Palo Alto firewalls have a neat feature called "DBL", the Dynamic Block List. This feature allows the firewall to fetch a list of IP addresses or domains from an HTTP page. You have to format the web page cleanly (https://live.paloaltonetworks.com/t5/Learning-Articles/Working-with-External-Block-List-EBL-Formats-and-Limitations/ta-p/58795), but it allows you to update the web page dynamically, and the
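As an added example (not code from the original post), here is a small Python script that turns a hand-maintained source list into the clean one-entry-per-line text a block list page should serve, rejecting anything that is not a valid address. The accepted entry forms (single IP, CIDR network, hyphenated IP range) and the use of `#` comments in the source file are assumptions of this example, not details stated in the post.

```python
import ipaddress

# Constructed sample source list (RFC 5737 / RFC 3849 documentation
# addresses only), including duplicates and two malformed lines.
SAMPLE_FEED = """# constructed sample feed, not a real indicator list
192.0.2.10
192.0.2.10
198.51.100.0/24
203.0.113.5 - 203.0.113.9
2001:db8::1
not-an-address
10.0.0.300
"""

def parse_entry(line):
    """Return a normalized entry (IP, CIDR, or 'a-b' range) or None.
    Blank lines and '#' comments in the source file return None too."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    if "-" in text:  # assumed range syntax: first-last
        lo, _, hi = text.partition("-")
        try:
            a, b = ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())
        except ValueError:
            return None
        if a.version != b.version or a > b:
            return None
        return f"{a}-{b}"
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None
    # Emit a host entry as a bare address, everything else in CIDR form.
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)

def build_block_list(raw_text):
    """Return (clean_entries, rejected_lines): deduplicated valid entries
    in source order, plus the non-comment lines that failed validation."""
    clean, rejected, seen = [], [], set()
    for line in raw_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            stripped = line.strip()
            if stripped and not stripped.startswith("#"):
                rejected.append(stripped)
        elif entry not in seen:
            seen.add(entry)
            clean.append(entry)
    return clean, rejected
```

Write the `clean` entries joined with newlines to the file your web server publishes, and review the `rejected` list before each update so a typo never silently shrinks the block list.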
Palo Alto Firewall LDAP Failover
With the default LDAP settings on a Palo Alto firewall, failing over from one LDAP server to another may not work correctly. You need to tune the LDAP timers and retry intervals down to a lower level. The settings I used are:
Time Limit: 3
Bind Time Limit: 4
Retry Interval: 900
The official doc is found here: https://live.
Palo Alto Firewall HA PAN-OS Upgrade
Below are the steps I used to perform a PAN-OS upgrade from 6.0.4 to 6.0.6 successfully.
- On the active fw (fw1), log into the CLI and enter:
request high-availability state suspend
This will force a failover to the secondary firewall (fw2). I lost 2 pings during the failover.
- Install the new PAN-OS on fw1, and reboot
Palo Alto Firewall HA CLI Commands
>show high-availability all
>show high-availability state
>show high-availability link-monitoring
>show high-availability path-monitoring
Configuring High Availability: https://live.paloaltonetworks.com/docs/DOC-2926
After enabling HA, the interfaces on the firewall will switch from using the interface MAC address to a virtual MAC address. In my case, the Palo Alto updated the MAC address to connected devices, except
Palo Alto GlobalProtect VPN Users
Two quick CLI commands to see who is currently logged in, and who logged in previously:
show global-protect-gateway current-user
show global-protect-gateway previous-user
You can also specify the username with each command to see specific results.
If you want to force a user logout (from my testing, the user will not see a notification that they have been logged out):
request global-protect-gateway
Palo Alto Firewall AD Group Mapping
These commands will help troubleshoot and resolve issues with Active Directory groups on your PAN firewall.
1. Shows every AD group added to the PAN firewall:
show user group list
2. Shows the user and IP address mapping (or specific user):
show user ip-user-mapping all
3. Shows more detailed statistics than the command above:
show user group-mapping state all
4.