Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

  • Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not.
  • Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4520 Views
  • 0 replies
  • 1 Likes

Remote Admin via ISP connected interface

I have a PA-440 that I need to be able to manage via its ISP connected interface. I did the initial setup via the MGT interface but when I had the device moved to its permanent location, which is not connected to our WAN, I cannot get the login web page when trying to connect to its internet IP address. I have set an Interface-Mgmt profi...

Unable to take passive firewall access.

We tried changing the cable, switchport and VLAN and also connected the Management Interface directly to a laptop. There was no SSH or HTTPS access possible. We also tried to restart the Management and Device Server and other related processes on the FW. There was no change in the access. We uploaded TSF to a new case for further investigation. We c...

FCI by L0 Member
  • 2546 Views
  • 3 replies
  • 0 Likes

Resolved! Adding Malicious IPs on security list manually on FWs which don't have threat protection license

Hi guys, we have two firewalls with a Threat Prevention license and a few other Palo firewalls without a Threat Prevention license. I have a requirement to create security rules to block malicious IPs. I can do this easily on the FW which has the dynamic external list of malicious IPs because of the license, but I can't do the same thing on other FWs which don't hav...

shafi021 by L2 Linker
  • 2662 Views
  • 2 replies
  • 0 Likes

Resolved! Cert Delete and Created new devicecert

Anyone run into this? We discovered around 0400 AM (outside business hours so no admins online) the following logs generated. They appear system generated as if the device is regenerating a cert. Problem is, it doesn't match the dates on the device certificate that is normally generated under the device tab and PAN has zero documentation to tell...

Traffic Distribution methodology

We have 35 PA firewalls all using SD-WAN and have (typically) the following configuration for WAN connections...

  • 100M TC4 Internet
  • 20M TC2 Internet (best quality)
  • 5G Cellular Internet (always on)

We have the following traffic distribution profiles...

  • Critical Traffic - TC2, TC4, Cellular (top down priority)
  • Standard Traffic - TC4, TC2, Cel...

NAT rule

Hello, I have a problem. I have a Palo Alto firewall. Eth1 (20.74.34.3) is configured on the public zone and eth1/2 is configured in the internal zone (10.110.0.4). Inside the internal network, I have a DMZ subnet 10.111.0.0/24 where I have 2 web servers for applications (app1 10.111.0.10 and app2 10.111.0.11). How can I configure the NAT rule to a...

Having trouble creating a support account?

I am trying to set up an account to create a case. I have my serial number/order number. Since one of these is required in the registration process, I opened a case [Case#: 02362263]. I do have access to my Palo Alto unit online in case I can find anything there or register with information associated with what I can pull from that unit. If so...

m_sufian by L1 Bithead
  • 1957 Views
  • 0 replies
  • 0 Likes

PA-VM HA Failover Procedure

Hello dear forum members, I have a question regarding the cluster configuration. We're currently running a PA-VM in cluster (A/P mode) in the organization within an Azure environment; both are configured with different external IP addresses. My question is, in the case of the active node going down, how does the procedure happen? will...

v-wire security newbie

We have a v-wire setup where we are controlling traffic to a secondary firewall with our 820. As it's sitting between the ISP and the site's secondary firewall (SonicWall), we created a rule that negates all but some countries we do business with, and that negation drops the traffic. Would it be possible to accomplish the same with just creating the allowed...

JGaitan by L0 Member
  • 1670 Views
  • 1 replies
  • 0 Likes

Resolved! Create Security Policy Allowing Access to Sharefile based on User while URL filtering is blocking "Online-storage-and-Backup".

We currently block access to Online storage using URL Filtering and make exemptions to online-storage sites like Sharefile using custom URL Category with list of URLs that we want to exempt. However, this setup lets everyone in the company have access to Sharefile. I am trying to figure out a way to instead of Sharefile being accessible to eve...

NormGala by L0 Member
  • 4268 Views
  • 2 replies
  • 0 Likes

Certificate revocation / OCSP not working

I've set up one of our PAs (a 5260 running 10.1.6-h3) to use as a certificate authority and OCSP responder for use with GlobalProtect remote access. I'm able to issue and verify certificates with no problem, but revoking a client certificate has no effect on whether they're able to connect. I'm able to browse to http://<PA IP>/CA/ocsp, but th...

  • 1795 Posts
  • 60 Subscriptions