Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4521 Views
  • 0 replies
  • 1 Likes

GlobalProtect MFA with LDAP at Phase 1 and Okta Verify at Phase 2

Hello everyone, I want to implement GlobalProtect with Multi-factor Authentication, with LDAP at Phase 1 and Okta Verify at Phase 2. Is it possible? I have configured based on the Palo Alto document "Configure MFA between Okta and the Firewall" and mapped the configuration to GlobalProtect, but when I try GlobalProtect it shows only LDAP Authent...

raihannd by L0 Member
  • 1744 Views
  • 0 replies
  • 0 Likes

DHCP Fail

Hello Community, I have a FW with eth0 configured as DHCP client and it gets IP, no problem. But then I see lots of DHCP Fail system messages between lease renewals: Are these normal? Thanks!

Alex_S by L1 Bithead
  • 3798 Views
  • 4 replies
  • 0 Likes

PA-220 (A/P) Packet Buffer on DP filling up over time on passive Firewall

Hi there. We have two PA-220-ZTP firewalls with PAN-OS 10.2.3 in Active-Passive configuration. On the passive firewall we see Packet Buffers on the Data Plane filling up over time. The active firewall doesn't have this issue. I've just rebooted the passive firewall and the counter went back to zero. I can confirm from the CLI of the passive fire...

mattlede by L1 Bithead
  • 1362 Views
  • 0 replies
  • 0 Likes

Certificates duplicated from Primary to Secondary firewall in Palo Alto

Hi All, We have 2 Palo Alto firewalls in HA mode (Active-standby). Palo Alto model: PA-3220. OS Version: 10.1.6-h3. We create unique certificates (for management, interdevice) in each firewall with hostname. After some time, the certificates in the secondary firewall get removed and the certificates from the primary firewall are copied into secondary ...

SSL Decryption not working consistently on Macs

We just installed SSL decryption (not self-signed) across our PANs. It is working fine with Windows workstations at office and at home. However, with Mac machines it is working inconsistently when at home and connected to GlobalProtect. For some sites it's picking up the SSL decryption cert while for others it wasn't. I have already tried to upg...

Resolved! Cisco Twice NAT

I am working a migration of a Cisco ASA Firewall to Palo Alto and the NATs are confusing. Here are a couple of the NATs: (Outside) to (Vendor) source static 10.5.1.0/24 10.5.1.0/24 destination static (10.24.49.47 & 10.24.49.46) (10.24.49.47 & 10.24.49.46) (Outside) to (Outside) source static 10.160.100.100 67.91.127.197 destinati...

PAN User-ID Agent

Hi All, I installed User-ID Agent on the Windows DC, and it is working somewhat successfully. For some odd reason it recognizes the users from our domain but on the app's monitoring tab, where I can see the IP-User correlations, sometimes the users are identified like this: domain\user and sometimes like this user@domain.com Sometimes the ...

Internal users unable to access some banking URLs/Sites

I'm experiencing an issue with internal users unable to access some banking websites/URLs. Users can access these sites over the VPN (Global Protect) but can’t access these sites from the office/Internal. I then created a URL Filtering category (added all the URLs in question) and attached it to a policy rule, also added these URLs to the SSL ...

WinstonC by L0 Member
  • 2181 Views
  • 1 replies
  • 0 Likes

Phase 1 compromise impact to Phase 2

Hi, I would like to know: if IKEv2 phase 1 is compromised because of weak encryption in the proposal, can a malicious user access all data sent across the VPN connection, which may include passwords and sensitive files? Or does the malicious user only know the phase 1 proposal, and it cannot impact phase 2 if we are using strong encryption on phase 2?

crypto by L2 Linker
  • 1157 Views
  • 0 replies
  • 0 Likes

PAN-OS 10.2 HTTP Log Integration with Google Chat

Hello! I want to send webhooks from a Palo Alto 5220 (PAN-OS 10.2) to Google Chat (about the commit). I found the following document: https://live.paloaltonetworks.com/t5/log-forwarding-articles/pan-os-8-0-http-log-integration-with-slack/ta-p/172093. But I can't do it for Google Chat. Maybe someone has experience how to set up an HTTP service for google...

Dorofeev by L0 Member
  • 1634 Views
  • 0 replies
  • 0 Likes

Receive errors on all traffic interfaces

Hi guys I am a bit lost in our own network...... We have a PA-820 Cluster in active-passive mode. It is running for maybe 7 months now. Each firewall has 2 uplinks to our 2 core switches and 1 downlink to the access switch (with subcontractor on it). We noticed around 2 weeks ago that all those 6 ports have hardware receive errors since we insta...

tulkas by L0 Member
  • 10133 Views
  • 2 replies
  • 0 Likes

Resolved! Not able to delete Vsys1

Hello, We have a problem when trying to delete vsys1 from the FW. The customer enabled multi-vsys and they had two vsys configured. Right now, due to topology changes, vsys1 is no longer required, so the customer would like to delete that vsys. The thing is that the PaloAlto won't allow us to delete vsys1 even though we have double-checked that t...

JMBerzal by L1 Bithead
  • 5428 Views
  • 3 replies
  • 0 Likes
  • 1795 Posts
  • 60 Subscriptions