• Troubleshooting Enablement
• Troubleshooting Tools
• Troubleshooting Skills
• Troubleshooting Knowledge
• Options For Information and Support
• Online Resources: Fuel User Group
• Online Resources: LIVE Community
• Customer Support Portal
• Enabling Notifications
• Contact Technical Support or Account Manager?
• Support Section Within the Firewall
• Status Monitoring Tools
• Health Indicators to Check
• Dashboard Indicators
• Application Control Center (ACC)
• Pan(w)achrome Browser Extension (Third Party)
• Logs in the Web Interface
• Diagnostic Tools for Policy and Connectivity Analysis
• Why Learn About the CLI?
• Packet-Level Tracing
• Maintenance Mode
• Entering Maintenance Mode
• Welcome to the Maintenance Recovery Tool
• Maintenance Mode Entry Reason
• Obtaining System Information
• Factory Reset
• Revert or Reload PAN-OS Software
• Set the Management IP Address
• Load Configuration
• Run Diagnostics
• (Optional) Use the CLI to Export a Tech Support File Lab
• CLI Fundamentals Lab (Content in Appendix A)

Lab 1: Tech Support Files

• Connect to Your Student Firewall
• Validate the Basic Functionality of the System
• Use the Web Interface to Get a Tech Support File
• Decompress the Contents of the Tech Support File
• Explore the Tech Support File
• Use the CLI to Export a Tech Support File
• Use the CLI to Generate a Tech Support File
• Use the CLI to Export a Tech Support File
• Validate the Exported Tech Support File
• Reference Information

• Sessions and States
• How Does Network Communication Work?
• Session-Based Processing
• Why Review the Concept of a Session?
• What Is a Palo Alto Networks Firewall Session?
• Basic Session Information
• What Is a Session?
• show session info Command
• Session Management and Traffic Flow
• Session States
• Display of Session Details in the Session Browser
• show session all Command
• show session id Command
• Traffic Log: Session Details
• Session End Reasons
• Traffic Log
• Flow Logic
• How to Get a Clear and Relevant View of the Flow Logic
• Hardware Terms for Data-Plane Troubleshooting
• Software Terms for Data-Plane Troubleshooting
• Data-Plane Processing
• Data-Plane Packet Flow
• Ingress Stage
• Session Matching
• After Initial Packet Parsing…
• Session Setup (“slowpath”) Stage
• Security Processing (“fastpath”) Stage
• App-ID Applied
• Content-ID/Content Inspection Applied
• Content Inspection
• Egress Stage

Lab 2: CLI Fundamentals

• Import, Load, and Commit a Configuration File
• Confirm the Current Device Configuration
• Explore Options for Changing Other Device Settings
• Change the Current Device Configuration
• Clean Up Your Lab Environment
• Lab (Optional): Use the CLI to Modify Policy Objects
• Review the Existing Policy Configuration
• Use the CLI to Examine a Configuration and Discover Options for How to Modify It
• Modify Object Parameters
• Review Changes and Commit the Configuration
• (Optional) Test URL Filtering Profile Changes
• Reference Information

• Packet Capture Concepts
• Troubleshooting with Packet Captures
• Packet Filters
• Types of Firewall Packet Captures
• Packet Capture Stages
• Using Packet Capture Stages
• Which Capture Stages to Examine?
• Configuring Packet Captures
• Packet Capture Using the Web Interface
• Packet Capture on CLI
• Packet Capture Recommendations
• Viewing Pcaps in the CLI
• Options for Viewing Pcaps in the CLI
• Debug-Log Packet Diagnostics Features (Data Plane)
• Debug-Log Packet Diagnostics 10.1 Improvements (Data Plane)
• Daemon Packet Captures: CLI Only (Management Plane)

Lab 3: Tracing Data-Plane Packet Flow

• Open the Packet-Diagnostics File
• Trace the First Packet Through the Firewall
• Trace the Second Packet
• Trace the Content Inspection of a Packet
• Identify Firewall-Generated Packets
• Identify Other Dropped Packets and the Session End
• Reference Information

• Data-Plane Flow Logging Options
• Using the Flow-Basic Feature
• Visibility Provided by Flow-Basic Logs
• The Scope of Flow-Basic Log Output
• To Enhance Visibility
• Recommendations
• Steps for Using Flow Basic: Overview
• Using Flow Basic
• Interpreting Flow-Basic Output
• Interpreting Flow-Basic Logs
• Packet-Diagnostics Configuration: show setting Option
• Packet Correlation: view-pcap Command
• Flow Basic: Ingress Stage
• Flow Basic: Session Setup (slowpath)
• Flow Basic: Security Processing (fastpath)
• Flow Basic: Egress Stage (forwarding)
• Flow Basic: Block Page, Close Session
• Flow Basic: Block Page Responses
• Hardware Assistance and Offloading
• Hardware Session Offload to the Network Processor
• Which Traffic Can Be Offloaded?
• Troubleshooting Offloaded Traffic

Lab 4: Packet Capture

• Configure a Packet Filter
• Test Session Marking
• Configure Capture Stages
• Clear Marked Sessions
• Turn On Packet Capture and Capture Packets
• Analyze the Pcaps
• Add a Security Policy Configuration to Drop Traffic
• Reconfigure the Filter
• Capture a New Session and Download the Pcaps
• Analyze the Pcaps
• Reference Information

• What Is Host-Inbound Traffic?
• Problem Identification: Probing Questions
• Validate the Problem
• Problem Validation Method – Example: SNMP
• Host-Inbound Traffic Troubleshooting Approach
• General Approach for Feature-Specific Diagnostics
• Troubleshooting Example: VPN Traffic
• End Users Report Trouble
• Which Features Are Involved?
• VPN Troubleshooting
• Tunnel Does Not Get Established
• Tunnel Established, but There Is No Traffic
• Tunnel Establishment: Background
• System Logs
• Reading VPN Error Messages (System Log)
• System Log Errors: Prefer to Troubleshoot the Responder
• Troubleshooting from the Responder
• Troubleshooting VPN Tunnels
• Troubleshooting Example Continued: IKE
• Troubleshooting IKE Information: Web Interface
• Troubleshooting IKE Information: CLI
• Troubleshooting IKE
• Data-Plane Packet Capture for IKE (ikemgr)
• Management Plane IKE (ikemgr) Pcap
• Example Output of ikemgr.log for Phase 1 at Debug Level
• Troubleshooting Example Continued: Ipsec
• IPsec Tunnel Status: Confirm the VPN Configuration Exists
• IPsec Tunnel Status: Check Connectivity
• Phase 2 and Tunnel Status
• Troubleshooting a Specific IPsec Tunnel
• New Sample Output for IKE Phase 2 from ikmgr.log at Debug Level
• Additional CLI Commands
• Verifying Tunnels and Tunneled Traffic
• Testing the VPN
• Confirmation of VPN
• Verify Tunnel Session
• Tunneled Traffic Session
• Decrypt IKE and ESP Packets

Lab 5: Flow Basic

• Load the Lab Config File and Start the FTP Server
• Verify External Connectivity to the FTP Server
• Verify the Problem with the Internal Client
• Examine Firewall Traffic Logs and Threat Logs
• Configure the Capture Filter
• Check Counters
• Configure Packet Capture and Enable Flow Basic
• Run Packet Capture and Flow Basic Diagnostic Logging
• Interpret the Flow Basic Log and Pcaps
• Implement a Solution and Verify
• Check Logs and Enable Logging for Increased Visibility

• Identify the Traffic Type
• What Is Transit Traffic?
• Methodology
• Probing Questions
• Isolate the Problem
• Problem Resolution
• Transit Traffic Troubleshooting Progression
• Collect Information
• Monday Morning…
• First: Review the Logs
• Using Traffic Logs to Diagnose Common Issues
• Traffic Log Details
• Incorrect Application Information
• Incorrect IP and Port Addressing
• How application-default Affects Policy Matching
• Rule-Match Troubleshooting
• Applying Traffic Log Findings
• An Alternative: The Unified Log View
• Next: Session Browser
• Short Sessions
• Have Sessions but No Logs
• Getting Traffic Logs
• Use Counters
• Receiving Traffic but Have No Sessions
• What to Look for in Global Counters
• Using the Packet Filter with Global Counters
• Using the Delta Option with Global Counters
• Filter Global Counters with a String
• Example Scenarios
• Use PCAPs and Packet Diagnostics
• Need Proof of Traffic or Additional Information

Lab 6: Host-Inbound Traffic

• VPN Traffic—Case A
• Verify the Problem
• Check Routing and Security Policy Rules
• Stop! Try a Top-Down Approach Instead
• Check the Health of the VPN Tunnel
• Initiate the VPN Connection from the Remote Network
• Troubleshoot the VPN Connection as the Responder
• Check Proxy ID Settings and Correct the Problem
• Verify the Solution
• Host-Inbound VPN Traffic—Case B
• Apply a Baseline Configuration to the Firewall
• Verify the Problem with SFTP Access to the Web Server
• Review the Traffic and System Logs
• Check the High-Level Health Indicators for the Tunnel
• Troubleshoot as the Responder
• Reset the Pre-Shared Key and Verify Functionality
• (Optional) Cause the Firewall to Initiate the Connection

• What Are Performance Issues?
• Probing Questions for Performance Issues
• Performance Troubleshooting Progression
• Baseline Service Performance
• System Counters
• Overview of System Services (Daemons)
• System Services (Daemons)
• Example Service Log Listing (PA-220)
• Management-Plane Services
• Service (Daemon) Log Data
• Debug Log Levels
• Show Current Log Levels
• Example Debug Log Levels
• Setting Debug Log Levels
• Why Change the Log Level of a Service?
• To Reset Debug Log Levels
• Gathering More Data
• How to Monitor Daemons
• Web Interface Tools: Dashboard and System Logs
• To Review Service Log Files
• Display Statistics on the Management Plane
• Using the show system resources follow Command
• Restarting Processes (Daemons)
• Data-Plane Crash

Lab 7: Transit Traffic—App-ID and Torrents

• Attempt to Connect to Torrent Sites
• Examine Traffic Logs and App-ID Results
• Enable Traffic
• Set the Matching Policy Rule to “Deny” and Test
• Create a Policy Rule to Block Torrents
• Add File Blocking to the Security Profile Setting
• Transit Traffic—Blocking Tor
• Lab Challenge and Checklist
• Lab Solution: Security Policy to Block Tor App-ID
• Lab Solution: Use Application Filters
• Lab Solution: Block Risky URL Categories
• Lab Solution: Deny Unknown Applications
• Lab Solution: Blocking Untrusted and Expired Certificates with a Decryption Profile
• Lab Solution: Create Decryption Profile for Decrypted Traffic
• Lab Solution: Use an External Dynamic List (EDL)

• Troubleshooting SSL Decryption
• Decryption Policy Rule Types
• Review of SSL Decryption Configuration
• That Monday Morning Phone Call…
• Probing Questions
• Troubleshooting Progression for SSL Decryption
• Troubleshoot SSL Session Terminations
• SSL Decryption Troubleshooting
• Displaying Troubleshooting Statistics
• Basic Decryption Troubleshooting Steps
• Troubleshoot Potential Performance Issues
• Decryption Failures and Unsupported Applications
• SSL Decryption Exclusion List
• Decryption Failures
• Unsupported Mode and Failure Checks
• External Factors That Complicate SSL Decryption
• Certificate Pinning (HPKP)
• ECDHE Application and Security Impact
• App-ID-Based Issues

Lab 8: System Services

• Check Running Services
• Review the Logs for a Specific Service
• Change the Debug Level for a Service
• Restart a Service
• Restart a Service and Monitor a Data-Plane Session
• Investigate the Event

• User-ID Mapping Flow
• User-ID Purpose
• User-ID Components
• User Mapping Methods
• User-ID Agent Flow
• User-ID Troubleshooting Progression
• User-ID Agent
• Troubleshooting Connectivity: Logs
• User-ID Agents Connection Status: Firewall Web Interface
• User-ID Agent Connection Status: Firewall CLI
• User-ID Agent Connection Status: Local User Interface
• Enable Debug-Level Logging on the User-ID Agent
• User-ID Agent Debug Log
• Forwarding User-ID Agent Logs
• User Mappings Not Present
• No Source User in Sessions
• Requirements for Extracting Server Information
• User-ID Agent User Identification Timeout
• User-ID Agent Client Probing
• Reminder: AD Versus LDAP
• User Mappings
• IP-to-User Source Mapping Type
• IP-to-User Mapping for AD
• IP-to-User Mapping
• debug user-id reset Commands
• Modifying the User Cache
• View IP Mappings on the Agent
• Group Mapping
• Display User-Group Mapping State
• Display User-Group List
• Display User-Group Membership
• Display User-Group Relationship
• Display User Username and Group Mappings
• Debug Commands for Group Mapping
• Group Mapping Statistics
• User-ID Group Recommendations
• Multiple Domain Configuration
• Integrated User-ID Agent
• User-ID Log Files
• To Enable IP-to-User mapping
• Integrated Agent Connection Status: Web Interface
• Integrated Agents Connection Status: CLI
• Potential User-ID Agent Configuration Issues
• User-ID Agent Best Practices
• Authentication Policy
• Configuration Checklist
• Authentication Policy Troubleshooting Progression
• User-ID Troubleshooting Steps
• Authentication Policy
• Verify Authentication Policy
• Test User Authentication
• Use Captive Portal Redirect Mode When Possible
• RADIUS and Captive Portal
• Multi-Factor Authentication
• Authentication Logs for MFA
• CLI Test for MFA Vendor Connectivity
• Example IP-User Mapping for MFA-Enabled Authentication Policy
• Example authd.log Events for MFA
• Diagnostic Information via the Automated Correlation Engine*

Lab 9: SSL Decryption

• Verify the Functionality of SSL Decryption
• Create a Tag and a Dynamic Address Group
• Create a Decryption Policy Rule
• Create Custom Vulnerability Signatures
• Configure a Log Forwarding Profile
• Configure a Vulnerability Protection Profile to Generate Alerts
• Add the Log Forwarding Profile to a Security Policy Rule
• Test the Configuration and Confirm Results

• Common GlobalProtect Issues
• GlobalProtect Troubleshooting
• Probing Questions
• GlobalProtect Troubleshooting Progression
• Configuration Checklist
• GlobalProtect Logs and Certificates
• GlobalProtect Logs
• CLI GlobalProtect Commands
• Troubleshooting Authentication
• Verify Connection via CLI
• User GlobalProtect Agent Logs: Collecting Logs
• GlobalProtect Agent Log Collection
• GlobalProtect Certificates

Lab 10 – No User-ID Names in Logs

• Diagnose and Fix the Problem
• Reference Information
• Lab Solution: Enable User-ID on the Correct Zone
• Lab Solution: Fix the LDAP Server Profile
• Lab Solution: Verify the Solution with Traffic Logs

• Case Management
• Essential Case Information
• Create Your Case Online
• Severity Level Definitions
• Opening a Support Case: Customer Support Portal
• Opening a Support Case: LIVE Community
• Support Section Within the Firewall
• Support Entitlement Summary
• Opening a Support Case: Step 1
• Opening a Support Case: Step 2
• Opening a Support Case: Step 3
• Opening a Support Case: Step 4
• Opening a Support Case: Step 5
• Hardware failure and return merchandise authorizations (RMAs)
• RMA Process
• Dead on Arrival (DOA)
• Field-Replaceable Units (FRUs)
• Escalation and Support Events
• Contact Technical Support or Account Manager?
• Request a Support Event

Lab 11: Troubleshooting GlobalProtect

• Download the GlobalProtect Agent
• Connect to the External Gateway
• Disconnect the Connected User

Appendix A – CLI Primer

• Scope and Structure of the CLI Objectives
• Functional Introduction to the CLI
• CLI Command Modes
• Autocomplete
• Other Shortcuts
• Exploring Command Parameters
• Operational Mode: Types of Commands
• Searching for Commands
• Configuration Mode: Navigation of the Configuration Hierarchy
• Configuration Mode: Using edit, set, and delete
• Configuration Mode: edit Examples
• Configuration Mode: set, show, delete Examples
• Invalid Syntax
• Displaying and Navigating Data Objectives
• Filtering the Display of Data
• Data Displayed Through less
• Tips for the less Command
• CLI Configuration Display Formats
• Copy and Paste set Commands to Replicate Configuration Elements
• Common CLI Tasks
• Reference Guide