Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4562 Views
  • 0 replies
  • 1 Likes

Different DNS Servers

Hello, We have a lot of servers in production (PRD) and development (DVE) domain. Servers in PRD domain use our internal PRD-DNS-Server and those in DVE domain use our internal DVE-DNS-Server. Our PA-5400 series firewall is considered to be PRD domain and hence uses internal PRD-DNS-Server to resolve FQDN objects. Now what happens is that inte...

PAFWNoob by L1 Bithead
  • 981 Views
  • 1 replies
  • 0 Likes

Resolved! Unable to Access Palo Alto Firewall via Public IP (Used as GlobalProtect Gateway)

Hi all, I'm facing an issue where I'm unable to access my Palo Alto firewall using its public (live) IP address. The same IP is configured as the GlobalProtect VPN gateway. As soon as I set the live IP as the GlobalProtect gateway, I can no longer access the firewall's management interface via that IP. It was working before assigning it to Globa...

User Identification Agent Error Access Denied

This is the error I'm getting when I have run a command - less mp-log useridd.log 2025-05-12 13:56:46.879 +0530 Error: pan_user_id_win_wmic_log_query(pan_user_id_win.c:1688): log query for AD-Server failed: NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied 2025-05-12 13:56:46.879 +0530 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:...

Packet Flow Sequence KB is Missing

Hello community, There was a very good KB explaining the packet flow sequence on a Palo Alto firewall. It was an excellent resource both for study and tshooting because it contained a detailed list of steps on how the firewall processes the packet from the moment it enters until it leaves. It used to be accessible via this link, but it has been b...

Bottom most Explicit deny all policy not capturing URLs for Url filtering logs.

So we have a URL filtering profile, which when enabled I can see URL filtering logs for an any any test policy, however there is a Deny All policy we created at the bottom most in policy, I have enabled URL filtering profile for that rule. I am seeing normal network traffic but not any log under Monitor > URL filtering. Yes we do have URL filt...


PA 850 ETH1/1 disabled

Need your help. We set up a new PA850 to replace our PRIMARY FW in EUR. Now the config has been pushed to the device; however, I'm seeing the eth1/1 is disabled for some reason. Is there a command that I can forcefully enable it? Even on GUI it shows RED status. I tried to disable or re-enable it on CLI and I got this error set failed, may...

weezy by L3 Networker
  • 1663 Views
  • 5 replies
  • 0 Likes

The same traffic is getting allowed by one rule and blocked in firewall by another (please refer scrnshot)

So we have an explicit Deny all rule at the bottom most, and there is another rule by which the same traffic is also getting allowed. The allowed rule has dest as any and has URL category in it with service as https. So if you can see the screenshot same traffic is getting blocked by bottom most Deny ALL and allowed by the <Int prod to lambda ...

Meraki clients unable to access internal resources

I'm having an issue where devices on the internal network cannot access internal resources. Ping works, but browsing on 80 or 443 does not. Devices are on the same vlan, subnet and Palo Alto security zone as the wired devices. Wired works, wireless does not. When monitoring source -> destination I see the wireless client picked up in a fire...

dp.med by L0 Member
  • 846 Views
  • 0 replies
  • 0 Likes

Palo Alto denying the traffic randomly

A simple rule is created in my firewall, where the traffic is allowed from our servers to the FQDN which is residing in internet. Application is as any and in service 443 is allowed. Sometimes firewall is allowing the traffic, sometimes it is denying. The only difference which I observed on the log is action source. If action source is from-pol...

Resolved! Ha failover for A/A firewall

Hello All, We have a setup of Active/Active firewall running with eBGP towards router 1 and router 2 respectively and static route for LAN segment (subnet 1 and 2). eBGP with As-path prepend for subnet 2 at firewall 1 and As-path prepend for subnet 1 at firewall 2. Static route from subnet 1 to hsrp ip and static route for subnet 2 to hsrp ip. ...

Vlan extend layer 2 - Pair of firewalls HA (Active passive) in different Sites

Is it possible to extend a VLAN across two pairs of Palo Alto Networks firewalls in an HA (active-passive) configuration located at two different sites (Site A and Site B), while allowing each HA pair to use the same virtual IP address range? What are the standards and protocols that support this architecture with Palo Alto Networks firewalls? We...

jrcsss by L0 Member
  • 2008 Views
  • 1 replies
  • 0 Likes

Firewalls in HA

I am facing one issue, my active firewall is not down but I am not able to access it via GUI and CLI (The management access is gone). In this case I want to make my secondary firewall as active. If I change the priority of secondary firewall will the change be pushed in Palo Alto firewall? And will my secondary become the active one. My fir...

URL category for anydesk

Hi community! I'm trying to create a url custom category that matches Anydesk traffic so I can decide what non-decrypt rule anydesk is using. In the URL filtering logs I only see the url anynet%20relay:6568 and I tried to create a custom category with that url but it doesn't seem to match. I have followed also the suggestions from this disc...

Carracido by L4 Transporter
  • 2713 Views
  • 2 replies
  • 0 Likes

HA Active‑Passive 3420 Both Nodes Stuck – Suspecting LACP Issue

Hello, Yesterday our HA infrastructure on a pair of Palo Alto PA‑3420 (Active‑Passive) firewalls completely froze. Both units continued to believe they were the active peer, and automatic failover never occurred. We had to manually reboot the actual active node to restore service. We suspect the root cause is related to LACP on our aggregated in...

unibg_it by L1 Bithead
  • 1231 Views
  • 1 replies
  • 0 Likes
  • 1589 Posts
  • 60 Subscriptions