Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating. Rules and Best Practices: Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4560 Views
  • 0 replies
  • 1 Like

Firewall Policies App Dependencies Order

For app dependencies, is it better to include the dependency in the policy with the dependent app each time, or to make an allow rule for all dependencies first? Say I have two app policies for different apps that each use SSH. Should I include SSH in each app, or set one policy above them that allows SSL?

E.Burke by L1 Bithead
  • 823 Views
  • 1 reply
  • 0 Likes

Firewall query

I have a Meraki that has an SVI for VLAN 5, 172.18.5.2, and it's trunked to a firewall that also has an SVI for VLAN 5, 172.18.5.1. There is a default route from the Meraki pointing to 172.18.100.1, which is on the firewall. The Meraki has an SVI 172.18.2.1. Server 172.18.5.76 is unable to reach iDRAC 172.18.2.75 via HTTPS, though ANY is allowed on the firewall. I...

Can Policy-Based Forwarding be detected with the following OIDs?

I have set up Policy-Based Forwarding on a PA-220. We would like to be able to detect alerts on the monitoring server side via SNMP trap when a ping drops and the path switches in Path Monitoring. Can the following OIDs be used for detection? panPBFNhUpTrap: 1.3.6.1.4.1.25461.2.1.3.2.0.1100, panPBFNhDownTrap: 1.3.6.1.4.1.25461.2.1.3.2.0.1101

n-tomo by L2 Linker
  • 722 Views
  • 1 reply
  • 0 Likes

"Failed to Validate Client Certificate" Error with User-ID Agent

Hi Community, We're encountering an issue with our Windows-based User-ID Agent installed on the server. Specifically, we're receiving the error message: "Failed to validate client certificate: No connection found." Here's what we've tried so far to resolve the issue: Verified Certificate Locations: Checked Device > User Identification > ...

Jagdeep1 by L2 Linker
  • 20616 Views
  • 9 replies
  • 1 Like

Licensing issues

Hello, I purchased a PA-850 from the marketplace that I am trying to license. However, it seems I will have to go through the Secondary Market Policy. I am finding it difficult to register this device. Please advise on what I have to do.

PA outbound security policy - Terraform to AWS console

We have an on-prem dev environment with outbound access through a PA-3220 running 11.0.4-h6. We are trying to craft a rule to allow an on-prem source to connect to the AWS console to run Terraform scripts. We've tried using application type amazon-aws-console with and without the web+ssl dependencies. Also tried restricting it to just http+https with ...

Resolved! Is it possible to have the same IP on the proxy ID of an IPsec tunnel and on the interface?

Good afternoon. For example, my ISP gives me a data link with IP address 192.168.20.2/28. I connect this to my interface 1/1, OK, and this works as my WAN. When I create the IPsec tunnel I put the same IP address on the proxy ID, 192.168.20/2/28, peer 10.10.10.10. Is this possible? Does it work, or are there some issues with routing, because in the static route I have 0.0.0.0/0...

URL games allowed through while blocked

Hi Gang, Fairly new Palo user here 👋 I'm having a headache where I have configured URL filtering to block students from accessing games. I have decryption in place; however, they are freely accessing those games (the site is categorized as both low-risk (alert) and games (block)). I've been reading forums and the block is supposed to take pre...

sudden reboot 11.1.6-h3

On 11.1.6-h3 we have multiple firewalls that reboot suddenly. In the "fault.log" I can see the following error: "core: [Hardware Error]: CPU 0: Machine Check: 0 Bank 0: ". The error is usually logged a few seconds before the reboot. Does anyone know if this is a hardware error and a replacement is needed, or is it a bug? Thank you!

NGFW Blocking Router Login Traffic After Policy Update – Requesting Guidance

Hi Community, I'm reaching out for help with an issue I'm facing on my Palo Alto Next-Generation Firewall involving router login and network access control. Issue: After updating security policies to improve our network posture, I'm noticing that router login attempts (to internal and remote routers) are being blocked or timing out. These router ...

Service Account used for User-ID Agent

Hi Support Team, We need to ensure the service accounts used for the User-ID agents installed on the domain controllers have the right Active Directory permissions, and limit the permissions to what is required for them to function. I have the following questions: 1. What are the required permissions and privileges for it to be functional? 2. What ...

Issue with Path Monitoring on Secondary ISP in Palo Alto Setup with Three ISPs

We're using three ISPs (Primary, Secondary, and Tertiary) in our Palo Alto firewall setup: Primary: Ethernet 1/1 – Metric 10 (path monitoring enabled with conditions set); Secondary: Ethernet 1/2 – Metric 20 (path monitoring enabled with conditions set); Tertiary: Ethernet 1/3 – Metric 50. However, the path monitoring on the secondary interface i...

Jagdeep1 by L2 Linker
  • 1106 Views
  • 1 reply
  • 0 Likes

PA-220 beginner

Hello all, I am new to this field and to the PA-220 firewall. However, I have one MikroTik where port1 is connected to the ISP and port2 on the MikroTik is connected to my switch. How can I configure the firewall? How do I start? All replies are welcome and I will appreciate any assistance. Thank you in advance, Antreas

Palo Alto Explicit Proxy Traffic Issue

Hello Team, We have configured the Palo Alto firewall as an Explicit Proxy using Kerberos authentication in alignment with the Admin Guide. However, we're noticing that the designated traffic is not routing through the Proxy as expected and is failing to initiate from the Proxy-Zone to the Internet-Zone. When attempting to access a webpage from a ...

Resolved! IPsec tunnel Phase 2 is down but IKE Phase 1 shows green

Hi everyone, I have an Arista Untangle firewall deployed at a remote site, and I’m trying to establish an IPsec VPN tunnel between it and a Palo Alto firewall. The tunnel comes up on the Untangle side and shows as active, and on the Palo Alto side, IKE Phase 1 is green, but IPsec Phase 2 remains down. I've triple-checked the configurations on bo...
