Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4518 Views
  • 0 replies
  • 1 Likes

Resolved! Is it possible to have the same IP on proxy ID on IPsec tunnel and interface

Good afternoon, for example my ISP gives me a data link with IP address 192.168.20.2/28. This interface I connect to my interface 1/1, OK, this works like my WAN. When I create an IPsec tunnel I put the same IP address on proxy ID 192.168.20/2/28, peer 10.10.10.10. Is this possible? Does it work, or will I have some issues with routing, because in the static route I have 0.0.0.0/0...

URL games allowed through while blocked

Hi Gang, Fairly new Palo user here 👋 I'm having a headache where I have configured URL filtering to block students from accessing games. I have decryption in place however they are freely accessing those games (the site is both categorized as low risk (alert) and games (block)). I've been reading forums and the block is supposed to take pre...

Sudden reboot 11.1.6-h3

On 11.1.6-h3 we have multiple firewalls that reboot suddenly. In the "fault.log" I can see the following error: "core: [Hardware Error]: CPU 0: Machine Check: 0 Bank 0: " The error is usually logged a few seconds before the reboot. Does anyone know if this is a hardware error and a replacement is needed, or is it a bug? Thank you!

NGFW Blocking Router Login Traffic After Policy Update – Requesting Guidance

Hi Community, I’m reaching out for help with an issue I’m facing on my Palo Alto Next-Generation Firewall involving router login and network access control. Issue: After updating security policies to improve our network posture, I'm noticing that router login attempts (to internal and remote routers) are being blocked or timing out. These router ...

Service Account used for UserID Agent

Hi Support Team, We need to ensure the service accounts used for the UserID agents installed on the domain controllers have the right Active Directory permissions and limit the permissions to what is required for them to function. I have the following questions: 1. What are the required permissions and privileges for it to be functional? 2. What ...

Issue with Path Monitoring on Secondary ISP in Palo Alto Setup with Three ISPs

We’re using three ISPs (Primary, Secondary, and Tertiary) in our Palo Alto firewall setup: Primary: Ethernet 1/1 – Metric 10 (Path monitoring enabled with conditions set) Secondary: Ethernet 1/2 – Metric 20 (Path monitoring enabled with conditions set) Tertiary: Ethernet 1/3 – Metric 50 However, the path monitoring on the secondary interface i...

Jagdeep1 by L2 Linker
  • 1067 Views
  • 1 replies
  • 0 Likes

Pa220 beginner

Hello all, I am new to this field for firewall PA220. However, I have one MikroTik, of which port1 is connected with the ISP, and port2 on the MikroTik is connected with my switch. How can I configure the firewall? How to start? All replies are welcome and I will appreciate any assistance. Thank you in advance, Antreas

Palo Alto Explicit Proxy Traffic Issue

Hello Team, We have configured the Palo Alto firewall as an Explicit Proxy using Kerberos authentication in alignment with the Admin Guide. However, we’re noticing that the designated traffic is not routing through the Proxy as expected and is failing to initiate from the Proxy-Zone to the Internet-Zone. When attempting to access a webpage from a ...

Resolved! ipsec tunnel Phase 2 is down but IKE phase one shows green

Hi everyone, I have an Arista Untangle firewall deployed at a remote site, and I’m trying to establish an IPsec VPN tunnel between it and a Palo Alto firewall. The tunnel comes up on the Untangle side and shows as active, and on the Palo Alto side, IKE Phase 1 is green, but IPsec Phase 2 remains down. I've triple-checked the configurations on bo...

Different DNS Servers

Hello, We have a lot of servers in production (PRD) and development (DVE) domain. Servers in PRD domain use our internal PRD-DNS-Server and those in DVE domain use our internal DVE-DNS-Server. Our PA-5400 series firewall is considered to be PRD domain and hence uses internal PRD-DNS-Server to resolve FQDN objects. Now what happens is that inte...

PAFWNoob by L1 Bithead
  • 868 Views
  • 1 replies
  • 0 Likes

Resolved! Unable to Access Palo Alto Firewall via Public IP (Used as GlobalProtect Gateway)

Hi all, I'm facing an issue where I'm unable to access my Palo Alto firewall using its public (live) IP address. The same IP is configured as the GlobalProtect VPN gateway. As soon as I set the live IP as the GlobalProtect gateway, I can no longer access the firewall's management interface via that IP. It was working before assigning it to Globa...

User Identification Agent Error Access Denied

This is the error I'm getting when I have run a command - less mp-log useridd.log 2025-05-12 13:56:46.879 +0530 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1688): log query for AD-Server failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied 2025-05-12 13:56:46.879 +0530 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:...

Packet Flow Sequence KB is Missing

Hello community, There was a very good KB explaining the packet flow sequence on a Palo Alto firewall. It was an excellent resource both for study and tshooting because it contained a detailed list of steps on how the firewall processes the packet from the moment it enters until it leaves. It used to be accessible via this link, but it has been b...

Bottom most Explicit deny all policy not capturing URLs for URL filtering logs.

So we have a URL filtering profile, which when enabled I can see URL filtering logs for an any any test policy, however there is a Deny All policy we created at the bottom most in policy, I have enabled URL filtering profile for that rule. I am seeing normal network traffic but not any log under Monitor > URL filtering. Yes we do have URL filt...

  • 1795 Posts
  • 60 Subscriptions