With the default LDAP settings on a Palo Alto firewall, failing over from one LDAP server to another may not work correctly. You need to tune the LDAP timers and retry intervals down to a lower level. The settings I used are:
- Time Limit: 3
- Bind Time Limit: 4
- Retry Interval: 900
The official doc is found here: https://live.paloaltonetworks.com/docs/DOC-7420
I followed the steps HERE to perform an upgrade from 6.0.4 to 6.0.6 successfully. To summarize, the steps are:
- On the active firewall (fw1), log into the CLI and enter: request high-availability state suspend. This forces a failover to the secondary firewall (fw2). I lost 2 pings during the failover.
- Install the new PAN-OS on fw1, and reboot when requested.
- Once fw1 has rebooted, log into the CLI and enter: show jobs all to verify that the auto commit has completed (it should show FIN OK). Then log into the web GUI and verify that the HA state of fw1 is Passive.
- Now log into fw2 (currently the active firewall) and force a failback to fw1 with: request high-availability state suspend. I lost 0 pings during the fail-back.
- Install the new PAN-OS on fw2, and reboot when requested.
- From the web GUI of fw1, monitor the HA state and verify that fw2 comes back up in Passive mode.
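The FIN OK check in the third step is easy to get wrong when a box has several jobs queued, so here is an added Python example (my own, not Palo Alto's code) that parses pasted `show jobs all` output and only reports success when the most recent AutoCom job is FIN / OK. The sample output and its column layout are constructed assumptions; adjust the regex if your PAN-OS version prints the table differently.

```python
import re
from dataclasses import dataclass

# Constructed sample of `show jobs all` output (not captured from a real device).
# The column layout is an assumption modelled on the command's tabular output.
SAMPLE_JOBS = """\
Enqueued            Dequeued      ID    Type         Status Result Completed
--------------------------------------------------------------------------------
2014/10/01 09:12:05 09:12:05      1     AutoCom      FIN    OK     100%
2014/10/01 09:14:30 09:14:30      2     Downld       FIN    OK     100%
2014/10/01 09:20:11 09:20:12      3     Commit       ACT    PEND    45%
"""

@dataclass
class Job:
    job_id: int
    job_type: str
    status: str
    result: str
    completed: int

# date time dequeued-time id type status result completed%
JOB_LINE = re.compile(r"^\S+ \S+\s+\S+\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)%\s*$")

def parse_jobs(text):
    """Return one Job per data row; header and separator rows do not match."""
    jobs = []
    for line in text.splitlines():
        m = JOB_LINE.match(line)
        if m:
            jobs.append(Job(int(m.group(1)), m.group(2), m.group(3),
                            m.group(4), int(m.group(5))))
    return jobs

def autocommit_ok(text):
    """True only if the newest AutoCom job (highest ID) finished with result OK."""
    autocom = [j for j in parse_jobs(text) if j.job_type == "AutoCom"]
    if not autocom:
        return False          # no auto commit seen yet: do not fail back onto this box
    latest = max(autocom, key=lambda j: j.job_id)
    return latest.status == "FIN" and latest.result == "OK"

def pending_jobs(text):
    """IDs of jobs that have not reached FIN, so you can wait before the next step."""
    return [j.job_id for j in parse_jobs(text) if j.status != "FIN"]

if __name__ == "__main__":
    print("auto commit ok:", autocommit_ok(SAMPLE_JOBS), "pending:", pending_jobs(SAMPLE_JOBS))
```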
Useful commands for checking HA status from the CLI:
>show high-availability all
>show high-availability state
>show high-availability link-monitoring
>show high-availability path-monitoring
Configuring High Availability: https://live.paloaltonetworks.com/docs/DOC-2926
After enabling HA, the interfaces on the firewall switch from using the interface MAC address to a virtual MAC address. In my case, the Palo Alto updated the MAC address on connected devices, except for the loopback interfaces. I had to clear the ARP table of my internet edge routers to update the MAC of the loopbacks (I’m terminating GlobalProtect on the loopback interfaces).
More information regarding the MAC address change can be found here: https://live.paloaltonetworks.com/docs/DOC-4144
Two quick commands to see who is currently logged in, and who logged in previously:
>show global-protect-gateway current-user
>show global-protect-gateway previous-user
You can also specify the username with each command to see specific results.
If you want to force a user logout (from my testing, the user will not see a notification that they have been logged out):
>request global-protect-gateway client-logout domain yourdomain reason force-logout computer computername gateway gatewayname user username
These commands will help troubleshoot and resolve issues with AD groups on your PAN device.
- show user group list
  - Shows every AD group added to the PAN firewall
- show user ip-user-mapping all (or a specific user)
  - Shows the user-to-IP address mapping
- show user group-mapping state all
  - Gives more detailed statistics than the command above
- show user group name “???”
  - Shows the user members of the specified group
- debug user-id reset group-mapping all
  - Re-pulls the user-to-group mapping from AD
- debug user-id refresh user-id agent all
  - Refreshes all user-to-IP mappings
- debug software restart user-id (this command is usually not needed)
  - Restarts the User-ID service