This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.
About Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Start a conversation

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4510 Views
  • 0 replies
  • 1 Likes

How to block traffic from a specific ASN using DAG

I could use some assistance since AI sucks and gives you the wrong info. Here's what I would like to do, we already geoblock but I need to block malicious traffic (multible IP ranges) that's associated with a specific ASN. I've tried creating a dynamic address group with the following match criteria: 'ip.src.asnum AS14956'. I initially trie...

Resolved! File blocking upload

We have a requirement to Block uploads of file to Virustotal.com. We have SSL decryption working fine with URL filtering profiles applied. I created a new File blocking profile with application>> virustotal-base and virustotal web selected; File types>>All; Direction>>Upload; Action; Block Then i applied this profile to one int...

IPv6 and TLS 1.3?

I've been having some IPv6 issues (we're a dual-stack setup currently), and it seems like every time I fix one, I find another. The latest is an issue with some, but not all, IPv6 websites. Sometimes they'll load... sometimes they'll start to load and then stall. Sometimes they load, and then a refresh has them stalling. Looking at packet c...

jsalmans by L4 Transporter
  • 918 Views
  • 0 replies
  • 0 Likes

Resolved! PANOS upgrade to 11.1 - will UserID Agent 11.0 work?

Good afternoon, all! I'm preparing an upgrade on our PA-8XX firewall stacks from PANOS 10.2.X to the 11.1 train, which should be the last ones supported for these boxes. We are also running User-ID Agent 10.2.X, so I'll need to upgrade that, as well. However, I've not been able to accurately determine if UserID 11.0.X will work with PANOS 11.1.X...

ghughes by L1 Bithead
  • 1133 Views
  • 1 replies
  • 0 Likes

Resolved! Palo Alto wildcards for whitelist

I’m on panorama 10.2.12h-2 and have a silly question but after reading through the Palo Alto articles am a bit confused as I guess I don’t understand the difference between a URLs path vs subdomains I'm trying to whitelist https://app.e.dnv.com/e/bfs?s=861531437&lguid (<note not the full path for time and sanity reasons) but when I...

Kc_Dodds by L0 Member
  • 2842 Views
  • 1 replies
  • 0 Likes

NAT Translations Related to VPN Tunnels

Thanks for any help in advance. We have many partners that we create VPN tunnels with. To save time and to avoid IP overlap, I would like to dedicate a private subnet like 10.10.0.0/16 and route that subnet toward our Palo firewall that terminates VPNs. I would like to use IP addressing in that subnet to NAT the partner traffic as it comes...

User-ID Integration with AD Failing (Access Denied / Kerberos Errors – Event ID 10036)

Hi Team, I'm working on integrating my Active Directory (Windows Server 2016) with a Palo Alto PA-450 firewall to enable User-ID functionality. While setting up the server monitoring configuration, I'm running into issues when using both WMI and WinRM-based authentication. Issue Details: When using WMI: The firewall shows Access Denied under S...

URL filtering - allows blocked traffic

URL filtering logs show web traffic that matches a custom URL category that we use to block / deny traffic to certain malicious domains, but the traffic doesn't match the deny rule, it matches a generic rule we have for https/http traffic.Why would the firewall clearly show on the URL filtering logs that it matches the URL category used for blo...

Robert2 by L1 Bithead
  • 1175 Views
  • 4 replies
  • 0 Likes

Resolved! Syslog to one or two servers with default and custom log format

Hey all, I am wondering if this is possible. I understand this duplicates logging, but hopefully it's short-term. I need to send syslog to either one server in default and custom log formats or send to two syslog servers one in default and the other in custom log format. It seems like the profile only allows for either default or custom log form...

impact of Graceful Restart in the routing table reconvergence

Hello! We have 2 BGP peerings with 2 different routers and via both of them we can reach same network. When we disable a network link to force one peering to go down, it takes about 3 minutes to reroute the traffic via the other peering, time during which the traffic is dropped. Could be this issue due to Graceful Restart (GR) enabled and th...

Carracido by L4 Transporter
  • 660 Views
  • 0 replies
  • 0 Likes

Resolved! Tried to load config snapshot from a different firewall and Admin credentials got overlapped

I’d like to get your input on the following scenario: We have two standalone firewalls, let’s refer to them as Firewall A and Firewall B. Firewall A has become defective and needs to be replaced. Since Firewall B has already been decommissioned, we plan to repurpose its hardware for Firewall A. We attempted to restore Firewall A’s configuration ...

Need sample logs for all Next Generation Firewall log events for Integration Testing

Hi team,I'm currently working on integrating log analysis and would like to collect sample log events for all Next Generation Firewall log event typesIs there a way to access a reference dataset or sample payloads for each log event type for testing and validation purposes?Thanks in advance!

Hardware firewall, cant find the CPU "data, and mgmt plane" logs

Hello Team, I am trying to navigate in the system logs to find the data and mgt plane, and memory utilization but I cant find any. I have Panorama as syslog and I can find the resources utilization logs received in the panorama, but cant find them in the firewall it self. - How to find these resources utilization logs? - Is it p...

"LAN" and "WAN" interfaces for the Palo Alto Networks Cloud NGFW SaaS offering within Azure Virtual WAN

Hello Team,We are in the process of switching over from VM-Series PA to PA SaaS within Azure vWAN. Palo Alto VM-Series firewall, we explicitly created and configured LAN and WAN, however for PA SaaS within Azure vWAN is there a need to create? We also cannot create a new VNET/Subnet in Azure vWAN to associate it with the interfaces, so how doe...

  • 1794 Posts
  • 60 Subscriptions
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks