Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

  • Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not.
  • Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4549 Views
  • 0 replies
  • 1 Likes

Question on "default" VLAN Interface

This may be a stupid question, but is there a purpose for the default vlan Interface (named just "vlan") that gets created on network templates? I have a couple of deployments that use vlan interfaces, but I noticed that the default vlan interface is the only one that has a mac address. Is this interface necessary?

jwill2 by L1 Bithead
  • 298 Views
  • 0 replies
  • 0 Likes

Resolved! Telemetry - Hostname/url is in illegal/bad format

Hello - Any idea on how to troubleshoot this?

Device Telemetry Statistics:
device-health-performance:
  last-attempt: Fri Oct 6 13:29:13 UTC 2023
  last-success: Fri Oct 6 12:19:14 UTC 2023
  num-of-failed-attempts: 2
  reason: Hostname/url is in illegal/bad format
  status: failed
product-usage:
  last-attempt: Fri Oct 6 13:29:13 UTC 2023
  last-success: Fri Oct ...

Duplicate DNS packets

I'm encountering an issue where we are seeing duplicate DNS (UDP) packets coming out of the palo to the resolving server. Specifically TXT records with multiple packets at the server (resolver) side vs. the normal request/response. At the client side we see the normal request response (2 packets). The server side there are up to 6 packets for ...

Limit User-ID Agent queries to certain Windows event-IDs

We have been using PA-User-ID Agent for years and it was working fine. The Agent is connecting to Domain-Controller Log and maps user-name and ip-address of successful logins for firewall-policy usage. Yesterday we changed GPOs on the Domain Controller to enable Kerberos-Ticket Logging and since then we received unwanted mappings: A user starting...

SBegass by L0 Member
  • 639 Views
  • 1 replies
  • 0 Likes

Resolved! Performance impact of using higher DH group for site-to-site VPNs

“Clarification on the meaning and performance implications of ‘Integrated Crypto Assistant’ for PA-1420 IPSec VPNs” Hi all, I’m working with a PA-1420 appliance in a site-to-site VPN deployment and I’d like to better understand the hardware/crypto architecture. Specifically: The PA-1420 architecture diagram lists “Integrated Crypto Assistant...

Issue with allowing AnyDesk on a no-internet policy

Hey, I have a need to block all internet traffic at a specific site. I have created specific policies to allow needed services, and at the bottom of the policy, I have added a drop all. I have created a URL category for *.net.anydesk.com and allowed the ports according to this URL https://support.anydesk.com/docs/firewall but traffic from client...

gtaboy34 by L0 Member
  • 1290 Views
  • 1 replies
  • 0 Likes

NGFW 1400 Series LACP / Failover issue (11.1.5)

This is a notification for anyone running 1420 boxes in a high-availability (HA) configuration in their environments >11.1.4. We recently encountered significant issues with our NGFW operating in HA mode. Specifically, the HA setup failed on the active firewall, and the failover did not occur as expected to the secondary (standby) device. I h...

Palo Alto T-Q28-100G-S4 and PA-5450 with PAN-PA-5400-NC-A

Hey everyone, I am working on a project to integrate Cisco Catalyst 9500/Nexus 9300 switches with Palo Alto PA-5450 with PA-5400-NC-A cards using 100G QSFP transceivers. Specifically, I was testing with below transceivers. Cisco QSFP-100G-SR4-S Palo Alto T-Q28-100G-S4 Firewalls are running 11.1.4-h18. Non-Working combination. Cisc...

PAN OS integrated User ID agent Server monitoring Status Showing "Access Denied"

Hi Team, PAN-OS Integrated User ID is connected with one of our DC servers without any issues, but while configuring the other DC servers we are getting "ACCESS Denied" in the server monitoring. Looking in >less mp-log useridd.log I have seen the following error: tail follow yes mp-log useridd.log 2025-02-20 14:1...

Cannot Access Primary in HA Pair – Need Failover & Recovery Advice

Subject: Unable to Access Primary Firewall in HA Setup — Need Guidance on Failover and Recovery

Hello Palo Alto Community,

We are currently facing an urgent issue with our Active/Passive Palo Alto firewall setup:

Palo Alto Model: PA-3220
VERSION: 10.2.5
UPTIME: 765 DAYS

- The primary firewall (IP .165) is active but we have lost admin login access du...

Resolved! PDF report generate and date is not in order

Hi all, I have an issue where I generated and exported my custom report in PDF and the timestamp is not in order. And the "sort-by" option is limited, refer to the attached. Is there a way to view my report in the correct order based on the timestamp? My Palo Alto software version is 10.1.8

Palo Alto Firmware Downgrade

I want to downgrade the firmware of PA-410R from 11.1.4-h7 to 10.1.10-h1. I am trying to access the support portal, but it's not accessible, and I cannot even reach the help line numbers. I want to integrate the firewall with the existing Panorama with 10.1.10-h1 firmware. Need the community support to get access to the firmware, to the support ...

GKumar by L0 Member
  • 1600 Views
  • 2 replies
  • 0 Likes

Request Advice – BGP Failover Route-Based IPsec VPN With WatchGuard (WG)

Hi Everyone, I’m looking for guidance on the best-practice way to set up redundant route-based VPN tunnels using BGP between a Palo Alto firewall (PA-VM) and a WatchGuard firewall. The goal is to implement primary/secondary failover with dynamic routing instead of static proxy-ID tunnels. Environment Palo Alto: PAN-OS 10.x VM-Series WatchGu...

  • 1588 Posts
  • 60 Subscriptions