Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating. Rules and Best Practices: Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4517 Views
  • 0 replies
  • 1 Likes

Traffic hits policy with URL Category even though the traffic is not for that URL

We have several policies that permit traffic to 80/443 with no specific destination address, but with a URL category set for a specific URL. For example, we have a post-rule for VPN users to access our internal Splunk server via the URL. The issue I'm seeing is that I am trying to connect to another device using https://ipaddress and the traf...

jwill2 by L2 Linker
  • 1178 Views
  • 3 replies
  • 0 Likes

Resolved! Users with multiple devices: more than one ip per username

The gating question is: is it true that user-id on the firewalls supports only one IP address per username at a time? The follow-up question is: if so, what is the recommended solution for users logged into more than one device simultaneously with the same username to have all devices have policies applied correctly? Thank you!

uvdes by L2 Linker
  • 908 Views
  • 1 replies
  • 0 Likes

Palo Alto QOS configuration question

Created the below QoS configuration to limit the bandwidth to wasabi to 10 mbps on PA 440. When I checked the QoS statistics, the default group is getting used and not the one I created, and also the default group is restricted to 10 Mbps. Please guide me on how to fix it. Interface Ethernet 1/6 has a subinterface Ethernet 1/6.201. Create the QoS P...

Palo Alto Firewall Migration – VSYS Consolidation

Dears, We currently have a production environment running on two Palo Alto 5220 firewalls. We are planning to migrate to new Palo Alto 5410 firewalls. In the existing setup, the firewalls are divided into two VSYS (Vsys1 and Vsys2). Since Vsys1 is no longer in use, we only need to migrate Vsys2 to the new firewalls. So I need your advice

Ahmedeid by L0 Member
  • 747 Views
  • 1 replies
  • 1 Likes

Step by Step Radius Configuration for PA-1410

Dear Everybody, I have a problem configuring RADIUS on a Palo Alto Firewall 1410 series. I find different manuals for different methods, as below: Configuring Administrator Authentication with Windows 2008 RADI... - Knowledge Base - Palo Alto Networks; How To Configure RADIUS Server Profile and Add it to an Authent... - Knowledge Base - Palo Alto N...

Mokhairy by L0 Member
  • 1133 Views
  • 1 replies
  • 0 Likes

Palo Alto Kerberos for sso

Anyone hit the same issue before? 2025-08-16 20:35:38.768 +0800 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:218): prof "KRB-SSO", vsys "vsys1" (method: Kerberos pre-auth) has sso hash table id: 1 (0 means no or invalid keytab)

Policy destination field when using URL filtering

I need to write a rule that looks like this: Source zone: Internal; Destination zone: External; Source address: 10.38.105.201; Destination address: This is where it is tricky, I need the destination addresses to be *.myqlink.biz, *.med.myqlink.net, *.internapcdn.net but am aware you cannot use wildcards for FQDN objects, and needs to be done v...

Kc_Dodds by L0 Member
  • 1114 Views
  • 1 replies
  • 0 Likes

Finding IP of threat blocked via DNS Proxy

As our PA is configured at the moment, I see some notifications in the threat logs where a request from the Palo DNS proxy has been blocked from looking up something determined to be spyware. I can't find a matching log anywhere to indicate the IP which made the DNS request to the Palo's DNS proxy. I'd appreciate some direction. I'm aware some...

SASY-IT by L0 Member
  • 1198 Views
  • 1 replies
  • 0 Likes

Data plane cpu 100% (pa-3410)

Hello! We have a PA-3410 in our corporate network, and yesterday we encountered a problem: the data plane CPU reached 100%, and disabling the Decryption rules helped. Are there any solutions to this issue? Device is up : 53 days 12 hours 43 mins 57 sec Packet rate : 232,316/s Throughput : 1,559,508 Kbps ...

A.Bekim by L1 Bithead
  • 1175 Views
  • 4 replies
  • 0 Likes
  • 1795 Posts
  • 60 Subscriptions