https://www.staffordnet.uk/ 2026-04-05T20:05:22+00:00 https://www.staffordnet.uk/ https://www.staffordnet.uk/lib/exe/fetch.php?media=favicon.ico text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:troubleshooting:certificates&rev=1669207782&do=diff Certificates Request New Device Certificate request certificate fetch text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:troubleshooting:decryption&rev=1669207782&do=diff Troubleshooting Decryption decrypt-cert-validation Remember, if you block users from accessing sites with expired certificates (even if this is just set in the “no-decrypt” section), you will get ( session_end_reason eq decrypt-cert-validation ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:troubleshooting:disk_space&rev=1669207782&do=diff Disk Space Maintenance Show Disk Space You can verify how much disk space is free with this command show system disk-space Delete Saved Configuration Files To delete a named configuration on PAN-OS, SSH in to the CLI and run the following command text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:troubleshooting:firewall_resources&rev=1669207782&do=diff Troubleshooting Firewall Performance CPU Spikes Could be caused by genindex.sh. Could be caused by IPsec tunnels. Performance Issues Possible but in PAN-OS 10.0.6 but we have seen a case where disabling “Forward segments exceeding TCP content inspection queue” cause massive throughput hit. text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:troubleshooting:flow_basic&rev=1669207782&do=diff Flow Basic Steps Apply the filters from 'Monitor > Packet Capture' Filters: * Source=Client IP - Destination=Server IP * Source=Server IP - Destination= Client IP * Source=NAT IP - Destination=Server IP * Source=Server IP - Destination=NAT IP text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:troubleshooting:global_protect&rev=1669207782&do=diff Troubleshooting GlobalProtect Client Logs * PanGP Agent logs are for the GlobalProtect UI program * PanGP Service logs are for the GlobalProtect service/daemon program. Use this one. PanGP Service Logs Sections of Service Logs * ----portal processing starts text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:troubleshooting:logs&rev=1669207782&do=diff Troubleshooting Logs View Daemon Logs To view the PHP web server logs on a Palo tail follow yes mp-log php.debug.log To view the VPN logs on a Palo tail follow yes mp-log ikemgr.log Logging Rates See here. Show firewall logging rate debug log-receiver statistics text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:troubleshooting:misc&rev=1669207782&do=diff PAN-OS Misc Troubleshooting Memory Error I once had an issue where a Palo would commit fine until I started using the certificates it had installed. (e.g. added a GlobalProtect Portal). At that point I would fail to commit with the message Error: Certificate 'cert name' failed to load: Internal memory error. text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:troubleshooting:packet_captures&rev=1669207782&do=diff Packet Captures Packet Capture Types * RX - Pre-decryption, pre-NAT * FW - Post-decryption, pre-NAT * TX - Post-decryption, post-NAT * DR - Dropped packets Putting RX and TX into the same file will, if NAT is involved, result in the packet capture putting both the pre-NAT packet and the post-NAT packet in the PCAP. Including the FW stream will result in duplicate errors as it will clash with RX. text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:troubleshooting:restart_panos&rev=1669207782&do=diff Restart Software Restart Entire Device request restart system request shutdown system Restart Management Plane Only debug software restart device-server debug software restart management-server Later versions of code use: debug software restart process management-server text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:troubleshooting:sip&rev=1669207782&do=diff SIP This link is very good. * Create a custom app that is TCP/UDP 5060. * Create and App-ID override policy for TCP 5060 and set it to this app. * Create and App-ID override policy for UDP 5060 and set it to this app. I have seen this fix an issue where the call was made but audio didn't work for 10 seconds (also, dial back wasn't audible during calling). text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:troubleshooting:stats_dump&rev=1669207782&do=diff Stats Dump scp export stats-dump start-time equal 2017/04/04@00:00:00 end-time equal 2017/MONTH/DAY@00:00:00 to USERNME@IPADDRESS:/PATH/FILENAME or tftp export stats-dump start-time equal 2011/11/15@00:00:00 end-time equal 2011/12/05@00:00:00 to YOUR_PC_IP_ADDR text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:troubleshooting:technical_support_file&rev=1669207782&do=diff Technical Support File Device State File Device Group Data device_state_cfg\device_state_cfg\sp\vsys1\sp-config.xml Template Data device_state_cfg\device_state_cfg\template\template-config.xml Local Data <code>device_state_cfg\device_state_cfg\running-config.xml<code> text/html 2023-01-21T16:54:49+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:troubleshooting:testing_panos&rev=1674320089&do=diff Testing PAN-OS This page lists various methods for testing configuration on a Palo Alto Networks firewall Set VSYS If you are working on a multi-vsys appliance, use the following command to switch to the appropriate vsys. set system setting target-vsys <vsys-name> text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:troubleshooting:unlock_accounts&rev=1669207782&do=diff Unlock Accounts You can unlock an account on the CLI request authentication unlock-admin user <value> text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:troubleshooting:vpn&rev=1669207782&do=diff IPSec VPN Troublshooting Remember, VM Series firewalls can only handle 300Mbps each way (600Mbps total) per Ipsec tunnel. This is due to the PAN-OS archtiecture. This does not affect hardware firewalls. More info here and here. Test All VPN Connections test vpn ipsec-sa text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:troubleshooting:web_ui&rev=1669207782&do=diff PAN-OS Web UI In the PAN-OS Web GUI, type CTRL+ALT+X to bring up the debug window.