Service Account used for UserID Agent

Hi Support Team, We need to ensure the service accounts used for the UserID agents installed on the domain controllers have the right active directory permissions and limit the permissions to what is required for them to function. I have the followin

Issue with Path Monitoring on Secondary ISP in Palo Alto Setup with Three ISPs

We’re using three ISPs (Primary, Secondary, and Tertiary) in our Palo Alto firewall setup:

• Primary: Ethernet 1/1 – Metric 10 (Path monitoring enabled with conditions set)
• Secondary: Ethernet 1/2 – Metric 20 (Path monitoring enabled with conditions set

AZURE Entra MFA for admin access via CLI

We are easily able to setup MFA for the Web UI for the management port vial SAML and Entra SAML auth. We have run into some challenges I was surprised exist. First here are the requirements and goals

• PA VM series firewalls in  AZURE.
• No On prem AD, IS

Pa220 begginer

Hello all, 

 I am a new with this field for firewall pa220 .

However i have one mikrotik which the port1 is connected with ISP , port2 on mikrotik is connected with my switch .

How can configure the firewall? How to start. All replys as welcome and i wi

Palo Alto Explicit Proxy Traffic Issue

Hello Team,

We have configured the Palo Alto firewall as an Explicit Proxy using Kerberos authentication in alignment with the Admin Guide. However, we’re noticing that the designated traffic is not routing through the Proxy as expected and is failing

To force NGFW login using SAML/SSO

Is it possible to use SAML/SSO login instead of manual credential username/password. 

Currently in the GUI page, we can either use manual credential / and SSO, but is it possible to force Admin to used SSO method instead.

Different DNS Servers

Hello,

We have a lot of servers in production (PRD) and development (DVE) domain.

Servers in PRD domain use our internal PRD-DNS-Server and those in DVE domain use our internal DVE-DNS-Server. Our PA-5400 series firewall is considered to be PRD domai

User Identification Agent Error Access Denied

This is the error I'm getting when I have runed a command

- less mp-log useridd.log

2025-05-12 13:56:46.879 +0530 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1688): log query for AD-Server failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Acces

Packet Flow Sequence KB is Missing

Hello community,

There was a very good KB explaining the packet flow sequence on a Palo Alto firewall. It was an excellent resource both for study and tshooting because it contained a detailed list of steps on how the firewall processes the packet fro

Bottom most Explicit deny all policy not capturing URLs for Url filtering logs.

So we have a URL filtering profile, which when enabled i can see URL filtering logs for a any any test policy, however there is a Deny All policy we created at the bottom most in policy, I have enabled URL filtering profile for that rule. I am seeing

PA 850 ETH1/1 disabled

Need your help we setup a new PA850 to replace our PRIMARY FW in EUR. Now the config has been push to the device however, i'm seeing the eth1/1 is disabled for some reason.

Is there a command that I can forcefully enable it? even on GUI it shows RE

Ipsec tunnel monitoring issue

Hello All,

Iam having a issue with paloalto tunnel monitoring.

I have configured tunnel monitoring between Paloalto and fortigate firewall,

Inside tunnel i have 6 to 7 proxy ID.
one proxy id i have created for tunnel ip traffic and remaining all are norm

The same traffic is getting allowed by one rule and blocked in firewall by another (please refer scrnshot)

So we have a explicit Deny all rule at the bottom most, and there is another rule by which the same traffic is also getting allowed.

The allowed rule has dest as any and has URL category in it with service as https.

So if u can see the screenshot s