{"id":1598,"date":"2024-09-09T22:56:04","date_gmt":"2024-09-10T03:56:04","guid":{"rendered":"https:\/\/zewwy.ca\/?p=1598"},"modified":"2024-09-09T22:56:39","modified_gmt":"2024-09-10T03:56:39","slug":"pa-vm-in-bazaar-state-by-design","status":"publish","type":"post","link":"https:\/\/zewwy.ca\/index.php\/2024\/09\/09\/pa-vm-in-bazaar-state-by-design\/","title":{"rendered":"PA VM in bazaar state&#8230; by Design"},"content":{"rendered":"<p>So today I had some weird stuff happening (Fedora Download was downloading slowly, 300 KB\/s)&#8230; I thought it was the mirror, but no matter what mirror I picked I had the same results, I asked a buddy to verify my findings and they could download Fedora with speed&#8230; Long story short, I thought maybe it was my firewall, and my colleague mentioned the same. Since this is a Lab setup it would be nice to get a perpetual license for learning purposes, but PAN clearly doesn&#8217;t work like that. I was pretty sure my license had expired, so I decided to first quickly find out what happens when a license expires: <a href=\"https:\/\/docs.paloaltonetworks.com\/pan-os\/10-1\/pan-os-admin\/subscriptions\/what-happens-when-licenses-expire\">What Happens When Licenses Expire? 
(paloaltonetworks.com)&#8230;<\/a><\/p>\n<table class=\"table colsep rowsep table-striped\">\n<tbody class=\"tbody\">\n<tr class=\"row rowsep\">\n<td class=\"entry\">\n<div>Threat Prevention<\/div>\n<\/td>\n<td class=\"entry\" colspan=\"2\">\n<div>\n<div>\n<div class=\"p\">\n<div>Alerts appear in the System Log indicating that the license has expired.<\/div>\n<\/div>\n<div class=\"p\">\n<div>\n<div>You can still:<\/div>\n<\/div>\n<\/div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Use signatures that were installed at the time the license expired, unless you install a new Applications-only\u00a0<a class=\"xref\" title=\"\" href=\"https:\/\/docs.paloaltonetworks.com\/pan-os\/10-1\/pan-os-upgrade\/software-and-content-updates\/app-and-threat-content-updates.html\" target=\"_blank\" rel=\"noopener\" data-scope=\"external\" data-format=\"html\" data-type=\"\">content update<\/a>\u00a0either manually or as part of an automatic schedule. If you do, the update will delete your existing threat signatures and you will no longer receive protection against them.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Use and modify Custom App-ID\u2122 and threat signatures.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<div class=\"p\">\n<div>\n<div>You can no longer:<\/div>\n<\/div>\n<\/div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Install new signatures.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Roll signatures back to previous versions.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Good to know, nothing that would cause the issue I&#8217;m experiencing&#8230;.<\/p>\n<table class=\"table colsep rowsep table-striped\">\n<tbody class=\"tbody\">\n<tr class=\"row rowsep\">\n<td class=\"entry\">\n<div>DNS Security<\/div>\n<\/td>\n<td class=\"entry\" colspan=\"2\">\n<div>\n<div>\n<div 
class=\"p\">\n<div>\n<div>You can still:<\/div>\n<\/div>\n<\/div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Use local DNS signatures if you have an active Threat Prevention license.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<div class=\"p\">\n<div>\n<div>You can no longer:<\/div>\n<\/div>\n<\/div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Get new DNS signatures.<\/div>\n<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>nope&#8230; and&#8230;<\/p>\n<table class=\"table colsep rowsep table-striped\" style=\"height: 2666px;\" width=\"775\">\n<tbody class=\"tbody\">\n<tr class=\"row rowsep\">\n<td class=\"entry\">\n<div>Advanced URL Filtering \/ URL Filtering<\/div>\n<\/td>\n<td class=\"entry\" colspan=\"2\">\n<div>\n<div>\n<div class=\"p\">\n<div>\n<div>You can still:<\/div>\n<\/div>\n<\/div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Enforce policy using custom URL categories.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<div class=\"p\">\n<div>\n<div>You can no longer:<\/div>\n<\/div>\n<\/div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>\n<div class=\"p\">\n<div>Get updates to cached PAN-DB categories.<\/div>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>\n<div class=\"p\">\n<div>Connect to the PAN-DB URL filtering database.<\/div>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>\n<div class=\"p\">\n<div>Get PAN-DB URL categories.<\/div>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>\n<div class=\"p\">\n<div>Analyze URL requests in real-time using advanced URL filtering.<\/div>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<div>\n<div><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<tr class=\"row rowsep\">\n<td class=\"entry\">\n<div>WildFire<\/div>\n<\/td>\n<td class=\"entry\" 
colspan=\"2\">\n<div>\n<div>\n<div class=\"p\">\n<div>\n<div>You can still:<\/div>\n<\/div>\n<\/div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Forward PEs for analysis.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>\n<div class=\"p\">\n<div>Get signature updates every 24-48 hours if you have an active Threat Prevention subscription.<\/div>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<div class=\"p\">\n<div>\n<div>You can no longer:<\/div>\n<\/div>\n<\/div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Get five-minute updates through the WildFire public and private clouds.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Forward advanced file types such as APKs, Flash files, PDFs, Microsoft Office files, Java Applets, Java files (.jar and .class), and HTTP\/HTTPS email links contained in SMTP and POP3 email messages.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Use the\u00a0<a class=\"xref\" title=\"\" href=\"https:\/\/docs.paloaltonetworks.com\/wildfire\/u-v\/wildfire-api\/submit-files-and-links-through-the-wildfire-api.html\" target=\"_blank\" rel=\"noopener\" data-scope=\"external\" data-format=\"html\" data-type=\"\">WildFire API<\/a>.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Use the WildFire appliance to host a\u00a0<a class=\"xref\" title=\"\" href=\"https:\/\/docs.paloaltonetworks.com\/wildfire\/10-1\/wildfire-admin\/wildfire-overview\/wildfire-deployments\/wildfire-private-cloud.html\" target=\"_blank\" rel=\"noopener\" data-scope=\"external\" data-format=\"html\" data-type=\"\">WildFire private cloud<\/a>\u00a0or a\u00a0<a class=\"xref\" title=\"\" 
href=\"https:\/\/docs.paloaltonetworks.com\/wildfire\/10-1\/wildfire-admin\/wildfire-overview\/wildfire-deployments\/wildfire-hybrid-cloud.html\" target=\"_blank\" rel=\"noopener\" data-scope=\"external\" data-format=\"html\" data-type=\"\">WildFire hybrid cloud<\/a>.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<tr class=\"row rowsep\">\n<td class=\"entry\">\n<div>AutoFocus<\/div>\n<\/td>\n<td class=\"entry\" colspan=\"2\">\n<div>\n<div>\n<div class=\"p\">\n<div>\n<div>You can still:<\/div>\n<\/div>\n<\/div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Use an external dynamic list with AutoFocus data for a grace period of three months.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<div class=\"p\">\n<div>\n<div>You can no longer:<\/div>\n<\/div>\n<\/div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Access the AutoFocus portal.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>View the\u00a0<a class=\"xref\" title=\"\" href=\"https:\/\/docs.paloaltonetworks.com\/pan-os\/10-1\/pan-os-admin\/threat-prevention\/learn-more-about-and-assess-threats\/assess-firewall-artifacts-with-autofocus\/autofocus-intelligence-summary.html#\" target=\"_blank\" rel=\"noopener\" data-scope=\"external\" data-format=\"html\" data-type=\"\">AutoFocus Intelligence Summary<\/a>\u00a0for Monitor log or ACC artifacts.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<tr class=\"row rowsep\">\n<td class=\"entry\">\n<div>Cortex Data Lake<\/div>\n<\/td>\n<td class=\"entry\" colspan=\"2\">\n<div>\n<div>\n<div class=\"p\">\n<div>\n<div>You can still:<\/div>\n<\/div>\n<\/div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Store log data for a 30-day grace period, after which it is deleted.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Forward logs to Cortex Data Lake until the end of the 30-day 
grace period.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<tr class=\"row rowsep\">\n<td class=\"entry\">\n<div>GlobalProtect<\/div>\n<\/td>\n<td class=\"entry\" colspan=\"2\">\n<div>\n<div>\n<div class=\"p\">\n<div>\n<div>You can still:<\/div>\n<\/div>\n<\/div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Use the app for endpoints running Windows and macOS.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Configure single or multiple internal\/external\u00a0<a class=\"xref\" title=\"\" href=\"https:\/\/docs.paloaltonetworks.com\/globalprotect\/10-1\/globalprotect-admin\/globalprotect-gateways\/globalprotect-gateway-concepts\/types-of-gateways.html#\" target=\"_blank\" rel=\"noopener\" data-scope=\"external\" data-format=\"html\" data-type=\"\">gateways<\/a>.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<div class=\"p\">\n<div>\n<div>You can no longer:<\/div>\n<\/div>\n<\/div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Access the Linux OS app and mobile app for iOS, Android, Chrome OS, and Windows 10 UWP.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Use IPv6 for external gateways.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Run\u00a0<a class=\"xref\" title=\"\" href=\"https:\/\/docs.paloaltonetworks.com\/globalprotect\/10-1\/globalprotect-admin\/host-information.html#\" target=\"_blank\" rel=\"noopener\" data-scope=\"external\" data-format=\"html\" data-type=\"\">HIP<\/a>\u00a0checks.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Use\u00a0<a class=\"xref\" title=\"\" href=\"https:\/\/docs.paloaltonetworks.com\/globalprotect\/10-1\/globalprotect-admin\/globalprotect-clientless-vpn\" target=\"_blank\" rel=\"noopener\" data-scope=\"external\" data-format=\"html\" 
data-type=\"\">Clientless VPN<\/a>.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Enforce split tunneling based on destination domain, client process, and video streaming application.<\/div>\n<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>All a bunch of nope&#8230;<\/p>\n<table class=\"table colsep rowsep table-striped\">\n<tbody class=\"tbody\">\n<tr class=\"row rowsep\">\n<td class=\"entry\">\n<div>VM-Series<\/div>\n<\/td>\n<td class=\"entry\" colspan=\"2\">\n<div><a class=\"xref\" title=\"\" href=\"https:\/\/docs.paloaltonetworks.com\/vm-series\/10-1\/vm-series-deployment\/license-the-vm-series-firewall\/what-happens-when-licenses-expire\" target=\"_blank\" rel=\"noopener\" data-scope=\"external\" data-format=\"html\" data-type=\"\">See the VM-Series Deployment Guide<\/a>.<\/div>\n<\/td>\n<\/tr>\n<tr class=\"row\">\n<td class=\"entry\">\n<div>Support<\/div>\n<\/td>\n<td class=\"entry\" colspan=\"2\">\n<div>\n<div>\n<div class=\"p\">\n<div>\n<div>You can no longer:<\/div>\n<\/div>\n<\/div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Receive software updates.<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>\n<div class=\"p\">\n<div>Download VM images.<\/div>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<div>\n<div>\n<div><\/div>\n<\/div>\n<\/div>\n<ul>\n<li class=\"li\">\n<div>Benefit from technical support.<\/div>\n<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>This is a VM series yes&#8230; so what does that link mean&#8230;.<\/p>\n<table class=\"table colsep rowsep table-striped\">\n<tbody class=\"tbody\">\n<tr class=\"row rowsep\">\n<td class=\"entry\">\n<div>VM-Series<\/div>\n<\/td>\n<td class=\"entry\" colspan=\"2\">\n<div>\n<div class=\"p\">\n<div>\n<div>You can still:<\/div>\n<\/div>\n<\/div>\n<div class=\"p\">\n<div>You can continue to configure and use the firewall you deployed prior to the license expiring with no change 
in session capacity. The firewall won&#8217;t reboot automatically and cause a disruption in traffic.<\/div>\n<\/div>\n<div class=\"p\">\n<div>However, if the firewall reboots for any reason, the firewall enters an unlicensed state. While unlicensed, a firewall supports a maximum of 1,200 sessions. No other management plane features or configuration options are restricted.<\/div>\n<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>OK&#8230; Maybe&#8230; but I&#8217;m sure a download of a single file doesn&#8217;t take over 1,200 sessions&#8230; while I did reboot the unit (cloned, power off OG, power on clone, etc)<\/p>\n<p>All other things are the same as posted above&#8230; Then I noticed some really weird things&#8230;.<\/p>\n<ol>\n<li>Checking for updates doesn&#8217;t state anything about license status, just tries and quietly fails.<\/li>\n<li>Checking support status shows &#8220;Device not found on this update server&#8221;<\/li>\n<li>Dynamic Updates do not show a &#8220;currently installed&#8221; version.\n<ol>\n<li>The current version installed with Review Policies, and review apps under action.<\/li>\n<li>The previous installed one will have the same plus a revert action.<\/li>\n<li>Downloaded one will have an install action.<\/li>\n<li>All others seen since last communication to PAN will have download<\/li>\n<\/ol>\n<\/li>\n<li>Retrieving licenses from licenses server returns &#8220;Failed to install features. 
The device is not found.&#8221;<\/li>\n<li>Finally the smoking gun&#8230; Serial Number on the Dashboard will be listed as unknown.<\/li>\n<\/ol>\n<p>So, I ended up Googling this and found not one, but TWO KBs!!!<\/p>\n<p><a href=\"https:\/\/knowledgebase.paloaltonetworks.com\/KCSArticleDetail?id=kA14u000000HBFNCA4&amp;lang=en_US%E2%80%A9\">Serial number becomes \u201cunknown\u201d after changing the instance typ&#8230; &#8211; Knowledge Base &#8211; Palo Alto Networks<\/a><\/p>\n<p>and<\/p>\n<p><a href=\"https:\/\/knowledgebase.paloaltonetworks.com\/KCSArticleDetail?id=kA10g000000PP1gCAG\">Serial number becomes \u201cunknown\u201d upon rebooting PA-VM &#8211; Knowledge Base &#8211; Palo Alto Networks<\/a><\/p>\n<p>After reading these, it all made sense&#8230; and it&#8217;s all rather dumb&#8230; to paraphrase it simply&#8230;.<\/p>\n<p>It&#8217;s due to DRM: the DRM derives the serial number from two IDs, CPUID and UUID&#8230; and when you migrate a PAN VM the CPU is different because of the different host it resides on&#8230; this in turn breaks the licensing.<\/p>\n<p>*Standing Ovation*<\/p>\n<p>What&#8217;s PAN&#8217;s solution&#8230; Open a support ticket&#8230; that&#8217;s right.. instead of coming up with a technical solution to make DRM work while still retaining the ability to migrate the VM (The most important and valuable reason why you want to run it as a VM anyway)&#8230;.<\/p>\n<p>Instead of having a way to edit the CPUID and UUID in the PAN portal to fix this yourself&#8230;..<\/p>\n<p>No, they want you to waste their tech support personnel&#8217;s time&#8230;.<\/p>\n<p>This &#8230;.. IS&#8230;&#8230;. 
DUMB!!!!!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So today I had some weird stuff happening (Fedora Download was downloading slow, 300 KB\/s)&#8230; I thought it was the mirror, but no matter what mirror I picked I had the same results, I asked a buddy to verify my findings and they could download Fedora with speed&#8230; Long story short, I thought maybe it &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/zewwy.ca\/index.php\/2024\/09\/09\/pa-vm-in-bazaar-state-by-design\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;PA VM in bazaar state&#8230; by Design&#8221;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"sfsi_plus_gutenberg_text_before_share":"","sfsi_plus_gutenberg_show_text_before_share":"","sfsi_plus_gutenberg_icon_type":"","sfsi_plus_gutenberg_icon_alignemt":"","sfsi_plus_gutenburg_max_per_row":"","footnotes":""},"categories":[6,127,8],"tags":[466,467],"class_list":["post-1598","post","type-post","status-publish","format-standard","hentry","category-networking","category-palo-alto-networks","category-server-administration","tag-drm","tag-dumb"],"_links":{"self":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1598","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/comments?post=1598"}],"version-history":[{"count":2,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1598\/revisions"}],"predecessor-version":[{"id":1600,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1598\/revisions\/1600"}],"wp:attachment":[{"hr
ef":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/media?parent=1598"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/categories?post=1598"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/tags?post=1598"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}