Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

  • Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not.
  • Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4517 Views
  • 0 replies
  • 1 Likes

Clientless VPN for SQL Traffic?

I have users at a development partner company who need to access a dev SQL instance. So they need TCP 1433 to one server. I would like to restrict access to their corporate public NAT IP and require that they use AD credentials. But it would be preferable if they didn't have to install the GP client. Would it be possible to set this up on a PAN ...

Resolved! Twice NAT of ASA FW, equivalent NAT rules on Palo Alto FW

Hi Experts, we have twice NAT rules (nearly 608 NAT rules) configured on ASA FW and we are planning to refresh them with Palo Alto 5020 soon. Below is one of the NAT rules of the ASA FW:

nat (Internet,Inside) source static any any destination static h-197.29.23.83 h-10.30.2.74 unidirectional

I would like to know what kind of NAT rule(s) we should ...

EMEA-FW by L1 Bithead
  • 6035 Views
  • 2 replies
  • 0 Likes

Bypass the url filtering

Hi everyone. Can URL filtering be bypassed by changing the URL in the HTTP GET request? For example: a firewall rule denies connections to URL deny.com and allows URL allow.com. A user tries to connect to deny.com with IP address a.b.c.d; the user adds an item to the hosts file or uses a browser plugin/extension to change the HTTP request to allow.com but destination ip address in ...

kiennn by L0 Member
  • 3418 Views
  • 2 replies
  • 0 Likes

unknown traffic pcaps just stopped happening one day around 2 weeks ago

I have a PA-460 that stopped doing pcaps for unknown traffic about two weeks ago. I played around with the application dump setting and I think I may have broken something:

Application setting:
Application cache : yes
Supernode : yes
Heuristics : yes
Cache Threshold : 16
Bypass when exceeds queue limit: no
Traceroute appid : yes
Traceroute TTL thres...

Routing issue on Multi VSys PA Firewall integrated with Cisco ACI

Hello, we have a multi-Vsys firewall to handle North-South and East-West traffic, which is integrated with Cisco ACI. The virtual router is configured with static route 0.0.0.0/0, next hop as Cisco ACI. We are seeing some North-South traffic on the East-West firewall; the ACI team insists it is a case of Route Leak from PA/Vsys. Any suggestion, A...

sometimes the policy matched the multicast packets and sometimes it didn’t when each packet had the exact same source/dest IP and source/dest port?

sometimes the policy matched the multicast packets and sometimes it didn’t when each packet had the exact same source/dest IP and source/dest port? Some multicast traffic is allowed but other packets are denied. We need to understand why there is a difference. In this case some multicast traffic was allowed by a policy that was not configure...

site to site ipsec vpn issue

PA 3260 and VM 300 are set up with a site-to-site IPsec VPN. The IPsec VPN had been working. But from two days ago, it wasn't working. Can you help me to check it?

admin@tfw001> tail follow yes mp-log ikemgr.log
tail follow yes mp-log ikemgr.log
2022-10-08 19:12:29.812 +0800 [DEBG]: { 2: 4}: 192.168.1.1[0] => 4.96.1.109[0]: Child SA key expire ignore...

Palo firewall routing

Hello. New to Palos. I have a question re routing. I have an interface with, say, 1.1.1.1/24. There is a router on the same network on 1.1.1.2. I have had to add a static route in order to ping/communicate with 1.1.1.2. Is this normal Palo behaviour?

Source MAC not displaying

We have multiple Palo Alto firewalls running version 10.1.X/10.2. None of them are showing the source or destination MAC address in the traffic logs. When we select the source/destination MAC address column in the traffic logs, it shows blank. So how do we display the source/destination MAC address in the traffic logs?

Still see it in logs while I already blocked it

Dears, Panorama firewall logs show a threat, for example spyware, whose threat name is a website link. I blocked the website IP and the link but I still see it in the logs. It is repeated many times, which fills the logs. The source address is from the DMZ zone and the destination address is from outside. What can I do to not see it again in the logs?

KmdCyber by L0 Member
  • 1796 Views
  • 1 replies
  • 0 Likes

Certificate export on a FIPS-enabled firewall

Hello All, I currently have an HA pair of 3260 firewalls that have a GP portal and gateway. My firewalls are in FIPS mode. I want to set up a redundant pair of firewalls in AWS as my DR running GP with the same config. So I would have a monitor set up so that if my main site becomes unreachable for more than 30 min my DNS changes priorities to my DR ...

Palo Alto HA problem

Hello, we have a few PA440 clusters where we are unable to activate HA. Software version is 10.1.6-h6. As soon as we enable HA on the first node, everything goes down (including internet access) and then the config gets rolled back (due to lost connectivity to Panorama). I cannot seem to find any hint in the system logs. Has this happened to...

  • 1795 Posts
  • 60 Subscriptions