When to use zone type Tunnel

I am setting up a lan to lan tunnel between my palo alto firewall and another palo alto device.  When I look at the documentation online, they suggest I create a new zone and set the type to "layer3".  But I also see a type "Tunnel" in there.  I woul

User Mapping - Server Monitoring Issue

I am currently having an issue with the Server Monitoring.

When I add the DC to this section then under Type: Microsoft Active Directory I want to use the Transport Protocol WinRM-HTTPS but it is only showing WMI and is greyed out.

If I swap the type t

Join us for an amazing virtual event - Ignite: What's Next - October 28, 2025

AI is upon us, and here's a fantastic chance to learn more about it!

During this virtual event, we will be hearing from top industry experts and senior executives within Palo Alto Networks about PANW's plans for AI to help drive a more secure futur

A/A vWire Deployment Forwarding MAC Address on HA Links?

Hey Guys,

I'm having an odd MAC flapping issue when I implemented a A/A PAN under a A/P ASA. I'll give the high level and attach a topology with the failure patterns I saw.

We have a pair of 5585X's as the traditional L3 / L4 internet facing Firewall

Broken capture in SASE workshop registration

I'm not sure of the best location for this. I'm trying to register for a SASE workshop (and I'm not sure if it's online or not, but that's another conversation), and I need to complete a captcha. Unfortunately, I can't see most of it (see the attache

Bulk changing target device in policy set

I have several policy sets which have between 500-900 rules each and are being re-used for a firewall migration. Each of the sets has the old 850 palo set as the target device. To save time on migration night I am looking to change the target to "any

Commit Failed on Passive Paloalto-3250-admin-role -> AdminRole -> role -> device -> webui -> objects -> packet-broker-profile unexpected here

Hi , Please help , after installed dynamic update of antivirus on Active & Passive PaloAlto-3250, commited successfully on Active but not able to commit on passive.. after commit failed on passive try another way made appication & threat shaedule non

S2S VPNs using Self-signed Certificates

What is the procedure for configuring Site-to-Site VPNs using self-signed certificates?

For example, we need to establish a VPN between Firewall A and Firewall B.

The documentation describes how to create a self-signed Root CA certificate, but it doe

Type: INNR in session id detail.

Hi team,

What does INNR represents in type when looking at the session ID details.

I know that this happens at child session, when parent session ID belongs to the HTTP/2 ID.

If you guys have any idea about what INNR represents, let me know.

Mgmt Traffic over VPN

Hi All,

  I am looking to deploy a few (4) PA-440's into the field. What is the best way to configure my remote firewalls to send MGMT traffic 3.3.3.3/24 (using loopback) over a vpn to central firewall to pass along to panorama MGMT (10.10.10.10/24

jQuery vulnerability on management interface of PA-3220

Hello all,

Our customer is currently using PA-3220 running PAN-OS 11.1.
During their recent vulnerability scan, the following CVEs were reported that jQuery used on the Web management interface;

CVE-2018-8046
CVE-2007-6758

Questions:
1. Do these v