EDU 311 80a MOD 04 Admin Troubleshooting

Administration Troubleshooting

EDU-311
PAN-OS® 8.0
Courseware Version A

1 | ©2017, Palo Alto Networks, Inc.


Agenda
§ Initial configurations:
• MGT interface
• Interface Management Profile
• Firewall users and roles
• Authentication profiles

§ RADIUS troubleshooting

§ LDAP troubleshooting

§ Maintenance mode



Initial Configurations



Management (MGT) Interface Settings
Device > Setup > Interfaces > Management

If you add one or more addresses, only the listed IP addresses will be able to connect to the MGT port.

Connections to the MGT port are limited to the services you select.


Interface Management Profile
Network > Network Profiles > Interface Mgmt > [name]

§ Enables the selected management services on interfaces other than the MGT interface

§ Enables services not available on the MGT interface


Service Route Configuration
Verify firewall server and service configuration

Device > Setup > Services



Verify Account Settings
Device > Administrators



Admin Roles: Web UI and XML API Permissions
Device > Admin Roles > Add

§ Verify permissions for:
• Web UI elements
• XML API functions
• CLI access level

§ Set specific permissions to Enable, Read Only, or Disable


Admin Roles: CLI Permissions
Device > Admin Roles > Command Line

Options for assigning CLI rights are restricted to a set of predefined user types:
§ None
§ superuser
§ superreader
§ deviceadmin
§ devicereader
§ vsysadmin*
§ vsysreader*
* Multi-virtual system-capable firewalls only


Authentication Profiles
Device > Authentication Profile > Authentication

Restricts access to specified users or groups. Defaults to “all”.


RADIUS Troubleshooting



RADIUS Authentication Configuration
Device > Server Profiles > RADIUS
§ Common reasons why RADIUS authentication might fail:
• Wrong RADIUS server IP address
• Wrong shared secret
• Using old UDP port 1645
• Timeout value is too low
• Accessing the wrong RADIUS server


PAN-OS® RADIUS Dictionary
Source: https://live.paloaltonetworks.com/docs/DOC-3189

#
# dictionary.paloalto
#
VENDOR PaloAlto 25461
ATTRIBUTE PaloAlto-Admin-Role 1 string PaloAlto
# PaloAlto-Admin-Role is the name of the role for the user
# it can be the name of a custom Admin role profile configured on the
# Palo Alto Networks device or one of the following predefined roles
# superuser : Superuser
# superreader : Superuser (read-only)
# deviceadmin : Device administrator
# devicereader : Device administrator (read-only)
# vsysadmin : Virtual system administrator
# vsysreader : Virtual system administrator (read-only)
ATTRIBUTE PaloAlto-Admin-Access-Domain 2 string PaloAlto
# PaloAlto-Admin-Access-Domain is the name of the access domain object defined
# on the Palo Alto Networks device
ATTRIBUTE PaloAlto-Panorama-Admin-Role 3 string PaloAlto
# PaloAlto-Panorama-Admin-Role is the name of the role for the user
# it can be the name of a custom Admin role profile configured on the
# Panorama server or one of the following predefined roles
# superuser : Superuser
# superreader : Superuser (read-only)
# panorama-admin : Panorama administrator
ATTRIBUTE PaloAlto-Panorama-Admin-Access-Domain 4 string PaloAlto
# PaloAlto-Panorama-Admin-Access-Domain is the name of the access domain
# object defined on the Panorama server
ATTRIBUTE PaloAlto-User-Group 5 string PaloAlto
# PaloAlto-User-Group is the name of the group of users that can be used in
# allow lists in authentication profiles for access control purposes
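As an added example (not code from the courseware or from Palo Alto Networks), the following Python encodes and decodes the attributes above in the generic RFC 2865 Vendor-Specific layout, using the vendor id and attribute numbers from dictionary.paloalto. It lets you check, byte by byte, what a RADIUS server places in an Access-Accept against what the firewall expects; the sample attribute list at the bottom is constructed for the demo.

```python
"""Encode and decode the PaloAlto RADIUS vendor-specific attributes (VSAs).

Added example; not part of the courseware and not Palo Alto Networks code.
It implements the RFC 2865 section 5.26 Vendor-Specific attribute layout
(type 26, length, 4-byte vendor id, vendor type, vendor length, value)
with the numbers from dictionary.paloalto.
"""
import struct

VENDOR_ID = 25461  # VENDOR PaloAlto 25461 in dictionary.paloalto
VSA_TYPE = 26      # RFC 2865 Vendor-Specific attribute type

# vendor-type number -> attribute name, from dictionary.paloalto
PALOALTO_ATTRIBUTES = {
    1: "PaloAlto-Admin-Role",
    2: "PaloAlto-Admin-Access-Domain",
    3: "PaloAlto-Panorama-Admin-Role",
    4: "PaloAlto-Panorama-Admin-Access-Domain",
    5: "PaloAlto-User-Group",
}
NAME_TO_TYPE = {name: num for num, name in PALOALTO_ATTRIBUTES.items()}

# predefined firewall roles listed in the dictionary comments
PREDEFINED_FIREWALL_ROLES = {"superuser", "superreader", "deviceadmin",
                             "devicereader", "vsysadmin", "vsysreader"}


def encode_vsa(name, value):
    """Return one Vendor-Specific attribute carrying a PaloAlto string value."""
    vendor_type = NAME_TO_TYPE[name]          # KeyError for unknown names
    data = value.encode("utf-8")
    vendor_length = 2 + len(data)             # vendor-type + vendor-length + value
    total_length = 6 + vendor_length          # type + length + vendor id + inner
    if total_length > 255:
        raise ValueError("value too long for a single VSA")
    return (struct.pack("!BBI", VSA_TYPE, total_length, VENDOR_ID)
            + struct.pack("!BB", vendor_type, vendor_length) + data)


def decode_vsas(attributes):
    """Walk a sequence of RADIUS attributes and collect the PaloAlto VSAs.

    Attributes of other types and VSAs of other vendors are skipped; a
    malformed length raises ValueError instead of being silently ignored.
    """
    found = {}
    pos = 0
    while pos < len(attributes):
        if pos + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        attr_type, attr_length = attributes[pos], attributes[pos + 1]
        if attr_length < 2 or pos + attr_length > len(attributes):
            raise ValueError("bad attribute length at offset %d" % pos)
        body = attributes[pos + 2:pos + attr_length]
        pos += attr_length
        if attr_type != VSA_TYPE or len(body) < 6:
            continue
        vendor_id = struct.unpack("!I", body[:4])[0]
        if vendor_id != VENDOR_ID:
            continue
        vendor_type, vendor_length = body[4], body[5]
        if vendor_length != len(body) - 4:
            raise ValueError("vendor length does not match attribute length")
        value = body[6:].decode("utf-8", errors="replace")
        name = PALOALTO_ATTRIBUTES.get(vendor_type, "PaloAlto-Unknown-%d" % vendor_type)
        found[name] = value
    return found


def classify_admin_role(role):
    """Say whether a PaloAlto-Admin-Role value is a predefined role or must
    match a custom Admin Role profile configured on the firewall."""
    return "predefined" if role in PREDEFINED_FIREWALL_ROLES else "custom-profile"


if __name__ == "__main__":
    # constructed sample: an attribute list with a Reply-Message (type 18)
    # followed by two PaloAlto VSAs, as a server might return in Access-Accept
    attrs = (bytes([18, 4]) + b"ok"
             + encode_vsa("PaloAlto-Admin-Role", "superreader")
             + encode_vsa("PaloAlto-User-Group", "fw-admins"))
    for name, value in decode_vsas(attrs).items():
        print(name, "=", value, "(%s)" % classify_admin_role(value)
              if name == "PaloAlto-Admin-Role" else "")
```

A role value that classifies as custom-profile must match the name of an Admin Role profile on the firewall exactly; a PaloAlto-User-Group value is only useful if that group name appears in the authentication profile's allow list.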


RADIUS Authentication Troubleshooting
§ Begin by looking in the system log (Monitor > Logs > System). Look for the error message “User is not in allowlist From: <server-ip-address>”.

§ To see the groups the firewall associates with the user, run:
> show user user-ids

…then search for the username (type a “/” followed by the username) to determine which groups the firewall associates with the user.


Wrong IP Address
System log and authd.log entries (screenshots)

No entry will show in the Authentication logs in the WebUI monitor.


Wrong Shared Secret
Same errors in the system log and authd.log.

The shared secret refers to the RADIUS password, not to the user password.


Wrong IP Address in Client Config on Windows Server
Same errors in the system log and authd.log



Invalid RADIUS Policy
Same system log entry, but the authd.log is different



Invalid RADIUS Policy (Cont.)
Event Viewer output

The error indicates the user is not a domain member or is not in the allowed user group.


RADIUS Success Messages

authd.log info

RADIUS logs, in this case from IAS RADIUS on a Windows Server


LDAP Troubleshooting



LDAP Authentication Configuration
Device > Server Profiles > LDAP
Why LDAP authentication commonly fails:
§ Incorrect IP address of the LDAP server
§ Incorrect Base DN value
§ Incorrect Bind DN value
§ Incorrect Bind password


LDAP Troubleshooting
Run:
> show user group-mapping state all
> show user user-id-agent state all

to verify firewall connections to the LDAP server and display:
§ Username
§ Password
§ IP address
§ Port


Troubleshooting Active Directory Structure
For this example, the groups to authorize have the following values:

cn=admin,cn=users,dc=pantac2,dc=org
cn=username,ou=outest2,ou=outest,dc=pantac2,dc=org



Troubleshooting the Base DN
§ The Base DN is where the firewall starts to search the directory structure.

§ The Bind DN is the username used to authenticate and perform a search.

§ In Active Directory, a plain folder icon represents a container (CN) and a folder-with-image icon represents an organizational unit (OU).

Base DN: dc=pantac2,dc=org


Troubleshooting a User Bind DN
Assuming that the admin account is in the Users container, the Bind DN would be:

Bind DN: cn=admin,cn=users,dc=pantac2,dc=org


Troubleshooting a User Bind DN (Cont.)
Assume that the test1 account is in the OUtest2 OU, which in turn is in the OU OUtest. The Bind DN would be:

Bind DN: cn=test1,ou=outest2,ou=outest,dc=pantac2,dc=org


Troubleshooting Organizational Units
Assume that the test1 account is in the Users OU:
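The DN slides above come down to two checks: build the Bind DN from the account's position in the tree (cn= for a container, ou= for an organizational unit) and confirm it sits under the Base DN. The following Python is an added example, not courseware or Palo Alto Networks code; it models the constructed pantac2.org tree from the slides (admin in the Users container, test1 in OUtest2 under OUtest) and implements only as much of RFC 4514 as is needed to split RDNs and honour backslash escapes.

```python
"""Build and sanity-check LDAP Base DN / Bind DN strings.

Added example; not from the courseware or from Palo Alto Networks. The
sample tree (pantac2.org, Users container, OUtest/OUtest2) is the one the
slides use and is constructed for illustration.
"""

SPECIALS = ',+"\\<>;'   # characters that must be escaped inside an RDN value


def escape_value(value):
    """Backslash-escape the RFC 4514 special characters in an RDN value."""
    return "".join("\\" + ch if ch in SPECIALS else ch for ch in value)


def build_dn(account, parents, base_dn):
    """Return a DN for *account* from the list of its parents, nearest first.

    Each parent is (kind, name): 'container' is the plain folder icon in
    AD Users and Computers and is emitted as cn=; 'ou' is the
    folder-with-image icon and is emitted as ou=.
    """
    rdns = ["cn=" + escape_value(account)]
    for kind, name in parents:
        if kind not in ("container", "ou"):
            raise ValueError("unknown parent kind: %r" % kind)
        rdns.append(("cn=" if kind == "container" else "ou=") + escape_value(name))
    return ",".join(rdns + [base_dn])


def parse_dn(dn):
    """Split a DN into [(attribute, value), ...], leaf first, honouring \\ escapes."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    if escaped:
        raise ValueError("DN ends with a dangling escape")
    rdns.append(buf)
    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError("RDN without attribute type: %r" % rdn)
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


def is_under(dn, base_dn):
    """True when dn sits at or below base_dn (case-insensitive suffix match)."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    if len(b) > len(d):
        return False
    tail = d[len(d) - len(b):]
    return [(a, v.lower()) for a, v in tail] == [(a, v.lower()) for a, v in b]


def check_bind_dn(bind_dn, base_dn):
    """Return a list of problems with a Bind DN; an empty list means nothing obvious."""
    problems = []
    try:
        bind = parse_dn(bind_dn)
        parse_dn(base_dn)
    except ValueError as exc:
        return ["unparseable DN: %s" % exc]
    if not is_under(bind_dn, base_dn):
        problems.append("Bind DN is not under the Base DN, so the search starts outside its subtree")
    if bind[0][0] != "cn":
        problems.append("leaf RDN should be cn=<account>, got %s=" % bind[0][0])
    for attr, value in bind:
        if attr not in ("cn", "ou", "dc"):
            problems.append("unexpected attribute type %r in Bind DN" % attr)
        if not value:
            problems.append("empty value for %s=" % attr)
    return problems


if __name__ == "__main__":
    base = "dc=pantac2,dc=org"
    for dn in (build_dn("admin", [("container", "users")], base),
               build_dn("test1", [("ou", "outest2"), ("ou", "outest")], base),
               "cn=admin,cn=users,dc=other,dc=org"):
        print(dn, "->", check_bind_dn(dn, base) or "ok")
```

Note what the string check cannot do: it cannot tell whether a given level is a container or an OU, because cn=outest2 and ou=outest2 are both syntactically valid. That is exactly why the slide points at the folder icons in Active Directory Users and Computers; build_dn encodes that decision explicitly so the wrong prefix is not guessed.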



LDAP Authentication Troubleshooting
§ Begin by looking in the system log (Monitor > Logs > System). Look for the error message “User is not in allowlist From: <server-ip-address>”.

§ To see the groups the firewall associates with the user, run:
> show user user-ids

…then search for the username (type a “/” followed by the username) to determine which groups the firewall associates with the user.
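Both the RADIUS troubleshooting slide and the LDAP troubleshooting slide start from the same system log message. The Python below is an added example (not from the courseware or from Palo Alto Networks) that scans exported system log lines for that message, groups the failures by the server address the message names, and flags any address that is not in the configured server profile, which points at the "accessing the wrong server" cause rather than at a missing allow-list entry. The log lines are constructed to approximate the quoted description text; the field layout of a real export may differ, so adjust the split and the regular expression to your own export.

```python
"""Scan PAN-OS system log entries for the "User is not in allowlist" message.

Added example; not part of the courseware or any Palo Alto Networks tool.
SAMPLE_SYSTEM_LOG is constructed (timestamp,severity,description) and only
approximates the text shown in Monitor > Logs > System.
"""
import re
from collections import Counter

SAMPLE_SYSTEM_LOG = """\
2017/01/27 18:40:02,high,failed authentication for user 'test1'. Reason: User is not in allowlist From: 172.31.254.10.
2017/01/27 18:40:09,high,failed authentication for user 'test1'. Reason: User is not in allowlist From: 172.31.254.10.
2017/01/27 18:41:15,high,failed authentication for user 'jdoe'. Reason: User is not in allowlist From: 10.0.0.25.
2017/01/27 18:42:00,informational,authenticated for user 'admin'. auth profile 'radius-admins', server profile 'corp-radius', server address '172.31.254.10'
"""

ALLOWLIST_RE = re.compile(
    r"user '(?P<user>[^']+)'.*?User is not in allowlist\s+From:\s*"
    r"(?P<server>\d{1,3}(?:\.\d{1,3}){3})")


def find_allowlist_failures(log_text):
    """Return one dict per allowlist failure: timestamp, user and the
    authentication server address the message names."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(",", 2)          # description may itself contain commas
        if len(parts) != 3:
            continue
        timestamp, _severity, description = parts
        match = ALLOWLIST_RE.search(description)
        if match:
            hits.append({"time": timestamp, "user": match.group("user"),
                         "server": match.group("server")})
    return hits


def summarize(hits, configured_servers):
    """Group failures by server and mark servers missing from the server
    profile; a server that is not configured suggests the firewall is
    reaching the wrong authentication server, not a bad allow list."""
    per_server = Counter(h["server"] for h in hits)
    return {
        server: {
            "failures": count,
            "users": sorted({h["user"] for h in hits if h["server"] == server}),
            "in_server_profile": server in configured_servers,
        }
        for server, count in per_server.items()
    }


if __name__ == "__main__":
    hits = find_allowlist_failures(SAMPLE_SYSTEM_LOG)
    # constructed: the only server address in the RADIUS/LDAP server profile
    for server, info in summarize(hits, {"172.31.254.10"}).items():
        print(server, info)
```

Once a failure is confirmed to come from the expected server, the next step is the one the slide gives: run show user user-ids and search for the username to see which groups the firewall actually holds for that user, and compare them with the authentication profile's allow list.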


LDAP – Invalid Bind Account Information
For an incorrect password, account name, or incorrect location in the LDAP tree, check connection status with the following commands:
> show user group-mapping state all

> show user user-id-agent state all

> less mp-log useridd.log


LDAP User Log In Failure Messages
Invalid username or password:
> less mp-log authd.log



Maintenance Mode



Introducing Maintenance Mode
Use a console or SSH connection to connect to the Maintenance Recovery Tool



Entering Maintenance Mode with the maint Command
Requires serial-console access:
§ Physical port (RJ-45)
§ 9600-N-8-1 serial connection

During the boot process, look for and enter the maint command option.


Welcome to the Maintenance Recovery Tool
When prompted, press Enter to select Continue.

Welcome to the Maintenance Recovery Tool

Welcome to maintenance mode. For support please contact Palo Alto Networks.

866-898-9087 or [email protected]

< Continue >

Q=Quit, Up/Down=Navigate, ENTER=Select, ESC=Back


Maintenance Mode
Set IP Address: Sets the MGT interface IP address and default gateway.

Welcome to the Maintenance Recovery Tool

< Maintenance Entry Reason >
< Get System Info >
< Factory Reset >
< Set FIPS-CC Mode >
< FSCK (Disk Check) >
< Log Files >
< Disk Image >
< Select Running Config >
< Content Rollback >
< Set IP Address >
< Diagnostics >
< Debug Reboot >
< Reboot >

Q=Quit, Up/Down=Navigate, ENTER=Select, ESC=Back


Maintenance Mode Entry Example

Maintenance Entry Reason

Entry Reason:

System start failed multiple times. Caused by service: devsrvr

Corrective Action:

Check 'Log Files' for failure reason. The 'Disk Image' or 'Content Rollback' commands may be required.

Q=Quit, Up/Down=Navigate, ENTER=Select, ESC=Back


Factory Reset
§ Conducted from maintenance mode
§ Resets the firewall to factory default settings
§ All license and configuration data are removed and will need to be reloaded.
Welcome to the Maintenance Recovery Tool

< Maintenance Entry Reason >
< Get System Info >
< Factory Reset >
< Set FIPS-CC Mode >
< FSCK (Disk Check) >
< Log Files >
< Disk Image >
< Select Running Config >
< Content Rollback >
< Set IP Address >
< Diagnostics >
< Debug Reboot >
< Reboot >

Q=Quit, Up/Down=Navigate, ENTER=Select, ESC=Back


Diagnostics
Maintenance mode provides a limited set of diagnostic utilities. Though the
utilities are helpful, they are not typically requested by the TAC.

Welcome to the Maintenance Recovery Tool

< Maintenance Entry Reason >
< Get System Info >
< Factory Reset >
< Set FIPS-CC Mode >
< FSCK (Disk Check) >
< Log Files >
< Disk Image >
< Select Running Config >
< Content Rollback >
< Set IP Address >
< Diagnostics >
< Debug Reboot >
< Reboot >

Diagnostics
< DP Memory Test >
< Test Disk Performance >

Q=Quit, Up/Down=Navigate, ENTER=Select, ESC=Back


Password Recovery
This process requires that you have a saved configuration file, with a password
that you know. If not, a factory reset will be required.

Welcome to the Maintenance Recovery Tool

< Maintenance Entry Reason >
< Get System Info >
< Factory Reset >
< Set FIPS-CC Mode >
< FSCK (Disk Check) >
< Log Files >
< Disk Image >
< Select Running Config >
< Content Rollback >
< Set IP Address >
< Diagnostics >
< Debug Reboot >
< Reboot >

Select Running Config
Select config to load to running config:
Name : Version
< policy-optimize-0170118.xml : 8.0.1 >
< before-policy-review-170115.xml : 8.0.1 >

Q=Quit, Up/Down=Navigate, ENTER=Select, ESC=Back


Reverting PAN-OS® Software
§ The PAN-OS® software can be loaded or reloaded with a different
version while in maintenance mode.
§ The PAN-OS® version can be changed without rebooting the firewall.
Welcome to the Maintenance Recovery Tool

< Maintenance Entry Reason >
< Get System Info >
< Factory Reset >
< Set FIPS-CC Mode >
< FSCK (Disk Check) >
< Log Files >
< Disk Image >
< Select Running Config >
< Content Rollback >
< Set IP Address >
< Diagnostics >
< Debug Reboot >
< Reboot >

Disk Image
Currently active version: 8.0.1
< Reinstall 8.0.1 >
Currently revertable version: 7.1.14
< Revert to 7.1.14 >

Q=Quit, Up/Down=Navigate, ENTER=Select, ESC=Back


Obtaining System Information
Welcome to the Maintenance Recovery Tool

Diag System Information

Extracted System Information:
Platform: 820
Model: PA-820
Serial Number: 0153B0034810
Revision Version: 1.0
Active Sysroot: sysroot0
Active Version: 8.0.0
IP address: 172.31.254.10
Netmask: 255.255.255.0
Default GW: 172.31.254.1
Current Pan App Content Version: 627-3633
Date: Fri Jan 27 18:55:01 PST 2017
All information extracted

< Back >

Q=Quit, Up/Down=Navigate, ENTER=Select, ESC=Back


Questions?



Secures the Network
