Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4590 Views
  • 0 replies
  • 1 Likes

Bonjour mDNS Reflector Layer 3 Vlan Interface

Just curious if anyone out there knows why Palo Alto has never implemented the Bonjour Reflector feature in Layer 3 Vlan interfaces. PAN implemented this a long time ago but it is only available on physical Layer 3 interfaces (or subinterfaces) or aggregate links. - Is there a technical reason for not implementing on L3 Vlans or just that the...

BaudMatt by L1 Bithead
  • 1806 Views
  • 2 replies
  • 1 Likes

How to allow a user only to push the changes made by him/her on Panorama

Hi Team, How do I allow a user to Push only the changes made by him/her. I tried restricting the access using "Allow push for other admins" option but this is disabling the access for any push. I've tried multiple options but none of them is helping. We're on PAN-OS 11.2.4-h7 and it's Panorama VM series. Thanks for all your help, Bram

OSPF & Static Routes

Hi, I have OSPF configured on PA460 firewall with profile redistributing Static. I have another redistribution profile not to redistribute certain subnets/routes. Now I want to add some new routes with metric higher than that of OSPF. Will these routes be redistributed in OSPF? Thanks

Which model is the rack mount kit for the PA-510?

In the datasheet, the rack mount kit for the PA-510 is listed as “PAN-PA-400-RACKTRAY”, but in the technical documentation, it’s written as “PAN-1RU-4POST-RACK-10.” Is there a qualified Palo Alto Networks staff member who can confirm which one is actually correct? Honestly, Palo Alto could really be more careful—this kind of inconsistency in th...

Resolved! High availability system alarms

I can't find all the HA events. I need to map all the system alerts on my FW. Searching the system logs, I find logs like the ones shown below, but I need to be able to map each one to my server to monitor alarms. 2025/08/25 06:03:57 high ha config- 0 HA Group 1: Commit on peer device with running configuration not synchronized; synchronize ma...

Palo Alto CGNAT block issues with GeoBlock rule

We just migrated from Cisco Firepower: We have some Negate Geo block rules that will block any country that is NOT on the lists of allowed, but now it is unintentionally blocking CGNAT addresses. We would still like to only allow US CGNATs but the fix below would be worldwide I believe? We don't want to wait until someone travels around the ...

E.Egger by L0 Member
  • 556 Views
  • 0 replies
  • 0 Likes

Link and traffic priority on palo alto

Hi All, We are using one isp link for internet browsing and 2 site to site tunnel. Now we have procured another isp link and want to configure it as a primary for internet traffic and one location (India) site to site vpn. Below my approach to achieve this: 1. Configure new isp link with lesser priority for internet traffic and one location (India)...

Issues with SSH and Telnet access only on the passive firewall. GUI access is working fine.

I’m having an issue accessing the passive firewall in my cluster via SSH or Telnet. I can access it normally through the GUI and authenticate using LDAP or my local admin user. The active firewall authenticates both GUI and CLI without any problems. What I’ve tried: Restarted the firewall. Reset the SSH service via API and also rebooted the dev...

jtjesus by L0 Member
  • 508 Views
  • 0 replies
  • 0 Likes

Abnormal display of traffic log BYTES field

The customer found that some traffic logs have extremely large bytes, reaching 281.5T. Looking at the log details, it was found that: Question 1: Details: Type end Bytes 281474976579754 ---- I think this is an incorrect display? Bytes Received 2147483647 Bytes Sent 170 Repeat CountPackets1 Packets Sent 2 Bytes= Bytes sent + Bytes Receiv...

Felixcao by L3 Networker
  • 6395 Views
  • 8 replies
  • 0 Likes

validation error "poe unexpected here"

I'm trying to push policy from Panorama (11.1.6) to a PA-440 (10.2.13). In Panorama, when looking at the config of an interface such as Ethernet1/1, it has a tick box for "PoE". However, on the same dialog on the PA-440 there is no PoE depicted. Now, when I try to push policy (whether PoE is ticked or not) it comes back with: Validation Error:n...

Global Protect Mac-OS Received fatal alert IllegalParameter from client

Hello team, I have an issue with the Global Protect 6.2.7 app running on an Apple Mac OS X Sequoia 15.3.1 in the SSL negotiation process. The error on the Global Protect says "The network connection is unreachable or the portal is unresponsive. Check the network connection and reconnect." On the NGFW logs I see some decrypt errors on the traffic and d...

Unable to patch Windows Server to utilize UIA

Hello Team, We are currently experiencing this knowledge issue in our environment. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001Vcg I understand that this can be resolved by applying a patch. However, we are unable to install or uninstall patches in our environment. Is there any other way to work around this ...

About the output of the "show ctd-agent status security-client" command

Hi everyone, I'm using a PA-5250. When I ran the "show ctd-agent status security-client" command, I noticed that the output had changed: "Security Client UrlCat(2)" had disappeared, and "Security Client WifUpload(0)" was displayed instead. [Before]Security Client UrlCat(2) <<<<<<<<<<<<<Current cloud server: ...

Otsuka by L1 Bithead
  • 803 Views
  • 0 replies
  • 0 Likes
  • 1586 Posts
  • 61 Subscriptions