Palo Alto – Backup The Configuration For Restore

Recently I needed to get hold of a configuration file that we could easily restore to another device in the event of a hardware failure. To perform this task we tried using RANCID, but all it does is capture the output of:

user@hostname> set cli config-output-format default
user@hostname> show config running

or

user@hostname> set cli config-output-format xml
user@hostname> show config running

Unfortunately, the output of these commands is not easily restored to another device in the event of a hardware failure.

To get a configuration backup that you can reload easily on a new/existing device you need to get a copy of the proper XML configuration file. The way to get this is with the following command:

user@hostname> tftp export configuration from running-config.xml to <TFTP Server>

Once you have this you are able to load it back onto a device with no fuss or messing about.

Update: I did eventually get RANCID backing up the XML file that’s TFTP’d from the device with some custom scripts that I wrote; it’s a bit of a fudge, but it works.
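
TFTP has no authentication or integrity protection, so the file that arrives on the server is worth checking before it is archived as the restore copy. The following is an added example, not the author's RANCID scripts; the expected `<config>` root, the `<devices>` child and the sample inputs are assumptions constructed for illustration.

```python
import hashlib
import sys
import xml.etree.ElementTree as ET

# Assumptions (not from the original post): the exported file has <config> as
# its root element with a <devices> child.
EXPECTED_ROOT = "config"
REQUIRED_CHILDREN = ("devices",)

# Constructed sample inputs, not real firewall configuration.
SAMPLE_GOOD = (b'<config version="0.0.0"><mgt-config/><devices>'
               b'<entry name="fw-example"/></devices></config>')
SAMPLE_TRUNCATED = SAMPLE_GOOD[:40]           # transfer cut off part-way
SAMPLE_NOT_XML = b"deviceconfig {\n  system {\n  }\n}\n"  # screen capture, not the export


def check_backup(data, previous_sha256=None):
    """Return a dict: ok, reason, sha256, changed (versus the last good backup)."""
    digest = hashlib.sha256(data).hexdigest()
    result = {"ok": False, "reason": "", "sha256": digest,
              "changed": digest != previous_sha256}
    if not data.strip():
        result["reason"] = "empty file"
    elif b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        # A config export has no need for a DTD; refuse it before parsing.
        result["reason"] = "unexpected DTD/entity declaration"
    else:
        try:
            root = ET.fromstring(data)
        except ET.ParseError as exc:
            result["reason"] = f"not well-formed XML: {exc}"
            return result
        missing = [c for c in REQUIRED_CHILDREN if root.find(c) is None]
        if root.tag != EXPECTED_ROOT:
            result["reason"] = f"unexpected root element <{root.tag}>"
        elif missing:
            result["reason"] = "missing section(s): " + ", ".join(missing)
        else:
            result["ok"], result["reason"] = True, "well-formed config export"
    return result


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        outcome = check_backup(fh.read(), sys.argv[2] if len(sys.argv) > 2 else None)
    print(outcome)
    sys.exit(0 if outcome["ok"] else 1)
```

A scheduled job can keep the SHA-256 of the last accepted file and archive a new copy only when `ok` is true and `changed` is true.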

Palo Alto – Find Processes Hogging The CPU

Update 07/11/2016: Update for PAN OS v7.1.

To show the CPU usage of all processes on the Palo Alto, use the following command:

user@hostname> show system resource follow

When run, the output will be that of the Linux top command.

For example, if the process “logrcvr” was taking up all the CPU time, you can restart the process with the command:

user@hostname> debug software restart log-receiver

For PAN OS v7.1 the syntax has altered slightly and is now:

user@hostname> debug software restart process log-receiver

Palo Alto – Restart The Management Plane

Update 07/11/2016: Update for PAN OS v7.1.

To restart the management plane on a Palo Alto, you need to run the following commands from the CLI:

user@hostname> debug software restart device-server
user@hostname> debug software restart management-server

For PAN OS v7.1 the syntax has altered slightly and is now:

user@hostname> debug software restart process device-server
user@hostname> debug software restart process management-server

Note: This only restarts the management plane; the data plane still carries on filtering and forwarding packets.

Palo Alto – Change A URL Category

The Palo Alto firewall uses the BrightCloud service for its URL categorisation. If a URL is incorrectly categorised, you can submit a category change request at the URL below:

http://www.brightcloud.com/tools/change-request-url-ip.php

When submitting a change request, select “I would like to receive notifications regarding this change” to receive notifications on the request. I personally always select this so I receive a notification of what they’ve changed the category to (they don’t always use the category you selected).

The notification you receive will include a database version number; this relates to the version number in the Palo Alto web interface.

If the database version is correct and the URL is still being incorrectly categorised, run the following from the CLI:

user@hostname> clear url-cache

This will clear the URL cache on the device so on the next visit to the website it re-evaluates against the new database.