General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

HA Failover Issue on PA-3420 with AE LACP – Both Nodes Active (Split Brain ?)

We’re experiencing a critical issue with our HA setup on a pair of Palo Alto PA‑3420 firewalls running PAN‑OS 11.1.6‑h3 in Active‑Passive mode (HA Group 25, preemptive disabled). Both firewalls simultaneously believed they were active, causing a complete traffic halt and requiring a manual reboot of the actual active node to restore service. We ...

romen54 by L0 Member
  • 2319 Views
  • 2 replies
  • 0 Likes

URL access issue

We have one legal category URL that is not working. We checked on Palo and found no return traffic. So Palo support told us we need to check with upstream, as we didn’t find an issue on our Azure either, as we use an Azure public IP. As we don’t manage any CDN, we don’t have visibility into whether they are blocking our Azure public IP or not. Any suggestions?

Failed to send CHAP authentication request:

admin@PA-(active)> test authentication authentication-profile ISE-TACACS username XXXX password Enter password : Target vsys is not specified, user "XXXX" is assumed to be configured with a shared auth profile. Do allow list check before sending out authentication request... name "XXXX" is in group "all" Authentication to TACACS+ server at '172...

pacavi by L1 Bithead
  • 19467 Views
  • 4 replies
  • 0 Likes

Firewall suddenly stopped reading EntraID groups from CIE

We have been using CIE for about half a year now for a specific use case where we use some groups that are maintained in Entra ID to control network access. Monday we were made aware that that access did not update for new users. CIE does have the correct group mapping, but the firewalls do not sync with CIE. Debugging the issue we have foun...

Stop Connect "On-Demand" after "Pre-Logon"

Hi! We use the pre-login feature with client cert logon - this works quite well. After logon we would like to connect on demand with SAML login. We made two configs, one for prelogon and one for the user, both with prelogon: At the moment, if you log in to the client, the GP client starts directly with the SAML login - is it possible to stop this...

Resolved! Alerts in AIOPS Still Exists

Hi community, I have a critical alert on CVE Vulnerability on our firewall. However, after performing the PANOS upgrade to the version that patched the CVE, the alert is still showing in AIOPS. So, my questions are, shouldn't the alert disappear by itself after upgrading to the patched PANOS version? Is this a bug or is it an expected behavi...

Resolved! [API] - User-ID

Hello Guys, Sorry if the location is incorrect. I was looking for a location regarding API. I'm trying to set up a user with his IP through API. This is for a lab. I did follow this page: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-panorama-api/pan-os-xml-api-request-types/apply-user-id-mapping-and-populate-dynamic-address-groups...

Resolved! Issues with Pre-Defined Decryption Exclusion

Hello, I'm trying to figure out any reasons that the decryption exclusion would not be working. As the traffic is being denied: What could I be doing wrong in my config to have this exception not work?

CPATT by L1 Bithead
  • 2978 Views
  • 5 replies
  • 0 Likes

HA session sync too slow?

I've recently migrated to a pair of active/active HA firewalls and am seeing some DNS return traffic dropped. Checking the logs, I can see that traffic is returned via another firewall as the DNS request was received. No problem, as normally the HA session sync is fast enough for the other firewall to have the session. However, the DNS servers re...

dmgeurts by L2 Linker
  • 1969 Views
  • 3 replies
  • 0 Likes

Firewall Configuration via API

I have enquiries regarding the API on PA firewall. I would like to know whether I can enable User-ID in zone, adding server in Server Monitoring and adding Syslog Parse Profile via API or not? Are those actions supporting configuration via API?

Pearson VUE exam error

Hi, for the last week I tried to take the Palo Alto SSE and the PCNSE and I get an error (see attachment). Does anybody know about a problem with Pearson VUE exams online? Thanks

m.Zrihen by L1 Bithead
  • 1969 Views
  • 5 replies
  • 0 Likes

PrismaAccess: Maximum limit for tunnel settings in the GlobalProtect app

Hello, I would like to know the upper limits for tunnel settings in the GlobalProtect app in PrismaAccess. ① Upper limit for tunnel settings profiles ② Upper limit for IP address matches ③ Upper limit for routes to exclude. The background is that we plan to use GP with PrismaAccess at 30 companies with over 100 locations, and we would like to route as...

H.Tsuboi by L0 Member
  • 1872 Views
  • 1 replies
  • 0 Likes

Issues with PAN-OS 10.2 Upgrade – Missing Configuration After Update

Hello everyone, I recently performed an upgrade from PAN-OS 10.1 to 10.2 on our firewall, and we’ve noticed that some of the previous configuration settings seem to have disappeared post-upgrade. Specifically, some custom address groups and security policies are missing, while others remain intact. Has anyone encountered this issue with PAN-OS u...

Panorama not pushing network template changes to devices

Hello, I am very new to Palo Alto FWS so please be gentle 🙂 I have been asked to set up two new PA3060 firewalls to be centrally managed by a Panorama server. Both the Panorama and Firewalls are running v8.0.5. I have successfully followed the PA instructions to import the firewalls and configs into the Panorama. However, if I create say a new...

gc227s by L1 Bithead
  • 23249 Views
  • 8 replies
  • 0 Likes

Resolved! VM series firewalls and interfaces

Howdy all, I have deployed 2 VM series firewalls in VMware Workstation Pro but I can't get their dataplane interfaces to ping each other. I'm sure this has to do with how to configure the network adapters. I have no issues accessing the GUIs/Management interfaces and they can ping each other as these interfaces are bridged in VMware Workstation...

  • 24393 Posts
  • 123 Subscriptions