This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.
About Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Start a conversation

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4590 Views
  • 0 replies
  • 1 Likes

Data plane cpu 100% (pa-3410)

Hello! We have a PA-3410 in our corporate network, and yesterday we encountered a problem: the data plane CPU reached 100%, and disabling the Decryption rules helped. Are there any solutions to this issue? Device is up : 53 days 12 hours 43 mins 57 sec Packet rate : 232,316/s Throughput : 1,559,508 Kbps ...

A.Bekim by L1 Bithead
  • 1337 Views
  • 4 replies
  • 0 Likes

Renew of Self Signed SSL Forward Trust Certificate without Root CA

Hello,I have a self-signed (self-generated) certificate without a Root CA on a firewall, which is used for SSL Forward Proxy to decrypt traffic. The certificate is valid for 10 day and has been imported on client machines as a trusted root CA.The question is that : If I renew this certificate on the firewall, will I need to re-import it on ...

fkuecuek_1-1755079916908.png

HA error when configuring

High-availability ha1 encryption requires an import of the high-availability-key(Module: ha_agent) client ha_agent phase 1 failure Any ideas why this is happening? I have configured 3 other HA pairs with no issue. PA1 PA2

MAllen_1-1755178114085.png
MAllen_0-1755178085803.png
MAllen_2-1755178169452.png
MAllen_3-1755178206678.png
M.Allen by L1 Bithead
  • 1293 Views
  • 1 replies
  • 0 Likes

Security Profile Evaluation

Hey Community! In Palo Alto NGFW, when multiple Security Profiles (like Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, DLP, etc.) are applied to a Security Policy How does the inspection happen? Is it sequential (one profile after another)?Or is it parallel (all inspections happen simultaneously)?Also, if a pack...

Edsnow by L3 Networker
  • 690 Views
  • 1 replies
  • 0 Likes

PALO ALTO FIREWALL , lan interface internet issue

I currently have a palo alto VM on my VMware esxi environment and i have setup the LAN and WAN interfaces and also created a dhcp scope on my lan interface and connected it to my windows server 2019 also on the esxi environment but i can se traffic to the internet and google dns 8.8.8.8 on palo alto traffic logs but on the windows server 2019 it...

HA Links Over DWDM

Currently have a couple pairs of Palos (internal and external), with an HA pair over at a remote location. These 2 sites at connected via redundant DWDM devices (SmartOptics to be precise). Currently the HA links are just connected to a core switch, then passes to the other site over a stretched VLAN. Just seeing if it'd be wise to just move the...

Errors with Data Redistribution (User-ID Agent) on Labs Environment

Hi all, I am searching Palo Alto User-ID configuration and build Labs on EVE-NG use Palo Alto KVM. Now I can set up LDAP and Group Mapping , it's working. But I can not set up Data Redistribution, Connection between Firewall and User-ID Agent is No. (Connected No, log as bellow). I created Certificate and add it to Agent already. I am using P...

Clientless VPN and Remote Desktop

I have a question about clientless VPN and Remote Desktop. We have a Global Protect portal, but we only use it with the client. I have a new project to provide remote access via RDP to an internal windows computer for a select user. I've never done clientless VPN on a palo before, but as I understand it is possible. Expectation is that the use...

Header Insertion doesn't work

Hi, I try to enable HTTP Header Insertion to allow only my company's domain. I see the header insertion in the logs, but I got an error: This account is not allowed to sign in within this network. Please talk to your network administrator for more information." I got this error when I try to use a Gmail domain, for example, but even if I ...

K.Balas by L0 Member
  • 507 Views
  • 0 replies
  • 0 Likes

About upgrade an HA configuration

Hello Team, Standalone PAs can be upgraded by skipping multiple versions starting with 10.1. Is this skip feature supported for HA? I checked the documentation, but I couldn't find anything that clearly stated that it was supported in an HA configuration. HA configurations didn't work if the minor versions were more than two apart. Howev...

Dos Policy Value Finetune

Hello, We are currently using PA-3420 appliance & we have configured DOS Policy with default values, which is as below: Action Current Value Alarm Rate 10000 Activate Rate 10000 Max Rate 40000 Block Duration (Sec) 300 We have feteched last 30days connection per second report & as per the report max...

Single interface failing LACP negotiation after PAN-OS update

I'm having an issue with a single interface in an aggregate bundle failing LACP negotiations after updating one network's firewalls from PAN-OS 10.2.13 to 11.1.6.I have two separate networks (Network A and Network B) each with two PA firewalls in Active/Passive HA. I have these firewalls cross connected to each other to provide a transit network...

P.Betts by L0 Member
  • 1204 Views
  • 0 replies
  • 0 Likes
  • 1586 Posts
  • 61 Subscriptions
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks