Add backup GlobalProtect portal to GlobalProtect client

On our PA-1410 under Network - GlobalProtect - Portals - each of our portals (one on each interface for each ISP) - Agent - Agent Config - External Gateway I added gp2.domain.com to go along with gp.domain.com. 

I was thinking (hoping) that would upd

VPN tunnel flapping after the 11.1.4-h7 upgrade

We have upgraded our FW to 11.1.4-h7. After the upgrade the IPSEC tunnels were working fine. But from the past 2 days we are observing that tunnels are flapping and one of the tunnel is down due to phase-1 negotiation failure due to timeout.

Does a

PAN-OS 10.2 preferred release Vs. vulnerabilities

Hello everyone,

  maybe this is a silly question, but as far as I can see the current PAN-OS 10.2 preferred release dates back in november and does not include fixes for recently discovered vulnerabilities (CVE-2025-0108, for example). I usually pu

GlobalProtect requires token twice - Possible RSA inconvenience

Hi Community. I have an issue on GP: it makes requests for token twice to get through VPN to my network.

I discovered the RSAs feature "Next Token Code Mode", but believe PA (5050 - PAN-OS 7.1.10) has nothing to do when a NTC is requested, so I recom

Lab license for Palo Alto

How hard is it to get a lab license from a Vendor such as CDW.   Last week I  went to their website and purchased 'PAN-PA-410-USG-BND-LAB'.  

Today I looked and saw it as canceled.  Still trying to find out why it was canceled.   The cost of $104 w

Upgrade path question

We have a second Palo Alto that we want to upgrade and then use as a High Availability device to work with our current operational firewall. It had been used before, but is currently offline.  I was following the upgrade path from 9.0.13 to 10.2.13-h

transfering license without a CSP account

Hello,
I hope someone can help me.
I tried to find myself the answer but looks like I'm getting a chicken-and-egg problem.
To accelerate the learning curve, I've bought a PA-440 on ebay.
To transfer the device, I need a CSP account but since I don't have

Antivirus mismatch without license

We have a cluster of firewalls with an antivirus mismatch alert.

The thing is that there is no antivirus license.This issue happpened after one of the nodes went down and we had to perform a factory reset.

We are seeing this by cli:

av-version: 0

av-

Secondary IPSec tunnel with Prisma Access always down.

Dear community!

I have a dual S2S VPN configuration with Prisma Access with static route path-monitoring as well as tunnel monitoring.

The secondary tunnel is always down, only comes up when primary goes down. Do you know if this is expected behavi

Feature Request: ECMP Path Monitoring

We are currently using ECMP to load balance to our two ISPs. Which works great. However since there is no path monitoring(Unless you set static routes). If something happens upstream and your peer doesn't go down the PANs will happily keep sending da