device <firewall-serial-number></code>
  
===Logs===
+
Logs
 
* <code>[[show log config]]</code>
 
* <code>[[show log config]]</code>
** <code>[[show log config cmd equal commit]]</code>
 
** <code>[[show log config csv-output equal yes]]</code>
 
 
* <code>[[show log system]]</code>
 
* <code>[[show log system]]</code>
  
===[[Wildfire]]===
+
[[Wildfire]]
 
* <code>[[show wildfire]] wf-vm-pe-utilization</code>
 
* <code>[[show wildfire]] wf-vm-pe-utilization</code>
 
* <code>show wildfire wf-vm-doc-utilization</code>
 
* <code>show wildfire wf-vm-doc-utilization</code>
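Review bot: the new `* Threat prevention ([[WildFire]]). Features: ...` bullet is placed above the `== Features ==` heading, so it renders as part of the lead rather than inside Features, where a `* [[Threat prevention]] ([[WildFire]]) (License based), features: ...` bullet with the same link already exists; drop the extra copy or move it below the heading. In the rewritten intro, the period before `<ref>https://docs.paloaltonetworks.com/pan-os</ref>` ends the sentence but the text then continues with "providing ...", so either remove that period or start a new sentence after the ref. The `show running [[nat]]-policy` and `show running security-policy` entries also drop the `[[show running]]` and `[[show running security-policy]]` wikilinks that the earlier revision had; keep them if those wiki pages exist.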
Line 75: Line 57:
 
* <code>delete rulebase nat rules YOUR_RULE_NAME</code>
 
* <code>delete rulebase nat rules YOUR_RULE_NAME</code>
  
=== [[GlobalProtect]] ===
+
==Manage Configuration Backups==
{{GlobalProtect commands}}
+
The candidate configuration is a copy of the running configuration plus any inactive changes that you made after the
 +
last commit. Backing up versions of the running or candidate configuration enables you to later restore
 +
those versions on the firewall.
 +
 
 +
===Back Up a Configuration===
 +
Creating configuration backups enables you to later Restore a Configuration. This is useful when you want
 +
to revert the firewall to all the settings of an earlier configuration because you can perform the restoration
 +
as a single operation instead of manually reconfiguring each setting in the current configuration.
 +
 
 +
Note: When you edit a setting and click OK, the firewall updates the candidate configuration but
 +
does not save a backup snapshot.
 +
 
 +
'''<u>STEP 1</u>'''
 +
 
 +
Save a local backup snapshot of the candidate configuration if it contains changes that you
 +
want to preserve in the event the firewall reboots.
 +
These are changes you are not ready to commit—for example, changes you cannot finish in the current
 +
login session.
 +
 
 +
Perform one of the following tasks based on whether you want to overwrite the default snapshot
 +
(.snapshot.xml) or create a snapshot with a custom name:
  
 +
1. Overwrite the default snapshot—Click '''Save''' at the top of the web interface.
  
=== [[License]] ===
+
2. Create a custom-named snapshot:
* <code>[[request license info]]</code>
+
*Select '''Device > Setup > Operations''' and Save named configuration snapshot.
 +
*Enter a Name for the snapshot or select an existing snapshot to overwrite.
 +
*Click '''OK''' and '''Close'''.
  
=== Others ===
+
'''<u>STEP 2</u>'''
* <code>[[set]] cli [[pager]] off</code>
+
 
 +
Export a candidate configuration, a running configuration, or the firewall state information to a
 +
host external to the firewall.
 +
 
 +
Select '''Device > Setup > Operations''' and click an export option:
 +
 
 +
'''Export named configuration snapshot''' —Export the current running configuration, a named candidate
 +
configuration snapshot, or a previously imported configuration (candidate or running). The firewall
 +
exports the configuration as an XML file with the Name you specify.
 +
 
 +
'''Export configuration version''' —Select a Version of the running configuration to export as an XML file.
 +
The firewall creates a version whenever you commit configuration changes.
 +
 
 +
'''Export device state''' —Export the firewall state information as a bundle. Besides the running
 +
configuration, the state information includes device group and template settings pushed from
 +
Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate
 +
information, a list of satellites, and satellite authentication information. If you replace a firewall or
 +
portal, you can restore the exported information on the replacement by importing the state bundle.
 +
 
 +
===Restore a Configuration===
 +
This is useful when you want to revert all firewall settings used in an earlier configuration;
 +
you can perform this restoration as a single operation instead of manually reconfiguring each setting in the
 +
current configuration.
 +
 
 +
The firewall automatically saves a new version of the running configuration whenever you commit changes
 +
and you can restore any of those versions. However, you must manually save a candidate configuration to
 +
later restore it.
 +
 
 +
1. Restore the current running configuration.
 +
This operation undoes all the changes you made to the candidate configuration since the last commit.
 +
* Select '''Device > Setup > Operations''' and Revert to running configuration.
 +
* Click '''Yes''' to confirm the operation.
 +
 
 +
2. Restore the default snapshot of the candidate configuration.
 +
This is the snapshot that you create or overwrite when you click '''Save''' at the top right of the web
 +
interface.
 +
*Select '''Device > Setup > Operations''' and Revert to last saved configuration.
 +
*Click '''Yes''' to confirm the operation.
 +
*(Optional) Click Commit to overwrite the running configuration with the snapshot.
 +
 
 +
3. Restore a previous version of the running configuration that is stored on the firewall.
 +
The firewall creates a version whenever you commit configuration changes.
 +
 
 +
*Select ''''Device > Setup > Operations'''' and Load configuration version.
 +
*Select a configuration Version and click '''OK.'''
 +
*(Optional) Click Commit to overwrite the running configuration with the version you just restored.
 +
 
 +
4. Restore one of the following:
 +
5. Current running configuration (named running-config.xml)
 +
6. Custom-named version of the running configuration that you previously imported
 +
7. Custom-named candidate configuration snapshot (instead of the default snapshot)
 +
*'''Select Device > Setup > Operations''' and click Load named configuration snapshot.
 +
*Select the snapshot '''Name''' and click '''OK.'''
 +
*(Optional) Click Commit to overwrite the running configuration with the snapshot.
 +
 
 +
8. Restore a running or candidate configuration that you previously exported to an external host.
 +
*Select '''Device > Setup > Operations''', click Import named configuration snapshot, Browse to the configuration file on the external host, and click OK.
 +
*Click '''Load named configuration snapshot,''' select the Name of the configuration file you just imported, and click '''OK.'''
 +
*(Optional) Click Commit to overwrite the running configuration with the snapshot you just imported.
 +
 
 +
9. Restore state information that you exported from a firewall.
 +
Besides the running configuration, the state information includes device group and template settings
 +
pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate
 +
information, a list of satellites, and satellite authentication information. If you replace a firewall or portal,
 +
you can restore the information on the replacement by importing the state bundle.
 +
Import state information:
 +
*Select '''Device > Setup > Operations,''' click '''Import device state,''' Browse to the state bundle, and click '''OK.'''
 +
*(Optional) Click Commit to apply the imported state information to the running configuration.
  
 
== Activities ==
 
== Activities ==
 
=== Basic ===
 
=== Basic ===
 
* Review additional PAN-OS examples: https://www.thegeekstuff.com/2019/06/paloalto-cli-security-nat-policy/
 
* Review additional PAN-OS examples: https://www.thegeekstuff.com/2019/06/paloalto-cli-security-nat-policy/
* Create a [[backup]] of your configuration: https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/9-1/pan-os-admin/firewall-administration/manage-configuration-backups.html
+
* Create a backup of your configuration: https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/9-0/pan-os-admin/firewall-administration/manage-configuration-backups.html
 
* Read PAN-OS 9.0 Administration guide:
 
* Read PAN-OS 9.0 Administration guide:
 
** https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/9-0/pan-os-admin/pan-os-admin.pdf
 
** https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/9-0/pan-os-admin/pan-os-admin.pdf
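Review bot: the numbered list under ===Restore a Configuration=== breaks at step 4: `4. Restore one of the following:` is followed by `5. Current running configuration (named running-config.xml)` and items 6 and 7, which are the three things step 4 can restore, not separate steps, so they should be nested bullets under 4 and the later "8." and "9." renumbered to 5 and 6. Two markup slips in the same section: `''''Device > Setup > Operations''''` uses four quotes on each side (three gives bold), and the step for loading a named snapshot bolds "Select" together with the menu path while every other step bolds only the path. The new `==Manage Configuration Backups==` heading and its text also take the place of the `=== [[GlobalProtect]] ===` (with `{{GlobalProtect commands}}`), `=== [[License]] ===` (`request license info`) and `=== Others ===` (`set cli pager off`) subsections that sat here under PAN-OS CLI; if dropping them is unintended, restore them, and since the backup text reproduces the manage-configuration-backups guide already linked under Activities, cite that page with a `<ref>` the way the intro cites the PAN-OS docs.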
Line 96: Line 168:
 
* Review PAN-OS CLI Quick Start: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/cli-cheat-sheets.html
 
* Review PAN-OS CLI Quick Start: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/cli-cheat-sheets.html
 
* Read Palo Alto basics of [[Palo Alto traffic monitoring filtering]]: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSlCAK
 
* Read Palo Alto basics of [[Palo Alto traffic monitoring filtering]]: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSlCAK
* Review https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/9-0/pan-os-cli-quick-start/pan-os-cli-quick-start.pdf
 
* Read https://weberblog.net/cli-commands-for-troubleshooting-palo-alto-firewalls/
 
 
  
 
=== Intermediate ===
 
=== Intermediate ===
 
* Create a [[IPSec]] [[VPN]] access in tunnel mode (transport mode not supported): https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK
 
* Create a [[IPSec]] [[VPN]] access in tunnel mode (transport mode not supported): https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK
 
* Configure [[MFA]]: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-multi-factor-authentication.html
 
* Configure [[MFA]]: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-multi-factor-authentication.html
* Configure [[PAN-OS syslog]]
+
* Configure [[syslog]] monitoring https://www.manageengine.com/products/firewall/help/configure-paloalto-firewalls.html
* Read [[PAN-OS]] [[Port Scan]] Triggering method in zone protection profile: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CljjCAC
 
 
 
[[NAT]]
 
* General overview: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CllzCAC
 
* Configure Host Destination NAT: https://www.youtube.com/watch?v=ocnNiNW7jDE&list=PLD6FJ8WNiIqWPjNPk5Oi1TxE7SJnoPr-D#action=share
 
* Destination Host example: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping
 
* Destination host with port: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-with-port-translation-example.html
 
* Configure ssh [[Port forwarding]] https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMwKCAW
 
* [[PAN-OS Packet Capture]]
 
 
 
== Related terms ==
 
* [[Mobile Device Management (MDM)]]
 
* [[HIP]]
 
* <code>[[neq]]</code>
 
* [[less]] mp-log authd.lo</code>
 
* <code>[[ansible-galaxy collection install paloaltonetworks.panos]]</code>
 
* [[PAN-OS reports]]
 
* [[External Dynamic List (EDL)]]
 
  
 
== See also ==
 
== See also ==
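Review bot: under == Related terms ==, `* [[less]] mp-log authd.lo</code>` has a closing `</code>` with no opening tag and the log file name is cut short; the CLI section spells the same entry `<code>less mp-log authd.log</code>`, so this line should match it. In the Intermediate activities, the internal `Configure [[PAN-OS syslog]]` link is replaced by `Configure [[syslog]] monitoring` pointing at a ManageEngine product page; keep the PAN-OS-specific wiki link alongside the external one if that page is meant to carry the PAN-OS syslog configuration steps.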
