The same traffic is getting allowed by one rule and blocked in firewall by another (please refer scrnshot)

So we have a explicit Deny all rule at the bottom most, and there is another rule by which the same traffic is also getting allowed.

The allowed rule has dest as any and has URL category in it with service as https.

So if u can see the screenshot s

Meraki clients unable to access internal resources

I'm having an issue where devices on the internal network cannot access internal resources. Ping works, but browsing on 80 or 443 does not.

Devices are on the same vlan, subnet and Palo Alto security zone as the wired devices. Wired works, wireless

Palo alto denying the traffic randamly

A simple rule is created in my firewall, where the traffic is allowed from our servers to the fqdn which is reaiding in internet. Application is as any and in service 443 is allowed.

Sometimes firewall is allowing the traffic , sometimes it is denyin

Vlan extend layer 2 - Pair of firewalls HA (Active passive) in differents Sites

Is it possible to extend a VLAN across two pairs of Palo Alto Networks firewalls in an HA (active-passive) configuration located at two different sites (Site A and Site B), while allowing each HA pair to use the same virtual IP address range?

What are

Firewalls in HA

I am facing one issue, my active firewall is not down but I am not able to access it via GUI and CLI (The management access is gone). In this case I want to make my secondary firewall as active. If I change the priority of secondary firewall will the

URL category for anydesk

Hi community!

I´m trying to create a url custom category that matches Anydesk traffic so I can decide what non-decrypt rule anydesk is using.

In the URL filtering logs I only see the url anynet%20relay:6568 and I tried to create a custom category w

HA Active‑Passive 3420 Both Nodes Stuck – Suspecting LACP Issue

Hello,

Yesterday our HA infrastructure on a pair of Palo Alto PA‑3420 (Active‑Passive) firewalls completely froze. Both units continued to believe they were the active peer, and automatic failover never occurred. We had to manually reboot the actual

PA-410 and logs

Hello experts,

We wants to buy PA-410, because no local logs avaiable, 

is it possible to purchase and store the logs to Strata Logging service without Strata cloud manager?

thanks,

SdG
Strata Logging Service 

HA Configuration Issue with Panorama-Managed Firewall with reason TCP channel failed ,reverting configuration.

Hi Team,

We are currently facing an issue with a customer related to the configuration of High Availability (HA) in their firewall setup. Below is a brief overview of the scenario:

1. The customer has two firewalls:
2. • One is managed by Panorama (all config

Query about Session Offloading

Hi Team,

How to check the Offloaded session in PAN-OS 10.1.11 ?

In the below image the session is offloaded ?

observing high cpu utilization on daily basis and the main CPU consumers are multiple pan_task processes, each using around 70% CPU, and running cont

below  is  the  output of  show system resources  :  kindly please let me know , is it a  normal behavior or do we need some changes to be done.

top - 06:37:58 up 153 days, 11:11, 1 user, load average: 48.31, 48.22, 40.92
Tasks: 258 total, 43 running,

Cortex XDR EDL

Hi,

We want to integrate Cortex XDR EDL with PANGFW EDL. We did everything with this guide -- https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-External-Dynamic-Lists

After finishing setup we initiated tes

Planned Migration from PA-820 to PA-445 Firewall

Hello,

                We plan to replace the PA-820 firewall with the PA-445. A configuration snapshot will be taken from the PA-820 and imported into the PA-445. After the import, verify whether all settings have been successfully transferred and i

URL filtering or tightening up on GlobalProtect security rule?

I have a security rule for my GlobalProtect, and want to see if I can make it even tighter....

• Source
  • Zone: untrust (outside)
  • Address\User\Device: Any
• Destination
  • Zone: untrust 
  • Address: IP of my interface/GlobalProtect IP
  • Device: Any
• Application
  • Any
• Se