General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Discover LIVEcommunity Through Our New Animated Explainer Video!

We’re thrilled to unveil a brand-new animated video that highlights everything LIVEcommunity has to offer! This short and engaging video gives you a quick tour of the many resources available in our vibrant community — from interactive discussions and customer journey guides to the Cyber Elite program and Member Spotlight features. Whether ...

kiwi by Community Team Member
  • 4135 Views
  • 0 replies
  • 0 Likes

nailing up an ipsec vpn?

I have a site-to-site IPsec VPN between two Palo firewalls. A always initiates the tunnel to B. Is there a way I can make A always keep the tunnel up even when interesting traffic is not present?

Interzone default deny rule with logging is allowing traffic and shows up in traffic logs

We have a PA-3220 which is running 10.2.4 PAN-OS. We observed something really weird in the traffic logs this morning, which shows 'ms-rdp' connections being allowed through the default interzone deny rule, which we re-verified is still set to 'deny', and no one really touched the rule. This is really freaking us out. Any insight on w...

Akhil_B by L2 Linker
  • 9748 Views
  • 7 replies
  • 0 Likes

IPSec Child-SA rekey negotiation fails

Our customer encounters an intermittent connectivity issue with IPSec IKEv1 during phase 2 rekey of the IPSec Child-SA. We opened a case with the IPSec peer device vendor; they mention that PAN is not sending a message to R2011 (IPSec peer) to delete the SA when the SA negotiation fails. Summary of issue: On IPsec PA-850 peer device log, it shows IKE ph...

Configure L2 service on Active-Active Mode

I'm using a PAN-PA-3220. We want to set up this model with: 1. HA (active-active) 2. Interface configuration using Layer 2 configuration. Is it possible to do it? When I try to create a Layer 2 configuration, it always pops up the error "Layer 2 unable to configure due to HA in active-active mode". Can you suggest any ways to do it? *ps: c...

Hazzuan by L0 Member
  • 1561 Views
  • 1 replies
  • 0 Likes

SSO not working properly

I have just set up SSO in our new eng Panorama. When I tested it initially it gave me the error message "Error Displaying SAML error response page". I reached out to our team and it was noticed that the new SAML app had fewer claims and attributes than the already existing SAML app for our prod Panorama. So we modified the settings of the new sam...

Bumenang by L1 Bithead
  • 4587 Views
  • 1 replies
  • 1 Likes

Resolved! Moving some connections to the New PA

We have this setup for one site: ------Dis sw--------------Edge switch stack of 3 ----------40 users. We need to move a few users behind the PA. What would be the best design for this, as we only need to have 5 to 10 users behind the PA 850? Should we connect a small switch to the existing stack of switches?

MP18 by Cyber Elite
  • 7964 Views
  • 15 replies
  • 0 Likes

Certificate delete

Hi, I have a problem deleting a certificate. It shows the error: Failed to delete Certificate - CaptivePortal. CaptivePortal cannot be deleted because of references from: I looked at the SSL/TLS service profile list and it does not show any profiles. Please help me.

btadmin by L1 Bithead
  • 2290 Views
  • 6 replies
  • 0 Likes

Resolved! Configuring multiple DHCP scopes via single layer 3 interface

Hi All, I am running a PAN-OS 10.1.0 VM image. Devices are connected as mentioned below. Firewall E1/2 ---> L3 switch ---> Vlan 10, Vlan 20. I would really appreciate it if someone can tell me how to configure two DHCP scopes for Vlan 10 and Vlan 20 in the PA firewall, because once I configured one scope under E1/2, for the second scope E1/2 is not appearin...

Clarification regarding vsys function and network isolation

Hello, After reading about and looking through documentation regarding vsys, and routing between vsys on the same firewall via use of external zones, as well as the vsys<>VR association, I have a few questions I would like to clarify if possible: 1. If I have two vsys that share one virtual router, by default, will they be able to send traff...

Resolved! Prisma Cloud Workload Protection

Hello, I'm playing with the API to get hosts' vulnerabilities and images' vulnerabilities in Prisma Cloud (CWPP) (documentation: https://pan.dev/prisma-cloud/api/cwpp/get-images/) Following the documentation (which is great by the way) I noticed there is a note for some endpoints « Note: The API rate limit for this endpoint is 30 requests per mi...

Resolved! PA-3220 keeps shutting down to suspended state - can't enter maintenance mode to reset to factory

I have a PA-3220 that was likely formerly part of an HA pair. This device was the passive device and the other 3220 that was part of the pair is gone, so I'm trying to factory reset this device. When I start up the system it boots to the login screen but it will not accept my password. After a couple of tries, the device shuts down with a message...

Proxy SG to Palo alto policy migration

Hi, Is there any automation tool through which we can migrate all our proxy SG policy rules, objects and object groups to Palo Alto? Or else, if there is any alternate option, then please let me know.

Global Protect Linux and Strongswan

I had to test an IPSec connection on Linux using strongSwan as part of a support case I was working on, and I collected a lot of good information on how to get this working. So I thought I would share it with you. Tested on PANOS 7.1.2, Ubuntu 16.04, Strongswan 5.3.5-1. Install Ubuntu Desktop or CentOS into a VMware environment and then install Strongs...

Davyboy by L1 Bithead
  • 14112 Views
  • 4 replies
  • 3 Likes

Cortex XDR agent change managing server

Hi All, Looking for the best way to migrate Cortex XDR agents to a new tenant in bulk. I have downloaded all the hostnames in Excel format, and when I try to paste them into the XDR console filter section it doesn't work. Please comment.

  • 24340 Posts
  • 124 Subscriptions