Next-Generation Firewall Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

Network Segmentation

Hi, I'm working to redifine the global architecture. Currently, we have a cluster of 2 Watchguard but we will migrate to Palo Alto (PA-850). Currently, all vlan are configured on Watchguard but I'm not sure that is the best approach. On my LAB, based on GNS3 emulator, I configured a Palo Alto connected to our core switch (Cisco C3850-12s). At ...

Software Upgrade Path within 10.1.x

Hi Team, Planning a software upgrade on PA-5220 from current 10.1.5-h2 to 10.1.6-h3. Can we upgrade directly from 10.1.5-h2 to 10.1.6-h3 or it has to go 10.1.5-h2. > 10.1.6 > 10.1.6-h3 ? Thank you in advance. Best regards, Darren Chew

Wildfire is resetting the connection

Hi, I want to know why wildfire is resetting the connection for legitimate traffic.

Problem with PBF with two ISP and two VR

Hi all, I have a PA220 managed with Panorama. Very cool mgmt and very powerful. Only the PA220 is a bit slow.My Situation - I have two internet connections (Eth 1/1 and 1/7) with fixed IP. Both have their own VR and therefore both have a null route. And both have own untrust1 and untrust2 zone.All my clients 10.10.10.x/24 are in trust1 zone and ...

LED Status yellow for PWR

Hello Guys, Need some suggestions, Paloalto 5220 or say 3220 while deploying I can see yellow LED in PWR but every other LED's are green. referred - https://docs.paloaltonetworks.com/hardware/pa-3200-hardware-reference/service-pa-3200-series-firewall/interpret-leds-pa-3200-series In this document it says it will either be green for ON and ...

Traffic log action shows allow but session end shows threat

Hi I need to know if any traffic log is showing allow and if the session end reason is showing as threat than in that case the traffic is allowed, or it's blocked, and also I need to know why the traffic is showing us threat.

How to add secondary wan pool added in sdwan configuration

How to add secondary wan pool added in sdwan configuration.

Resolved! Creating Data Filtering Profile in PA

Hi, I am creating a data filtering profile and I want to only allow alert threshold, not to block, so I need to know how much value to add inside.

Resolved! DNS-base application

Hi ALL, In our monitor log ,we see a lot of deny for a few PCs with "dns-base" application . Please see below: what is "DNS-base" and how do we allow it if needed. Thanks QL

Unlicensed device that BPF and Security Policy is not working

Hi all, I am facing one issue for PA-3260 (sw-10.1). This is not unlicensed. PBF and Security Policy is not stable on it. Some time is okay. Some time is not working well.

PaloAlto base config, not able to commit config after removing vwire references

Hi Folks, I am using Palo-Alto 3260 without panaroma. i want to take base config from it, so we have reset the firewall to factory default and trying to commit config by removing vwire from interfaces and zones. but config is not getting commit and giving error as interface is missing default config. How can i take base config then

Pan OS 10.0 prefered release

Could you please conform Pan OS 10.0 prefered release ?

Google Cloud VPN IKE-SA-INIT packets being dropped

I built a site-to-site VPN between GCP and a PA3250, which is not working. Surely, I'm missing something. The GCP vpn points to the same interface and IP that other VPNs successfully use on the Palo. I added a Sec policy to allow the GCP IP and the Palo IP to set up Phase 1. However, the Palo drops the inbound IKE-SA-INIT packets. They are g...

Resolved! ssl inbound inspection in a reverse proxy scenario

Dear Community, I need to configure ssl inboud inspection in a scenario with 5 web services running behind a reverse proxy. The flow of traffic is as follow:Internet (same_public_ip) =>> PA ==(nat)=>> Reverse Proxy =>> Web Services Since PA will not be able to peek into the sll traffic to grasp which one is the aimed internal s...

Best practices for Dynamic updates

Hi, Does anyone know what the Best Practices are for dynamic updates?

Discussions

Welcome to the Next-Generation Firewall Discussions!

Network Segmentation

Software Upgrade Path within 10.1.x

Wildfire is resetting the connection

Problem with PBF with two ISP and two VR

LED Status yellow for PWR

Traffic log action shows allow but session end shows threat

How to add secondary wan pool added in sdwan configuration

Resolved! Creating Data Filtering Profile in PA

Resolved! DNS-base application

Unlicensed device that BPF and Security Policy is not working

PaloAlto base config, not able to commit config after removing vwire references

Pan OS 10.0 prefered release

Google Cloud VPN IKE-SA-INIT packets being dropped

Resolved! ssl inbound inspection in a reverse proxy scenario

Best practices for Dynamic updates

PAN-OS HA UGRADE PATH

Unable to find "Hide My IP" application on firewall (Applipedia shows it exists

HSCI port - amber blinking LED on both primary and secondary devices (5445)

Intergrations of External Dynamic Lists (EDL) with External Systems

Translate Pop-up Feature Block

Re: Unable to find "Hide My IP" application on firewall (Applipedia shows it exists

Re: Azure "az" command and decryption

Re: Azure "az" command and decryption

Re: HA failover on Acitve Passive concerns

Re: InPlace Upgrade Windowsserver with User ID Agent

Unlock your full community experience!

Resolved! Creating Data Filtering Profile in PA

Resolved! DNS-base application

Resolved! ssl inbound inspection in a reverse proxy scenario