Palo Alto – Backup The Configuration For Restore

Recently I needed to get a hold of the configuration file that we were able to easily restore to another device in the event of a hardware failure. To perform this task we tried using RANCID but all it does is capture the output of

user@hostname> set cli config-output-format default
user@hostname> show config running

or

user@hostname> set cli config-output-format xml
user@hostname> show config running

Unfortunately the output of these commands are not easily restored to another device in the event of a hardware failure.

To get a configuration backup that you can reload easily on a new/existing device you need to get a copy of the proper XML configuration file. The way to get this is with the following command:

user@hostname> tftp export configuration from running-config.xml to <TFTP Server>

Once you have this you are able to load it back onto a device with no fuss or messing about.

Update: I did eventually get RANCID backing up the XML file that’s TFTP’d from the device with some custom scripts that I wrote, it’s a bit of a fudge but it works.

Advertisements

Palo Alto – Find Processes Hogging The CPU

Update 07/11/2016: Update for PAN OS v7.1.

To show the CPU usage of all processes on the Palo Alto use the following command.

user@hostname> show system resource follow

When run the output will be that of the Linux top command.

For example if the process “logrcvr” was taking up all the CPU time, you can restart the process with the command:

user@hostname> debug software restart log-receiver

For PAN OS v7.1 the syntax has altered slightly and is now.

user@hostname> debug software restart process log-receiver

Palo Alto – Restart The Management Plane

Update 07/11/2016: Update for PAN OS v7.1.

To restart the management plane on a Palo Alto you need to run the following commands from the CLI.

user@hostname> debug software restart device-server
user@hostname> debug software restart management-server

For PAN OS v7.1 the syntax has altered slightly and is now.

user@hostname> debug software restart process device-server
user@hostname> debug software restart process management-server

Note: This only restarts the management plane, the data plane still carries on filtering and forwarding packets.

Palo Alto – Change A URL Category

The Palo Alto firewall uses bright cloud service for it’s URL categorisation. If a URL is incorrectly categorised you can submit a category change request at the URL below:

http://www.brightcloud.com/tools/change-request-url-ip.php

When submitting a change request select “I would like to receive notifications regarding this change” to receive notifications on the request, I personally alway select this so I receive a notification of what they’ve changed the category too (they don’t always use the category you selected)

In the notification you’ll recieve will be a database version number, this relates to the version number in the PaloAlto web interface.

If the database version is correct and the the URL is still being incorrectly categorized, run the following from the CLI:

user@hostname> clear url-cache

This will clear the URL cache on the device so on the next visit to the website it re-evaluates against the new database.

SRX – Cluster Firmware Upgrade

Before performing a firmware upgrade ensure that you have got a backup of the configuration on the device.

The USB slot in SRX series can be used to copy from/to USB storage to internal flash memory when upgrading or troubleshooting.

  • SRX100 : 1 slot
  • SRX210/240 : 2 slots
  • SRX650 : 2 slot on SRE
  • SRX3400/3600 : 2 slots on SFB and 2 slots on each RE
  • SRX5600/5800 : 2 slots on each RE

In order to copy JUNOS software installation package (e.g., junos-srxxxx-xxx.tgz) from the USB storage to internal flash memory, follow the steps below:

  1. Backup the configuration.
  2. Insert a USB flash drive into your PC.
  3. Copy the JUNOS install package (e.g. “junos-srxxxxx-xxx.tgz”) from the PC to the USB stick. The USB flash drive must be formatted in FAT16 or FAT32.
  4. Insert the USB flash drive into one of the USB slots in the SRX.
  5. Logon to the SRX and run the following command to become the “root” user on the device. You will need to enter the root password for the device.

    user@hostname> start shell user root
    Password:

  6. Mount the USB flash drive.

    root@hostname% mkdir /var/tmp/usb
    root@hostname% mount -t msdos /dev/da[N]s1 /var/tmp/usb

    Note: Any directory name can be used as a mount point.
    [N] = most of the time is 1.

  7. Verify the contents of the USB flash drive.

    root@hostname% cd /var/tmp/usb
    root@hostname% ls
    junos-srxxxx-xxx.tgz
    root@hostname%

  8. Copy the the file from the USB flash drive to the internal storage.

    root@hostname% cp /var/tmp/usr/junos-srxxxx-xxx.tgz /root/.

  9. Perform the software upgrade.

    root@hostname% request system software add no-copy unlink /root/junos-srxxxx-xxx.tgz

    Note: It is possible to perform the upgrade directly from the USB flash drive.

  10. Swap to the secondary node, then repeat steps 4 – 9 on this node.

    root@hostname% request routing-engine login node 1

  11. Once the upgrade is complete on all nodes reboot all the nodes simultaneously.

    user@hostname% request system reboot

  12. Once the system is back on-line the firmware upgrade is complete.