Next-Generation Firewall Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

Why would an active firewall in an active-passive HA configuration broadcast gratuitous ARPs every 60 seconds?

I found a KB article stating that the active firewall sends out gratuitous ARPs every 60 seconds during normal operation, but it doesn't explain why. What is the reason for this behaviour? https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004Ny3CAE

HA failover on Acitve Passive concerns

Hello all, I would like to get some idea/thoughts about the current setup on my two PA1410 Active/Passive FW failover concerns. Few weeks ago, our Active FW has some issues and hung on the data plane. I found there was some missing configurations on our network side so the Failover didn't work at all. So eventually I resumed it, and raised the...

Global Protect is having issues with newer MACOS version.

Hi, I have problems trying to sign in some mac users that are running some SEQUOIA and TAHOE version, the only version that is working is 15.7.4 Sequoia version. It seems that the gl client is unable to authenticate. I checked in logs and it seems that the gp client is not able to open a .dat file 04/15/2026 17:06:14:954 [Info ]: Portal pre...

Security Policy Disappears After Commit – Palo Alto in Azure with Panorama

We have Palo Alto deployed in Azure, using Panorama. When my colleague created a policy, it took time to commit, and then the policy automatically disappeared. We want to understand possible reasons for a policy deletion in this setup. She created the policy again from starting.

Study Material (PDF) for Next generation Firewall Engineer

Hi people,May I have the link to download the Next Generation Firewall Engineer study material, which is a PDF doc? I am looking to prepare for the certification. Thank you

Firewall SSH, the login succeeds with TACACS Account, but there is an issue that closes the session immediately.

Hello, everyone. Firewall has OS of 10.2.4-H2. When TACACS account to connect to Firewall SSH, the login succeeds, but there is an issue that closes the session immediately. In Firewall System-log, authentication and authorization were successful and it was confirmed that the Superuser role was granted.. However, a "create-admin-acct-err...

Rapid7 Insight Agent not showing as vendor in HIP Object Anti-Malware tab despite OPSWAT V4 support

Hi everyone, I'm trying to configure a HIP Object to detect Rapid7 Insight Agent as an antimalware vendor, but the vendor doesn't appear in the Anti-Malware dropdown when creating the HIP Object. According to the OPSWAT support chart (software.opswat.com), Rapid7 Insight Agent is listed under Signature 4098 with categories ANTIMALWARE and HEAL...

Stupid question, but how to show all vsys in CLI with one command?

Hey guys, this may be a stupid question but I just cannot find the appropriate command for this after googling for nearly an hour. I just want to display all vsys via CLI in one command without the need of "?". Something like show virtual-system all or so. Is this even possible?

VPN peer ID

Hi guys, we have a 3rd party VPN peer who must set the Peer Identification value, the tunnel works fine, but on their side the tunnel ID IP address can change depending on whether they are on their active or standby firewall, and that means we need to update config and push policy to get it online (this is a regular occurrence) I thought abo...

Resolved! HSCI port - amber blinking LED on both primary and secondary devices (5445)

Hey guys I have 2 PA-5445 in HA setup, I noticed that the HSCI port shows blinking amber LED on both sides. Dashboard shows HA is up. Should it be green or is it fine? Because the 5260 models show solid green LED.

PAN-275077 is this bug still affected in 11.1.10-h1?

I am currently observing behavior where both Sinkhole and Alert actions are being logged simultaneously for the same malicious domain. When performing an nslookup from the affected endpoint, the domain resolves correctly to the Sinkhole IP, which indicates that the sinkhole functionality is working as expected. However, I continue to see “Aler...

TS-Agent 11.1.1 Compatibility

The Compatibility Matrix shows that TS-Agent 11.1.0 is compatible with (only) Citrix XenApp 7.x According to the matrix, the TS-Agent 11.1.1 is not compatible with ANY version of Citrix XenApp Is this correct? Has TS-Agent 11.1.1 deprecated all support for Citrix? There is nothing in the release notes to suggest this which would seemto be a...

InPlace Upgrade Windowsserver with User ID Agent

Hello, we are planning to upgrade a windows 2016 server to windows server 2022. On the server we have installed the User ID Agent for NGFWs. Has someone experience with the upgrade? Is it possible to make a InPlace Upgrade or is it better to install the agent on a new server? Thanks!

NGFW unable to fetch device certificate due to bug

Hi Team,In reference to PAN-313623 describes an issue on Palo Alto Networks firewalls with Trusted Platform Module (TPM), support where device certificate renewals, may fail due to a disk partition becoming full . This occurs because temporary .pub_pem files accumulate in the /opt/pancfg/mgmt/ssl/private/ directory and are not deleted during dev...

Source and destination is APIPA or Soure is Legit machine and destination to Internet(zone) is APIPA

In Palo Alto firewall we see legit source from zone inside to Internet zone send traffic to destination 168.254.x.x it's apipa ip. why do we see this traffic? in some cases its from APIPA to APIPA IP. or Legit source to APIPA IP (internet zone)

Discussions

Welcome to the Next-Generation Firewall Discussions!

Why would an active firewall in an active-passive HA configuration broadcast gratuitous ARPs every 60 seconds?

HA failover on Acitve Passive concerns

Global Protect is having issues with newer MACOS version.

Security Policy Disappears After Commit – Palo Alto in Azure with Panorama

Study Material (PDF) for Next generation Firewall Engineer

Firewall SSH, the login succeeds with TACACS Account, but there is an issue that closes the session immediately.

Rapid7 Insight Agent not showing as vendor in HIP Object Anti-Malware tab despite OPSWAT V4 support

Stupid question, but how to show all vsys in CLI with one command?

VPN peer ID

Resolved! HSCI port - amber blinking LED on both primary and secondary devices (5445)

PAN-275077 is this bug still affected in 11.1.10-h1?

TS-Agent 11.1.1 Compatibility

InPlace Upgrade Windowsserver with User ID Agent

NGFW unable to fetch device certificate due to bug

Source and destination is APIPA or Soure is Legit machine and destination to Internet(zone) is APIPA

Palo Alto 820 - Software Update for CVE-2026-0300

In PAN version 9, public IP addresses and the VPN were accessible from the Intranet.

PAN-OS HA UGRADE PATH

Unable to find "Hide My IP" application on firewall (Applipedia shows it exists

HSCI port - amber blinking LED on both primary and secondary devices (5445)

Re: Unable to find "Hide My IP" application on firewall (Applipedia shows it exists

Re: Azure "az" command and decryption

Re: Azure "az" command and decryption

Re: HA failover on Acitve Passive concerns

Rapid7 Insight Agent not showing as vendor in HIP Object Anti-Malware tab despite OPSWAT V4 support

Unlock your full community experience!

Resolved! HSCI port - amber blinking LED on both primary and secondary devices (5445)