Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4633 Views
  • 0 replies
  • 1 Likes

Vlan extend layer 2 - Pair of firewalls HA (Active passive) in different Sites

Is it possible to extend a VLAN across two pairs of Palo Alto Networks firewalls in an HA (active-passive) configuration located at two different sites (Site A and Site B), while allowing each HA pair to use the same virtual IP address range? What are the standards and protocols that support this architecture with Palo Alto Networks firewalls? We...

jrcsss by L0 Member
  • 2092 Views
  • 1 replies
  • 0 Likes

Firewalls in HA

I am facing one issue: my active firewall is not down, but I am not able to access it via GUI and CLI (the management access is gone). In this case I want to make my secondary firewall active. If I change the priority of the secondary firewall, will the change be pushed in the Palo Alto firewall? And will my secondary become the active one? My fir...

URL category for anydesk

Hi community! I'm trying to create a url custom category that matches Anydesk traffic so I can decide what non-decrypt rule anydesk is using. In the URL filtering logs I only see the url anynet%20relay:6568 and I tried to create a custom category with that url but it doesn't seem to match. I have followed also the suggestions from this disc...

Carracido by L4 Transporter
  • 3481 Views
  • 2 replies
  • 0 Likes

HA Active‑Passive 3420 Both Nodes Stuck – Suspecting LACP Issue

Hello, Yesterday our HA infrastructure on a pair of Palo Alto PA‑3420 (Active‑Passive) firewalls completely froze. Both units continued to believe they were the active peer, and automatic failover never occurred. We had to manually reboot the actual active node to restore service. We suspect the root cause is related to LACP on our aggregated in...

unibg_it by L1 Bithead
  • 1303 Views
  • 1 replies
  • 0 Likes

PA-410 and logs

Hello experts, We want to buy a PA-410. Because no local logs are available, is it possible to purchase and store the logs to Strata Logging Service without Strata Cloud Manager? Thanks, SdG

HA Configuration Issue with Panorama-Managed Firewall with reason TCP channel failed, reverting configuration.

Hi Team, We are currently facing an issue with a customer related to the configuration of High Availability (HA) in their firewall setup. Below is a brief overview of the scenario: The customer has two firewalls: One is managed by Panorama (all configurations are expected to be pushed from Panorama). The other is locally managed. The goal is t...

observing high cpu utilization on daily basis and the main CPU consumers are multiple pan_task processes, each using around 70% CPU, and running cont

Below is the output of show system resources. Kindly please let me know, is it a normal behavior or do we need some changes to be done.
top - 06:37:58 up 153 days, 11:11, 1 user, load average: 48.31, 48.22, 40.92
Tasks: 258 total, 43 running, 211 sleeping, 1 stopped, 3 zombie
%Cpu(s): 96.9 us, 2.8 sy, 0.3 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si...

Planned Migration from PA-820 to PA-445 Firewall

Hello, We plan to replace the PA-820 firewall with the PA-445. A configuration snapshot will be taken from the PA-820 and imported into the PA-445. After the import, verify whether all settings have been successfully transferred and if the migration process is proceeding smoothly. The configuration to be migrated includes: 1. Int...

URL filtering or tightening up on GlobalProtect security rule?

I have a security rule for my GlobalProtect, and want to see if I can make it even tighter.... Source Zone: untrust (outside) Address\User\Device: Any Destination Zone: untrust Address: IP of my interface/GlobalProtect IP Device: Any Application Any Service/URL GP-4501 (4501/udp) service-https Category: Any Actions Just a vulnerab...

FIPS-CC cannot log into firewall

We have an HA pair of PA-440s running 11.1.6-h3 in FIPS-CC. Recently the Active firewall stopped allowing us to log into it or connect with Global Protect using local user accounts. Neither the GUI nor SSH works - it just times out. Seeing how it's in FIPS-CC mode the console port is turned off so I could not test access via console. The standby ...

sos66sos by L1 Bithead
  • 1226 Views
  • 2 replies
  • 0 Likes

Terminal Service Agent with Azure Virtual Desktop

Our organization is moving away from Citrix VDI and exploring Azure Virtual Desktop (AVD). One of Security's requirements is that we get userID from the endpoints. We have successfully installed the TS Agent on the AVD and can get UserID; no issues here. The challenge we have is that our Desktop team is planning to dynamically stand up and tea...

MarceloM by L0 Member
  • 4709 Views
  • 4 replies
  • 0 Likes

IPSec tunnel throughput drops to 0mbps after some time

While testing for maximum throughput over an IPSec tunnel, I noticed that after a while throughput drops to 0mbps. When the test started, both ends of the tunnel had about 4.5gbps throughput total. But at around the 18 minute mark of the test, the throughput dropped to 0mbps. It self recovered on one end but the other end did not. Subsequent te...

Internet issues

Dear all, I connect ISP directly to the Cisco switch and from the same Cisco switch I connect the outer ISP interface and connect to Firewall, the Firewall LAN interface again passes through the Cisco switch to the internal network. Are there any compatibility issues between Palo Alto and Cisco switch? which means I used Cisco switch as media...

Zola12 by L1 Bithead
  • 689 Views
  • 1 replies
  • 0 Likes

Expedition not supported/available anymore?

Hello, I heard Expedition would not be improved and in the future partners should rely on PANW professional services for migrations. Anyone know more than me and has an update? I also heard from other sources, that Expedition like app would be available under Strata Cloud Manager and the offline version would not be supported/improved officially...

F.Kakar by L0 Member
  • 850 Views
  • 1 replies
  • 0 Likes