PAN-OS

From wikieduonline
Jump to navigation Jump to search

PAN-OS is software running on Palo Alto firewalls.[1] providing Firewall capabilities, QoS, URL Filtering, packet inspection and threat prevention (WildFire).

PAN-OS CLI[edit]

VPN

PVST+ commands

Troubleshooting

  • ping host <destination-ip-address>
  • ping source <ip-address-on-dataplane> host <destination-ip-address>
  • show netstat statistics yes

Panorama

  • show log-collector preference-list
  • show logging-status device <firewall-serial-number>

Logs

Wildfire

  • show wildfire wf-vm-pe-utilization
  • show wildfire wf-vm-doc-utilization
  • show wildfire wf-vm-elinkda-utilization
  • show wildfire wf-vm-archive-utilization
  • show wildfire global sample-device-lookup sha256 equal <SHA_256>.
  • show wildfire local sample-processed {time [last-12-hrs | last-15-minutes | last-1-hr | last-24-hrs | last-30-days | last-7-days | last-calender-day | last-calender-month] \ count <number_of_samples>}.

Rules[edit]

  • set rulebase security rules YOUR_RULES_NAMES from Untrust to Trust source any destination any application any service any action allow
  • move rulebase security rules YOUR_RULE_NAME top
  • move rulebase security rules YOUR_RULE_NAME before YOUR_OTHER_RULE_NAME
  • delete rulebase security rules YOUR_RULE_NAME

NAT (Valid actions: top, bottom, before, after)

  • set rulebase nat rules YOUR_RULE_NAME source-translation dynamic-ip-and-port interface-address interface ethernet1/2
  • move rulebase nat rules YOUR_RULE_NAME top
  • delete rulebase nat rules YOUR_RULE_NAME

Manage Configuration Backups[edit]

The candidate configuration is a copy of the running configuration plus any inactive changes that you made after the last commit. Backing up versions of the running or candidate configuration enables you to later restore those versions on the firewall.

Back Up a Configuration[edit]

Creating configuration backups enables you to later Restore a Configuration. This is useful when you want to revert the firewall to all the settings of an earlier configuration because you can perform the restoration as a single operation instead of manually reconfiguring each setting in the current configuration.

Note: When you edit a setting and click OK, the firewall updates the candidate configuration but does not save a backup snapshot.

STEP 1

Save a local backup snapshot of the candidate configuration if it contains changes that you want to preserve in the event the firewall reboots. These are changes you are not ready to commit—for example, changes you cannot finish in the current login session.

Perform one of the following tasks based on whether you want to overwrite the default snapshot (.snapshot.xml) or create a snapshot with a custom name:

1. Overwrite the default snapshot—Click Save at the top of the web interface.

2. Create a custom-named snapshot:

  • Select Device > Setup > Operations and Save named configuration snapshot.
  • Enter a Name for the snapshot or select an existing snapshot to overwrite.
  • Click OK and Close.

STEP 2

Export a candidate configuration, a running configuration, or the firewall state information to a host external to the firewall.

Select Device > Setup > Operations and click an export option:

Export named configuration snapshot —Export the current running configuration, a named candidate configuration snapshot, or a previously imported configuration (candidate or running). The firewall exports the configuration as an XML file with the Name you specify.

Export configuration version —Select a Version of the running configuration to export as an XML file. The firewall creates a version whenever you commit configuration changes.

Export device state —Export the firewall state information as a bundle. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the exported information on the replacement by importing the state bundle.

Restore a Configuration[edit]

This is useful when you want to revert all firewall settings used in an earlier configuration; you can perform this restoration as a single operation instead of manually reconfiguring each setting in the current configuration.

The firewall automatically saves a new version of the running configuration whenever you commit changes and you can restore any of those versions. However, you must manually save a candidate configuration to later restore it.

1. Restore the current running configuration. This operation undoes all the changes you made to the candidate configuration since the last commit.

  • Select Device > Setup > Operations and Revert to running configuration.
  • Click Yes to confirm the operation.

2. Restore the default snapshot of the candidate configuration. This is the snapshot that you create or overwrite when you click Save at the top right of the web interface.

  • Select Device > Setup > Operations and Revert to last saved configuration.
  • Click Yes to confirm the operation.
  • (Optional) Click Commit to overwrite the running configuration with the snapshot.

3. Restore a previous version of the running configuration that is stored on the firewall. The firewall creates a version whenever you commit configuration changes.

  • Select 'Device > Setup > Operations' and Load configuration version.
  • Select a configuration Version and click OK.
  • (Optional) Click Commit to overwrite the running configuration with the version you just restored.

4. Restore one of the following: 5. Current running configuration (named running-config.xml) 6. Custom-named version of the running configuration that you previously imported 7. Custom-named candidate configuration snapshot (instead of the default snapshot)

  • Select Device > Setup > Operations and click Load named configuration snapshot.
  • Select the snapshot Name and click OK.
  • (Optional) Click Commit to overwrite the running configuration with the snapshot.

8. Restore a running or candidate configuration that you previously exported to an external host.

  • Select Device > Setup > Operations, click Import named configuration snapshot, Browse to the configuration file on the external host, and click OK.
  • Click Load named configuration snapshot, select the Name of the configuration file you just imported, and click OK.
  • (Optional) Click Commit to overwrite the running configuration with the snapshot you just imported.

9. Restore state information that you exported from a firewall. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the information on the replacement by importing the state bundle. Import state information:

  • Select Device > Setup > Operations, click Import device state, Browse to the state bundle, and click OK.
  • (Optional) Click Commit to apply the imported state information to the running configuration.

Activities[edit]

Basic[edit]

Intermediate[edit]

See also[edit]

Manual: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin.html

Draft - Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. https://en.wikiversity.org/wiki/Draft:Firewall/Palo_Alto_PA-Series/PAN-OS