General Topics

Join us for an amazing virtual event - Ignite: What's Next - October 28, 2025

AI is upon us, and here's a fantastic chance to learn more about it!

During this virtual event, we will be hearing from top industry experts and senior executives within Palo Alto Networks about PANW's plans for AI to help drive a more secure futur

...

Discover LIVEcommunity Through Our New Animated Explainer Video!

We’re thrilled to unveil a brand-new animated video that highlights everything LIVEcommunity has to offer!

This short and engaging video gives you a quick tour of the many resources available in our vibrant community — from interactive discussi

...

Active/Active HA with OSPF is dropping packets when innactive member becomes active

I am seeing an issue where upon pulling the plug in an active/active setup, OSPF does it's job. A few packets are lost but it is within an acceptable range. My issue stems from when the innactive member comes back online and joins the HA. I can't

...

Resolved! Panorama VM 7.1.0 - Difference between debug reboot and reboot

If you go into maintenance mode you have two options "debug reboot" and "reboot."

What are the differences between these two boot modes as they both seem to do the same thing and get me back to the panorama login.

Resolved! Outputs Limit! Service restart loop @ 30+

So the title is a slight misnomer.

Have a dev server with 59 miners, 42 procs, and 32 outputs, works fine.

Have a prod server with 58 miners 41 procs and 29 outputs, does not work fine.

The two devices are set up with "identical" configs the dev server

...

Resolved! Security policy that permits traffic to any *.office365.com ?

I see there is an FQDN option for Destination Address when I create a security policy.

I want to permit port 993 to any host in office365.com. Will it work if I just put office.com

in the FQDN destination? Trying to put the * wildcard causes the widget

...

Resolved! Adding Address object to GlobalProtect split tunnel access route list

Hi. In the Palo Alto firewall, I've created a new Address object with the type set to FQDN and with a valid DNS record. Saved and committed the change. Then I try to add this newly created address object to the access route list in the GlobalProt

...

Can a specific restricted youtube video be blocked?

We have Google safesearch enabled via the DNS hack and allow educational / restricted YouTube videos. One of the staff has an issue with a specific video, is there a method to block just a specific video?

Block outbound NTLM auth

With CVE-2018-0950 from Microsoft, if an outlook user clicks on an OLE object in an RTF email, the client will send credentials try to logon. Our security group is quite concerned about this.

While allowing ports 445, 137 and 139 out to the internet

...

Resolved! Antivirus Dynamic Update fails PAN-OS 8.1.0 Cluster

Hi Community,

I have a PA-850 Cluster with PAN-OS 8.1.0 and a valid Threat license.

The active firewall is configured to download and install antivirus updates and sync them to his peer.

Unfortunately, the update failed lately, so we were 4 days behin

...

Resolved! Disabling Indicator Expiration

@lmori, thank you for your help so far.

I am migrating my data to the "stdlib.localDB" miner, per your suggestion here.

I have two questions now:

First, I noticed that the default expiration for indicators added to this miner is just one day. How can

...

Resolved! TAP mode interface drop

Hi. I have a question about TAP deployment

I set the TAP mode which I used just one interface, set the zone TAP

Security policy TAP-TAP any any permit.

Then, regularly I'm checking the global counter, but I don't know why the drop packet occured.

When

...

Cloudflare using 1.1.1.1 (Palo Alto recommended ipv4 DNS sinkhole IP)

Since PA recommends using 1.1.1.1 for DNS sinkholes I thought it would be interesting for those of us following this practice that Cloudflare is now using 1.1.1.1

https://www.theverge.com/2018/4/1/17185732/cloudflare-dns-service-1-1-1-1

IKEv2 renegotiation on acceptor gateway reboot

Hi community,

I have a site-to-site IPSec connectivity with Palo Alto gateway (PA-VM 8.0.5 on kvm hypervisor - CentOS 7 host) on one end as initiator and Vyatta OS based gateway on the other end as acceptor.

When IKEv2 and IPSec (and BGP) are in esta

...

PaloAlto Managed Services Question:

I have a question pertaining to Palo Alto's Managed Services business.

Does Palo Alto have its own Managed Services business where they service end clients directly?

Another way of asking this is, does PaloAlto only use the partner channel to deliv

...

Layer 1+2 decisions for PA820 HA pair

This is my first time having the luxury of two ISP's and redundancy in all hardware - I was tryingt to research best practice for wiring the PA pair as active/passive router/nat - I found some mentioning of using port channels to achieve local reduna

...

2nd default route

My PA already has a Default Gwy pointed to the current Internet provider. I got a new Internet provider and I'd like to test the Internet connection by only allow my traffic to go to the new Internet connection. What is the side effect if I add anoth

...

Discussions

Join us for an amazing virtual event - Ignite: What's Next - October 28, 2025

Discover LIVEcommunity Through Our New Animated Explainer Video!

Active/Active HA with OSPF is dropping packets when innactive member becomes active

Resolved! Panorama VM 7.1.0 - Difference between debug reboot and reboot

Resolved! Outputs Limit! Service restart loop @ 30+

Resolved! Security policy that permits traffic to any *.office365.com ?

Resolved! Adding Address object to GlobalProtect split tunnel access route list

Can a specific restricted youtube video be blocked?

Block outbound NTLM auth

Resolved! Antivirus Dynamic Update fails PAN-OS 8.1.0 Cluster

Resolved! Disabling Indicator Expiration

Resolved! TAP mode interface drop

Cloudflare using 1.1.1.1 (Palo Alto recommended ipv4 DNS sinkhole IP)

IKEv2 renegotiation on acceptor gateway reboot

PaloAlto Managed Services Question:

Layer 1+2 decisions for PA820 HA pair

2nd default route

Cloud NGFW - Revert Content Update

Panorama commit warning

No "certificate used by" field when generating certs for SSL forward trust and untrust?

A question about snat address pool couse a route loop

How do I get the documentation / training for creating advanced XQL queries

Re: Exclude only communications on specific port numbers from Global Protect

Re: Software NGFW Credits

Re: Advanced DNS Security vs DNS Security License

Re: Replacing HA Hardware

Re: About API keys when using the curl command

Unlock your full community experience!

Resolved! Panorama VM 7.1.0 - Difference between debug reboot and reboot

Resolved! Outputs Limit! Service restart loop @ 30+

Resolved! Security policy that permits traffic to any *.office365.com ?

Resolved! Adding Address object to GlobalProtect split tunnel access route list

Resolved! Antivirus Dynamic Update fails PAN-OS 8.1.0 Cluster

Resolved! Disabling Indicator Expiration

Resolved! TAP mode interface drop