Different DNS Servers

Hello,

We have a lot of servers in production (PRD) and development (DVE) domain.

Servers in PRD domain use our internal PRD-DNS-Server and those in DVE domain use our internal DVE-DNS-Server. Our PA-5400 series firewall is considered to be PRD domai

User Identification Agent Error Access Denied

This is the error I'm getting when I have runed a command

- less mp-log useridd.log

2025-05-12 13:56:46.879 +0530 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1688): log query for AD-Server failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Acces

Packet Flow Sequence KB is Missing

Hello community,

There was a very good KB explaining the packet flow sequence on a Palo Alto firewall. It was an excellent resource both for study and tshooting because it contained a detailed list of steps on how the firewall processes the packet fro

Bottom most Explicit deny all policy not capturing URLs for Url filtering logs.

So we have a URL filtering profile, which when enabled i can see URL filtering logs for a any any test policy, however there is a Deny All policy we created at the bottom most in policy, I have enabled URL filtering profile for that rule. I am seeing

PA 850 ETH1/1 disabled

Need your help we setup a new PA850 to replace our PRIMARY FW in EUR. Now the config has been push to the device however, i'm seeing the eth1/1 is disabled for some reason.

Is there a command that I can forcefully enable it? even on GUI it shows RE

Ipsec tunnel monitoring issue

Hello All,

Iam having a issue with paloalto tunnel monitoring.

I have configured tunnel monitoring between Paloalto and fortigate firewall,

Inside tunnel i have 6 to 7 proxy ID.
one proxy id i have created for tunnel ip traffic and remaining all are norm

The same traffic is getting allowed by one rule and blocked in firewall by another (please refer scrnshot)

So we have a explicit Deny all rule at the bottom most, and there is another rule by which the same traffic is also getting allowed.

The allowed rule has dest as any and has URL category in it with service as https.

So if u can see the screenshot s

Meraki clients unable to access internal resources

I'm having an issue where devices on the internal network cannot access internal resources. Ping works, but browsing on 80 or 443 does not.

Devices are on the same vlan, subnet and Palo Alto security zone as the wired devices. Wired works, wireless

Palo alto denying the traffic randamly

A simple rule is created in my firewall, where the traffic is allowed from our servers to the fqdn which is reaiding in internet. Application is as any and in service 443 is allowed.

Sometimes firewall is allowing the traffic , sometimes it is denyin

Vlan extend layer 2 - Pair of firewalls HA (Active passive) in differents Sites

Is it possible to extend a VLAN across two pairs of Palo Alto Networks firewalls in an HA (active-passive) configuration located at two different sites (Site A and Site B), while allowing each HA pair to use the same virtual IP address range?

What are

Firewalls in HA

I am facing one issue, my active firewall is not down but I am not able to access it via GUI and CLI (The management access is gone). In this case I want to make my secondary firewall as active. If I change the priority of secondary firewall will the

URL category for anydesk

Hi community!

I´m trying to create a url custom category that matches Anydesk traffic so I can decide what non-decrypt rule anydesk is using.

In the URL filtering logs I only see the url anynet%20relay:6568 and I tried to create a custom category w

HA Active‑Passive 3420 Both Nodes Stuck – Suspecting LACP Issue

Hello,

Yesterday our HA infrastructure on a pair of Palo Alto PA‑3420 (Active‑Passive) firewalls completely froze. Both units continued to believe they were the active peer, and automatic failover never occurred. We had to manually reboot the actual