Palo Alto Firewall Software and Hardware Matrix:

1. Palo Alto Networks Next-Generation Firewalls Software Matrix:

2. Palo Alto Networks Appliances:

3. Palo Alto Associated Software and Content Versions:

4. Palo Alto Software end of life Summary:

5. Palo Alto HA and Processor Support:

Wide IP’s are down due to Device Certificate expiration on F5 Link Controller:


Wideip’s will go down due to F5 device internal device certificate expiration.


DeviceA alert gtmd[13073]: 011ae0f3:1: SNMP_TRAP: big3d SSL cert EXPIRED at IP
Device A err gtmd[13073]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (336134278)
Device A alert gtmd[13073]: 011ae0f3:1: SNMP_TRAP: big3d SSL cert EXPIRED at IP


Internal F5 device certificates are expired



  1. Login to the standby F5 device
  2. Go to System  ››  Device Certificates : Device Certificate
  3. Click on Renew
  4. Update valid for 3650 days (according to your requirement)
  5. Click Finished

Perform steps from 1 to 5 on active device.

B. Now login into the active device through CLI and perform the below steps.

bigip_add < peer IP>

bigip_add script uses the SSH protocol to exchange iQuery SSL certificates with the remote BIG-IP system

The bigip_add script appends the local BIG-IP DNS system’s SSL certificate to the remote BIG-IP system’s list of authorized certificates.


Now login into the sandby device through CLI and perform the below steps.

bigip_add < peer IP>

Once internal device certificates are exchanged, wideip’s will come to available status.








AWS – Copy S3 buckets from one account to another:

Steps to perform S3 buckets from one account to another is mentioned below:

1.    Attach a bucket policy to the source bucket in Account A.

2.    Attach an AWS Identity and Access Management (IAM) policy to a user or role in Account B.

3.    Use the IAM user or role in Account B to perform the cross-account copy.


Attach a bucket policy to the source bucket in Account A:

1.    Get the Amazon Resource Name (ARN) of the IAM identity (user or role) in Account B (destination account).

2.    From Account A, attach a bucket policy to the source bucket that allows the IAM identity in Account B to get objects, similar to the following:

Important: For the value of Principal, replace arn:aws:iam::11111111111:user/Jane with the ARN of the IAM identity in Account B.

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "DelegateS3Access",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:user/Jane"},
            "Action": ["s3:ListBucket","s3:GetObject"],
            "Resource": [

Attach an IAM policy to a user or role in Account B

1.    From Account B, create an IAM customer managed policy that allows an IAM user or role to copy objects from the source bucket in Account A to the destination bucket in Account B. The policy can be similar to the following example:

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": [
            "Resource": [
            "Effect": "Allow",
            "Action": [
            "Resource": [

2.    Attach the customer managed policy to the IAM user or role that you want to use to copy objects between accounts.

Use the IAM user or role in Account B to perform the cross-account copy:

After you set up the bucket policy and IAM policy, the IAM user or role in Account B can perform the copy from Account A to Account B. Then, Account B owns the copied objects.

To synchronize all content from a source bucket in Account A to a destination bucket in Account B, the IAM user or role in Account B can run the sync command using the AWS Command Line Interface (AWS CLI):

aws s3 sync s3://awssourcebucket s3://awsdestinationbucket

Disable non-working F5 Viprion blade

You can perform F5 viprion blade disable activity in two ways.

Disabling through CLI:

  1. Log in to the command line
  2. Set the VIPRION blade to Disabled by using the following command syntax:tmsh modify sys cluster default members { <slot number> { disabled } }

    For example:

    tmsh modify sys cluster default members { 2 { disabled } }


3. Set the VIPRION interfaces to Disabled by using the following command syntax:

            tmsh modify net interface <slot number>/<interface> disabled

For example:

            For single interface

             tmsh modify net interface 2/1.1 disabled

            For multiple interfaces

            tmsh modify net interface 2/1.1 2/1.2 disabled

Webui Method:

  1. Log in to the Configuration utility by connecting to the floating management IP address of the cluster.
  2. Navigate to System Clusters Properties.
  3. Select the box next to the desired slot.
  4. Click Disable/Yield.


Checkpoint Services

Checkpoint  important services are mentioned below.

  1. FWM
  2. FWD
  3. CPD
  4. CPCA

1.FWM  Tasks:

  • Serving the GUI clients
  • Database Tasks (Rules, objects, users etc..)
  • Collecting status from different firewalls
  • Policy compilation

2. FWD  tasks:

  •     Receiving the logs on port 257

3. CPD (Checkpoint Daemon) Tasks:

  • SIC
  • Loading policy
  • Status collections (AMON)

4. CPCA (Checkpoint certification Authority)

  • SIC certificate pulling
  • Certificate enrollment
  • CRL fetch
  • Admin WebUI




To obtain the Cluster members information, type the following command:

      tmsh show sys cluster
[root@vhost:/S1-green-P:Active:Standalone] config # tmsh show sys cluster

Sys::Cluster: default
Availability            available
State                   enabled
Reason                  Cluster Enabled
Primary Slot ID         1
Primary Selection Time  07/23/17 22:01:49

| Sys::Cluster Members
| ID  Address      Availability  State    Licensed  HA      Clusterd  Reason
| 1  available     enabled  true      active  running   Run
| 2  available     enabled  true      active  running   Run
| 3  available     enabled  true      active  running   Run
| 4  available     enabled  true      active  running   Run


To obtain the configured vCMP guest information, type the following command:
tmsh show vcmp guest

[root@vhost:/S1-green-P:Active:Standalone] config # tmsh show vcmp guest

Name      Slot ID Status  Requested   Request  Retries  Uptime  Comment
State  Complete
test1          3  running   deployed      true        0  07/23/17 22:18:16
test2          4  running   deployed      true        0  07/23/17 22:19:41
test3        1  running   deployed      true        0  07/24/17 19:24:16
test4        2  running   deployed      true        0  07/24/17 19:29:25
vguest1        3  running   deployed      true        0  07/24/17 19:28:49
vguest2        4  running   deployed      true        0  07/24/17 19:28:49  


To access the vGuest console you  may run the following command. 

        vconsole <guest name> <slot#> 
[root@vhost:/S1-green-P:Active:Standalone] config # vconsole guest 1
Connected to
Escape character is ‘^]’.

BIG-IP 12.0.0 Build 0.0.606
Kernel 2.6.32-431.56.1.el6.f5.x86_64 on an x86_64 login:
[root@guest1:/S1-green-P:Active:Standalone] config #

SSH into a specific slot:
ssh <slot number>

[root@guest1:/S1-green-P:Active:Standalone] config # ssh slot2

Forcing a Primary blade to Secondary

  1. Locate the primary slot# by running
    tmsh show sys cluster
  2. Disable the primary slot with the following command:
    tmsh modify sys cluster default members { 2 { disabled } }
    From the above command, the primary slot# is “2”

Shutting Down and Restarting a single VIPRION Blade

Restarting, powering off, and powering off VIPRION Blades can be done via the following commands:

  1. Reboot a single blade:
    bladectl -b <blade#> -r
    Example: bladectl -b 2 -r
  2. Power Down a single blade
    bladectl -b <blade#> -p 0
    Example bladectl -b 2 -p 0
  3. Power On a single blade
    bladectl -b <blade#> -p 1
    Example: bladectl -b 2 -p 1

Checkpoint Model List-2

P-30-00                       Power-1 11000
P-20-00                       Power-1 9070 Appliance
P-10-00                       Power-1 5075 Appliance
P-10-00                       Power-1 5070 Appliance
S-10-00                        Smart-1 5
S-20-00                        Smart-1 25
S-21-00                        Smart-1 25B
S-30-00                        Smart-1 50
S-40-00                        Smart-1 150
ST-5-00                        Smart-1 205
ST-10-00                      Smart-1 210
ST-25-00                      Smart-1 225
ST-50-00                      Smart-1 3050
ST-150-00                    Smart-1 3150
U-40-00                        Smart-1 3070
ST-105-00                    Smart-1 405
ST-110-00                     Smart-1 410
ST-425-00                     Smart-1 525
ST-4050-00                   Smart-1 5050
ST-4150-00                   Smart-1 5150
T-181-00                       TE250
P-231-00                       TE1000
P-371-00                       TE2000
TT-10-00                       TE100X
TT-20-00                       TE250X
TT-30-00                       TE1000X
TT-40-00                       TE2000X
U-31-00                         IPS-1 2076
P-11-00                          IPS-1 5076
P-21-00                          IPS-1 9076
P-22-00                          DLP-1 9571
U-42-00                          DLP-1 2571
L-50                                       Security Gateway 80
L-50                                       Check Point 600
S2 (SMB)                             Check Point 700
L-50                                      Check Point 1100
L-61i                                     Check Point 1200R
S1 (Enterprise)                Check Point 1430 / 1450
S2 (Enterprise)                 Check Point 1470 / 1490
L-71                                     Check Point 1430/1450
L-71W                                Check Point 1430/1450 WiFi
L-72                                    Check Point 1470/1490
L-72W                               Check Point 1470/1490 WiFi
L-72P                                 Check Point 1470/1490 PoE

Checkpoint DMI List -Part-1

Appliance UTM-1
U-40-00                        UTM-1 3070 Appliance
U-30-00                        UTM-1 2070 Appliance
U-20-00                        UTM-1 1070 Appliance
U-15-00                        UTM-1 570 Appliance
U-15-01                        UTM-1 570 Appliance
U-10-00                        UTM-1 270 Appliance
U-5-00                          UTM-1 130 Appliance
T-180-00                       UTM-1 4800
T-160-00                       UTM-1 4600
T-140-00                       UTM-1 4400
T-120-00                       UTM-1 4200 2012 Appliance
T-110-00                       UTM-1 2200 2012 Appliance
C6P_UTM                      UTM-1 2050 Appliance
C6_UTM                        UTM-1 1050 Appliance
C2_UTM                        UTM-1 450 Appliance


Appliance 2012
G-50                             Appliance 21400
G-70                             Appliance 21600
G-72                             Appliance 21700
G-75                             Appliance 21800
P-380-00                      Appliance 13800
P-370-00                      Appliance 13500
P-231-00                      Appliance 12600
P-230-00                      Appliance 12600
P-220-00                      Appliance 12400
P-210-00                      Appliance 12200


PB-05-00                     Appliance 3100
PB-10-00                     Appliance 3200
PB-15-00                     Appliance 5100
PB-20-00                     Appliance 5200
PL-10-00                     Appliance 5400
PL-20-00                     Appliance 5600
PL-30-00                     Appliance 5800
PL-40-00                     Appliance 5900
PH-20-00                    Appliance 15400
PH-30-00                    Appliance 15600
PD-10-00                    Appliance 23500
PD-20-00                    Appliance 23800



Export F5 SSL certificate and Key files to PFX format:

Step 1 :

Copy the designated website ssl certificate and key files to the tmp folder

SSL cert location:


Key location:


Step 2 :

Impact of procedure: There will be no impact to the system with the below procedure.

  1. Log in to the BIG-IP command line.
  2. Copy the certificate file to the /var/tmp directory

   cp /config/filestore/files_d/Common_d/certificate_d/<Certificate-Filename> /var/tmp/<Destination-Filename>

3. Copy the key file to the /var/tmp directory

cp /config/filestore/files_d/Common_d/certificate_key_d/<Key-Filename> /var/tmp/<Destination-Filename>

4. verify the files using the below command

ls -las /var/tmp/<Destination-Filename>

Step 3 :

To export the certificate/key pair to PFX format, perform the following procedure:

Export the certificate/key pair to PFX format to /var/tmp/certificate.pfx using the following command syntax:

openssl pkcs12 -export -out /var/tmp/<PFX -CertificateName> -inkey /var/tmp/<Key-Filename> -in /var/tmp/<Certificate-Filename>

For example, to export the certificate test.crt and key test.key copied in the previous procedure, type the following command:

openssl pkcs12 -export -out /var/tmp/certificate.pfx -inkey /var/tmp/test.key -in /var/tmp/test.crt

The exported PFX file is named /var/tmp/certificate.pfx.