palo alto networks

Palo Alto firewalls have a neat feature called "DBL" - Dynamic Block List. This feature allows the firewall to grab a list of ip addresses or domains from an http page. You have to format the web page cleanly (https://live.paloaltonetworks.com/t5/Learning-Articles/Working-with-External-Block-List-EBL-Formats-and-Limitations/ta-p/58795), but it allows you to update the web page dynamically, and the

With the default LDAP settings on a Palo Alto firewall, failing over from one LDAP server to another may not work correctly.  You need to tune the LDAP timers and retry intervals down to a lower level.  The settings I used are:

Time Limit: 3
Bind Time Limit: 4
Retry Interval: 900

The official doc is found here: https://live.

Below are the steps I used to perform an PAN-OS upgrade from 6.0.4 to 6.0.6 successfully.

1. On the active fw (fw1), log into the cli and enter: request high-availability state suspend.  This will force a failover to the secondary firewall (fw2).  I lost 2 pings during the failover.
2. Install the new PAN-OS on fw1, and reboot

>show high-availability all
>show high-availability state
>show high-availability link-monitoring
>show high-availability path-monitoring

Configuring High Availability: https://live.paloaltonetworks.com/docs/DOC-2926

After enabling HA, the interfaces on the firewall will switch from using the interface MAC address to a virtual MAC address.  In my case, the Palo Alto updated the MAC address to connected devices, except

Two quick cli commands to see who is currently logged in, and who logged in previously:

show global-protect-gateway current-user

show global-protect-gateway previous-user

You can also specify the username with each command to see specific results.

If want want to force a user logout (from my testing, the user will not see a notification they have been logged out):

request global-protect-gateway