Discussions
Check out LIVEcommunity discussions to find answers, get support, and share knowledge related to Palo Alto Networks tools and products.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Discussions
Check out LIVEcommunity discussions to find answers, get support, and share knowledge related to Palo Alto Networks tools and products.

Browse the Community

General Topics

Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

24404 Posts

Custom Signatures

The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.

176 Posts

VirusTotal

Have you encountered a false positive verdict for Palo Alto Networks (Known Signatures) on VirusTotal? Use this forum to submit a verdict change request. Change requests should include the File Hash, Link to VirusTotal report, current VirusTotal verdict, and description.

803 Posts

Network Security

Post questions, provide answers, share best practices, and connect with peers and experts in this area dedicated to all things Network Security.

5187 Posts

Cloud Delivered Security Services

Post questions, provide answers, share best practices, and connect with peers and experts in this area dedicated to Palo Alto Networks’ Cloud Delivered Security Services.

655 Posts

Secure Access Service Edge

Post questions, provide answers, share best practices, and connect with peers and experts in this area dedicated to Prisma Access and Prisma SD-WAN.

574 Posts

Security Operations

Post questions, provide answers, share best practices, and connect with peers and experts in this area dedicated to Cortex XDR, XSOAR, and Xpanse discussions.

4594 Posts

Activity in Discussions

Possible false-positive spike: Threat ID 99951 Inline Cloud Analyzed CMD Injection Traffic Detection

Hi all, Is anyone else seeing a recent spike in the following Advanced Threat Prevention / Inline Cloud Analysis alert? Threat ID: 99951Threat Name: Inline Cloud Analyzed CMD Injection Traffic DetectionThreat Type: VulnerabilitySeverity: HighThreat Category: inline-cloud-exploit We started seeing a sharp increase in this detection shortly af...

IDS Alerts

Hi, I have been by auditors to submit IDS log alerts from Panorama, i know the best practice is to use Microsoft Sentinel. Has anyone done directly using Panorama and which severity is selected to minimize impact on the smtp server.

Resolved! EDL server certificate authentication failed. A local copy of associated external dynamic list will be used

Since Saturday 7/12/2026 I've started receiving these messages on our firewall every few minutes. eventid: tls-edl-auth-failureobject:fmt: 0id: 0module: generalseverity: criticalopaque: EDL server certificate authentication failed. A local copy of associated external dynamic list will be used, so it won't impact your policy. EDL Name: Cortex I...

Set up a test Internal Gateway for User-ID logging

Hi everyone planning to set up an Internal Gateway so we can log User-ID and an internal host detection to automatically disable VPN when in the office. We are planning to set up an internal gateway strictly for a test OU to ensure that the changes we make won't disrupt the business. I set up a loopback address from a reservered dhcp(we use Palo...

RPerez481389_0-1783920681442.png
RPerez481389_1-1783920986077.png

【PrismaAccess】Regarding the Active Status of GPGW (MU-SPN)

Hello everyone! In our PrismaAccess environment, we set the number of IP address pools to twice the number of mobile user devices connecting to Prisma Access, as per the documentation below.However, the following situation occurs, and the following message is frequently displayed. "mu private ip pool allocation exceeds 85% for theater worldwide"...

Otsuka by L1 Bithead
  • 29 Views
  • 2 replies
  • 0 Likes

Unable to make GlobalProtect Changes

Hi all, We recently upgraded to 11.2 and noticed that when trying to make changes on any of our Globalprotect portals I see an "Operation Failed" and it calls out the clientless-vpn (when we don't use or have this configured). This issue is also seen at one of our branch sites, PA-1420 on same OS11.2.10-h3. Thanks

BRana_0-1783716228428.png
B.Rana by L0 Member
  • 58 Views
  • 1 replies
  • 0 Likes

Brand New Deployment - GlobalProtect vs Prisma Access Agent

About to deploy a set of 1410s and trying to get some feedback on using standard GP vs going w/ PAA? The firewalls will be managed by an on-prem Panorama VM and be using a cloud provider for SAML authentication. I think I've read PAA will support using Panorama as the front-end and a standard NGFW as the device the vpn connects on. Wanted t...

DJ_1924 by L2 Linker
  • 57 Views
  • 0 replies
  • 0 Likes

How to Query WildFire Malware Prevention Events Not Generated as Issues

Hello We are currently operating approximately 4,800 agents. During the initial deployment, a large number of false positives were generated by WildFire Malware events, so we applied an exception to prevent these events from being generated as Issues. However, we have recently received user reports of cases suspected to be blocked by this policy...

.522643 by L1 Bithead
  • 83 Views
  • 1 replies
  • 0 Likes

I just received this alert "Script Activity - 245655498" with this description "Suspicious script with keywords written in a non-standard way." in Cor

I just received this alert "Powershell Activity - 2390140751 " with this description "Suspicious script with keywords written in a non-standard way." in Cortex multiple times related to PowerShell script execution on a developer machine. The executed scripts were different and I don't know why Cortex is blocking such executions. There is also no...

PAN-OS Dark Mode

I am surprised there is not a Dark Mode. I have seen comments on using CLI and other Third Party apps to change, This can effect how the GUI is viewed. I have noticed when doing this with other apps you can miss critical info. I would say this is a feature add that needs to be made. I have issue with my eyes that the bright background makes it h...

Site to site VPN between PA & Azure || Failover / HIgh availability

We have configured two Site-to-Site VPN tunnels between our Palo Alto firewall and Azure VPN Gateway to provide redundancy and high availability. However, we are encountering an issue where we are unable to keep both VPN tunnels active simultaneously: When both VPN tunnels are up, connectivity between our on-premises environment and Azure becom...

PAN-OS 12.1.X Firewalls & Panorama Managed

Just a heads up to the community apparently there's an issue with firewalls that are 12.1.X that are configured to be managed from Panorama. Apparently PAN-322826 exists where any hardware that's Panorama managed can spontaneously suffer a hardware reload due to a "configd" memory leak. (A 4 months long case finally got us this info.) To my k...

Is 10.2.17 affected by CVE-2026-0287?

Hi, I'm looking into the new CVE-2026-0287, and I can't figure out if PAN-OS version 10.2.17 is affected.In the “Product Status” table, the following versions are listed as affected: "<10.2.7-h36, < 10.2.10-h39, < 10.2.13-h23, < 10.2.16-h9, < 10.2.18-h8“ and these others as unaffected ” >= 10.2.7-h36, >= 10.2.10-h39, >= 1...

Resolved! [SOLVED] Prisma Browser Issue "No upstream gateways available & GlobalProtect/Remote Networks Push Jobs Fails Continously"

Hello LiveCommunity Team! I created this post to share my experience regarding some Issues that recently seen on the Prisma Browser and Mobile User GlobalProtect pushed failing multiple times!We had configured Prisma Browser alongside GlobalProtect—deployed via Strata Cloud Manager (SCM) to work seamlessly; however, a few days ago, we began seei...

DanielSRomero_0-1783546154021.png
DanielSRomero_1-1783546483912.png
DanielSRomero_2-1783546809140.png
DanielSRomero_3-1783547353425.png

Cortex XSIAM broker vm

Our Cortex XSIAM agents connect to the XSIAM server exclusively via the Broker VM's local agent proxy settings applet, as direct outbound internet/server access is blocked for these endpoints. If we want our agents to auto-upgrade, do we absolutely have to enable and configure the 'Agent Installer and content caching' part of the applet on the B...