This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.
About Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Start a conversation

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4559 Views
  • 0 replies
  • 1 Likes

NGFW unable to fetch device certificate due to bug

Hi Team,In reference to PAN-313623 describes an issue on Palo Alto Networks firewalls with Trusted Platform Module (TPM), support where device certificate renewals, may fail due to a disk partition becoming full . This occurs because temporary .pub_pem files accumulate in the /opt/pancfg/mgmt/ssl/private/ directory and are not deleted during dev...

PAN-275077 is this bug still affected in 11.1.10-h1?

I am currently observing behavior where both Sinkhole and Alert actions are being logged simultaneously for the same malicious domain. When performing an nslookup from the affected endpoint, the domain resolves correctly to the Sinkhole IP, which indicates that the sinkhole functionality is working as expected. However, I continue to see “Aler...

Rapid7 Insight Agent not showing as vendor in HIP Object Anti-Malware tab despite OPSWAT V4 support

Hi everyone, I'm trying to configure a HIP Object to detect Rapid7 Insight Agent as an antimalware vendor, but the vendor doesn't appear in the Anti-Malware dropdown when creating the HIP Object. According to the OPSWAT support chart (software.opswat.com), Rapid7 Insight Agent is listed under Signature 4098 with categories ANTIMALWARE and HEAL...

PAN‑OS versions affected by PAN‑307795

Attention: Global TPM team, Question:Which PAN‑OS 11.2 versions are affected by PAN‑307795? Background:This issue is listed under Addressed Issues for PAN‑OS 11.2.11.Based on that, I expected it to be listed in the Known Issues of earlier versions, such as PAN‑OS 11.2.7‑h4, but I could not find it there.Could you clarify which PAN‑OS 11.2 vers...

Is the unified RPC interface (MonitorDirect.enqueueLogRequest) supported for external use?

Hi all, I'm working on an integration that needs to query firewall logs across multiple log types (threat, url, wildfire, system, config, etc.) on a regular schedule. We currently use the public XML API (/api/?type=log), which works well but requires a separate request per log type. While investigating alternatives, we noticed that the PAN-OS we...

Resolved! Palo Alto 820 - Software Update for CVE-2026-0300

Hi there, I'm trying to patch the current secruity waring for CVE-2026-0300, but it is not clear to me which software version will fix the problem. My current system is on 11.1.10-h10 (PA-820 cluster). The official document from PA can be found here: https://security.paloaltonetworks.com/CVE-2026-0300 The versions in the product table whic...

2026-05-06 08_22_59-PA.png
Netzer by L3 Networker
  • 1884 Views
  • 8 replies
  • 0 Likes

PA-5450 MGT-A and MGT-B Management Ports configuration

Based on the PA-5400 MPC Component Descriptions, the MGT-A and MGT-B management ports are bundled by default as a LAG: "Two SFP/SFP+ management ports providing 1/10GE connectivity that are used to access the management interface. MGT-A and MGT-B are bundled by default as a LAG (link aggregation group). To leverage both ports, they must be conn...

Known issue (Issue ID: PAN-227368) with version 11.0.2. Will it be solved by 11.1.0-h2 to upgrade?

Change : We have upgrade to 11.0.2 post upgrade facing below issue. Issue ID: PAN-227368 Issue Statement : The GlobalProtect app cannot connect to a portal or gateway and GlobalProtect Clientless VPN users cannot access applications if authentication takes longer than 20 seconds.Workaround: Increase the TCP handshake timeout to the ...

Karthi_N by L1 Bithead
  • 2095 Views
  • 2 replies
  • 0 Likes

Azure "az" command and decryption

Hello, All. Working on Windows. A few days ago, tried to understand why the Microsoft Azure CLI "az" command line program was not working with decryption behind our PAN OS 10.2.10. Azure CLI is a python tool. I am currently running v2.77 (latest) I added the root CA to C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacer...

Rievax by L2 Linker
  • 4415 Views
  • 5 replies
  • 0 Likes

Not able to log XFF (Actual Client IP) in PaloAlto Logs even when we enable XFF and URL filtering profile in Palo's

Issue Summary – XFF Not Logged on Palo Alto (Even With Decryption ON) We are running a flow where AWS ALB inserts X-Forwarded-For (XFF) and the Palo Alto firewall performs SSL decryption + re-encryption: Flow:Client --> Internet --> AWS ALB (HTTPS) (Palo's are registered as TG IP) --> Palo Alto FW (SSL Decrypt) --> Server What worksA...

Difference in Session Synchronization configuration output in PAN-OS 11.2 Active/Passive HA

Hello experts, I would like to confirm the HA configuration behavior in PAN-OS 11.2.We have two firewalls configured in an Active/Passive HA pair. In the GUI, Enable Session Synchronization is enabled on both devices.However, when checking the configuration from the CLI, the following line is displayed on one device: ”set deviceconfig high-avail...

Palo Alto 3410 Firewall 100% DP CPU spike

Hello all,We are seeing sudden spikes in Data Plane CPU on our Palo Alto Networks PA-3410 firewalls running PAN-OS 11.1.13. The CPU usage jumps to 100% for a few seconds and then returns to normal automatically. This happens randomly, with no fixed timing. We have observed this at two different locations where we have PA-3410.Initially, we suspe...

EDL Scalability & Platform Limits – Best Practices

Hello Everyone, Looking for best practice recommendations on handling large IP-based External Dynamic Lists (EDLs). In cases where the EDL reaches platform limits (e.g., ~150K IPs), scalability becomes a challenge, especially when continuous updates are required and manual handling is not practical. Would appreciate your input on: More scalable...

A.AlHafi by L1 Bithead
  • 315 Views
  • 1 replies
  • 0 Likes

Resolved! Reason: Authentication profile not found for the user

local admin created with authentication profile set to none but still PaloAlto is looking for authentication profile for this local user and not allowing to login, saying invalid username/password and here at FW end we are getting the log- Reason: Authentication profile not found for the userPAN OS - 11.1.10-h1 - Is this is a bug in this version...

  • 1589 Posts
  • 60 Subscriptions
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks