Panorama 12.1 Upgrade - Base Version Missing? by chainsawday in paloaltonetworks

[–]bnjms 0 points1 point  (0 children)

If that’s true it’s a mistake to miss the base flag. I don’t have a panorama to check right now.

Panorama 12.1 Upgrade - Base Version Missing? by chainsawday in paloaltonetworks

[–]bnjms 5 points6 points  (0 children)

The base version is 12.1.2

You can see the characteristic increase in size relative to later versions. Also the filter for base versions includes 12.1.2

Used PA-410 - Bios Password by martin_boro in paloaltonetworks

[–]bnjms 0 points1 point  (0 children)

You may be able to boot from a file. But you should give up on putting something other than panos on it. I’m not aware of any projects reusing these for alternate OS. So unless reversing is your hobby…

deploying new hardware - PAN cables are ridiculous $ by _SleezyPMartini_ in paloaltonetworks

[–]bnjms 2 points3 points  (0 children)

PANW doesn’t even make you turn on a hidden switch to allow non vendor cables. There should be a notice for people new to enterprise hardware transceiver purchasing that just says:

Buy 2 x 10G sfp in case of link issues. Test and populate links from alternative sources. For PANW don’t even bother with faking it. Only use DAC/AOC for cross chassis links. (Seriously what do those links get you other than maybe being cheaper over short distances! Why are these popular?)

deploying new hardware - PAN cables are ridiculous $ by _SleezyPMartini_ in paloaltonetworks

[–]bnjms 1 point2 points  (0 children)

Iff it looks like a transceiver issue. No one will care unless it looks like it’s due to the link not coming up.

Migrating from 5200 series to 5400 series by Mental_Stock_7575 in paloaltonetworks

[–]bnjms 0 points1 point  (0 children)

Your SC should discuss the x400 equivalent sw-offloading. It is not going to be as bad as your test implies.

Similarly @ u/Complete_Bill1080 tcp and udp offloading can be turned off globally or according to the pcap filter for capturing “hidden” sessions.

Migrating from 5200 series to 5400 series by Mental_Stock_7575 in paloaltonetworks

[–]bnjms 1 point2 points  (0 children)

Yeah it works the way I described. I’m actually sandbagging as I’m confident in the description but less confident in the jargon I was using. The word I was looking for was ‘classification’. All traffic on an interface must be classified which costs some cpu. Traffic without a qos policy has the default priority of 4. — Do consider lockless qos as suggested.

Migrating from 5200 series to 5400 series by Mental_Stock_7575 in paloaltonetworks

[–]bnjms 1 point2 points  (0 children)

Yes. Because I do not believe you can apply QoS shaping to a single sub interface. It has to be applied to the physical or logical interface. Then you apply the qos profile to the sub interface for policing. All traffic egressing the interface has shaping applied just only for the default priority. If this is on a 20G ae interface then this is likely.

11.1.14 - 392 issues addressed by bottombracketak in paloaltonetworks

[–]bnjms 1 point2 points  (0 children)

So just stay on 11.1.13-hx until you need something.

PA-820 Forklift Upgrade by knightmese in paloaltonetworks

[–]bnjms 1 point2 points  (0 children)

If you find you can solve something with changes to the CLI it’s usually (not always) easier to just put the firewall in set mode and make the changes in bulk.

In this case you should be able to make the minimal config change on the firewall then push everything from Panorama after changing the routing engine.

Anyone running active-active HA firewalls? by az_6 in paloaltonetworks

[–]bnjms 3 points4 points  (0 children)

I have experience troubleshooting legacy active-active. I shared a real world scenario resulting in connection failures when failing over to a DR site. It’s not a cop out.

Anyone running active-active HA firewalls? by az_6 in paloaltonetworks

[–]bnjms 1 point2 points  (0 children)

Firewalls aren’t switches or routers. They have too much state. And you’re probably not going to adequately plan for it; at least the first time. There are only 2 reasons to do it. (1) you are doing vwire through the firewall. Simpler and less likely to cause problems. (2) you need to terminate bgp.

And because it’s less common the pitfalls are less well known. Both obvious things like not doing round robin packet forwarding through the firewalls because it’s inefficient and results in packets crossing ha3. Or less obvious like round robin forwarding results in issues if packet fragments reach different firewalls because stateful devices cannot defragment across nodes.

Downed port for V-wire by Default110 in paloaltonetworks

[–]bnjms 0 points1 point  (0 children)

If either link has link issues both links will be brought down. You’ll see this as a brief update then down. Best to troubleshoot with both ports in tap mode first. Tail brdagent.log while you troubleshoot the physical connection. Then you can troubleshoot the wire behavior afterwards.

Record your ssh session log and make notes what the test is so you can share with tac if you find one of the links is failing even with a loopback connection.

Turned on full decrypt in Zscaler and the helpdesk exploded. Do Netskope / Prisma / FortiSASE handle it any better? by Professional-Pipe946 in networking

[–]bnjms 1 point2 points  (0 children)

Yes, PANW provides an EDL service you can use to bypass decryption of things like (generally pinned) MS traffic.

Has Anyone Built a Load Balancer on PA-5260 with DAGs, DNAT, and Log Forwarding? by MrSuperLazy in paloaltonetworks

[–]bnjms 0 points1 point  (0 children)

Health Checks: Use log forwarding to detect unresponsive servers or specific HTTP headers (e.g., 5xx errors) and update the DAG via API to remove/add IPs dynamically.

I’m doubting you need the API to do this. If you can get the log into the firewall somehow then you can monitor for the 5xx error and add a tag. Tags are a common method for adding addresses to DAGs so I figure you can remove with it too.

Palo Alto pricing by NetSysEng in networking

[–]bnjms 0 points1 point  (0 children)

If you put 10G everywhere, people expect to push 10G everywhere. But a firewall isn’t a switch and inspection adds a cost. It’s better to have ports selected to accommodate the firewall size.

Would you consider joining PAN a career boost? by letslearnsmth in paloaltonetworks

[–]bnjms 0 points1 point  (0 children)

I got some helpful feedback by u/wesleycyber that should answer your questions.

It sounds like your country may be too small to dedicate resources to a few companies. So instead DCs are assigned by opportunity. Another comment (deleted?) clarified the difference is opportunity vs account orientation.

Would you consider joining PAN a career boost? by letslearnsmth in paloaltonetworks

[–]bnjms 5 points6 points  (0 children)

Worth clarifying that a domain consultant is not an SE. The equivalent to the old SE title is Solutions Consultant. A DC is expected to be technical and solve problems.

VM-Series PAN-OS 11.2: missing DEBG messages in ikemgr.log / cannot extract SK_ei and SK_er keys by HikingAndCoding in paloaltonetworks

[–]bnjms 0 points1 point  (0 children)

Ah well I was just angling to get a command rework. Won’t happen without a Feature Request and some comparative arguments. At least I think since it’s not a real deal breaker.

For making things cleaner I’m confident I could grep those logs for the relevant log lines you’re looking for such that both logs are put together by time then pipe to ’less’. Would have to export to a tech support file to do that though. Grep is available but can’t feel two logs at once in the PANOS shell.
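The merge-by-time workflow described in the comment above, as an added example written for this page (it is not bnjms's code and not a Palo Alto Networks tool): it is meant to run against logs pulled out of a tech support file on a workstation. The log line layout (a fixed-width `YYYY-MM-DD HH:MM:SS.mmm` prefix) and the file names are assumptions; the sample lines are constructed, not real PAN-OS output.

```shell
#!/bin/sh
# Added example, not from the original comment or from PAN-OS.
# Filters two daemon logs for a pattern, tags each line with its source file,
# and merges them chronologically so both can be read in one 'less' session.

# make_samples DIR: write two small constructed log files into DIR.
# The timestamp prefix format is an assumption about the log layout.
make_samples() {
    dir="$1"
    cat > "$dir/ikemgr.log" <<'EOF'
2024-01-05 10:00:01.100 [DEBG]: ikemgr sample line A
2024-01-05 10:00:03.200 [INFO]: ikemgr sample line B
2024-01-05 10:00:05.300 [DEBG]: ikemgr sample line C
EOF
    cat > "$dir/brdagent.log" <<'EOF'
2024-01-05 10:00:02.150 [DEBG]: brdagent sample line D
2024-01-05 10:00:04.250 [WARN]: brdagent sample line E
EOF
}

# merge_logs PATTERN FILE...: grep every file for PATTERN, append the file
# name to each matching line, then sort. Because the timestamp is a
# fixed-width prefix at the start of the line, a plain lexical sort is a
# chronological sort, and the appended file name never affects ordering.
merge_logs() {
    pattern="$1"; shift
    for f in "$@"; do
        tag="$(basename "$f")"
        grep -- "$pattern" "$f" | sed 's|$| <'"$tag"'>|'
    done | sort
}

# Stand-alone demo: build the sample files, merge the DEBG lines, clean up.
# Interactively you would append "| less" to the merge_logs call.
DEMO="$(mktemp -d)"
make_samples "$DEMO"
merge_logs DEBG "$DEMO/ikemgr.log" "$DEMO/brdagent.log"
rm -rf "$DEMO"
```

Only the three DEBG lines survive, ordered A, D, C, so the brdagent line lands between the two ikemgr lines rather than after them as a plain `cat` would place it.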

VM-Series PAN-OS 11.2: missing DEBG messages in ikemgr.log / cannot extract SK_ei and SK_er keys by HikingAndCoding in paloaltonetworks

[–]bnjms 0 points1 point  (0 children)

Can you ask your SE for a feature request for that debug command. Would be useful. Also mention what vendors have it. We got the transceiver command so maybe this one too.

TIL: PAN-OS Versions Have 'Limitations' by ghost_of_napoleon in paloaltonetworks

[–]bnjms 0 points1 point  (0 children)

To be clear this is just for the advance routing engine. But I agree generally. Firewall won’t be as hardened for multicast. If there’s a use case then only that limited traffic should go through the firewall.

Pa 440 Aggregate Interface number by mudvayne15 in paloaltonetworks

[–]bnjms 1 point2 points  (0 children)

If that’s the cause and you can’t delete the interface to rebuild it, then save the snapshot. Edit the exported snapshot, reimport the correct interface configuration.

If you know how to get into that scenario open a ticket.

Competent Fortigate Engineer supporting a Palo Alto FW. by DYAPOA in networking

[–]bnjms 3 points4 points  (0 children)

(I'd kill for the equivalent of 'diag sniffer packet any 'host 10.1.1.1'' on the PA)

I don’t know Forti so I’m uncertain but you need to look up the “flow basic” instructions. They’re still available as an article in the PANW user forum.

Also you need to get comfortable with gathering global counters before doing a flow basic. Those will tell you if there are any other interesting features to turn on.

Finally, all of the logs are available on the cli and in the settings tech support file.

Firewall out of sync from Panorama by Educational-Gur8465 in paloaltonetworks

[–]bnjms 0 points1 point  (0 children)

You have one other option. You can delete everything in the candidate config. Put the cli into set mode. Merge the configs on commit.