Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

  • Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not.
  • Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4593 Views
  • 0 replies
  • 1 Likes

Deepseek Restriction

I've noticed when trying to just use the appIDs, any web traffic not able to be identified ("incomplete", "insufficient-data") will hit the policy even though the appID doesn't technically match the policy. My other thought was just to allow the unidentified traffic on 80/443 in a policy just before the deepseek policy but that is not an option ...

LBSalvat by L0 Member
  • 1405 Views
  • 0 replies
  • 0 Likes

Difficulty in Displaying Unused Firewall policies in PA networks using API key

Below is the script I have been working on that helps to display all the firewall policies of a device group. Now I'm having trouble making the script display the Rule usage, as used, partially used, or unused as shown next to a policy. The script keeps on returning N/A every time I run it. Can someone help? import requests import xml.etree.El...

Resolved! Package manager upgrade failures to certain sites

Hello, We have a case open for this that has been turned over to internal dev but I thought I would post this here to see if anyone else was experiencing this issue. This is on a 5260 running 10.2.7-h3. We have been tracking down this issue for a long time. It started as Mac build servers that reach out to the Internet using brew to install package...

Query on Load configuration snapshot operation

Hi, We are trying to take a config backup on the firewall. We have saved a named config snapshot with the name, let's say, "config". As the next step, instead of doing export named configuration snapshot, we selected Load named configuration snapshot and loaded the previously saved file named "config" by mistake. Received a popup saying Config loaded from config.xml...

New software 11.1.6-h3 network issue

Hi guys, May I ask if any of you are currently using the latest preferred version 11.1.6-h3? Recently, I upgraded my firewall from 11.1.4-h9 to 11.1.6-h3 in my lab (VM workstation environment), and my firewall has become very slow. I am unable to access the management page through GUI and SSH commands. Currently, my VM-PA uses 8GB of memo...

APP ID

Hello Techie, I have one generic query related to the app id feature. One of the PA docs says it requires 4 packets or 2000 bytes to identify any single application, whereas in a live scenario I do see it works with only 1 single layer 7 packet (C2S/S2C) that can identify the application, though it was for DNS traffic. Is it specific to UDP traffic? Thank...

Restart button is grayed out under both IKE Info and Tunnel Info on IPSec tunnels

Hello folks, I am not sure when this happened but I suspect it was when we upgraded to PAN-OS 11.1.3. On my PA-3250 when I go into Network > IPSec Tunnels in PAN-OS, and then click either IKE Info or Tunnel Info, I am no longer able to restart the connections. The Refresh button is available but Restart is grayed out. This is on all of my VPN tun...

license for PA-220

Hi, I am a private user and wanted to purchase the PA-220 device, but I wanted to know where I should go to purchase the basic threat protection license for this device. I am based in Italy and it would probably be easier if there is some online store available, but it is not easy to find. Can someone please explain the process? Regards, Antonio

External Dynamic List is not showing while creating a policy.

I am trying to create an external dynamic list to block incoming traffic from some IPs. I have created an EDL list listening to a server on LAN to fetch the IPs. However, when I am trying to create a policy, the EDL option is not showing under the drop-down menu. Is there anything I am missing? Thanks in advance! Screenshots are attached for re...


Soft and hard lifetime in IPSec

Hi, I think I understand what soft lifetime is, but I can't see anywhere in the IPSec config to set it. Is it something that Palo Alto sets by default based on the hard lifetime? Also, I am having some issues with my tunnel, and when I set the debug, the soft lifetime between Palo Alto and the other end (different vendor) doesn't match. Can this cause the issue...

AY_FASAR by L1 Bithead
  • 2018 Views
  • 1 replies
  • 0 Likes

Resolved! openSSH version 9.8 or later in PAN-OS

Hi Guys, Hope you are all doing well. Just wanted to confirm which PAN-OS currently has an openSSH 9.8 version or later? Following this kb article: How to check the OpenSSH version the PAN-OS device is using - Knowledge Base - Palo Alto Networks. I did try to check it on Palo Alto networks OSS Licenses, however seems like the most updated PAN-OS tha...

RVizcarra by L4 Transporter
  • 3856 Views
  • 2 replies
  • 0 Likes

Tunnel inside of Tunnel

I have a site-to-site tunnel configured and established between Palo Alto and Juniper vSRX. I am trying to route an IPSec tunnel through the existing tunnel. I am able to ping through the existing tunnels, so connectivity exists. I have applied an "ANY/ANY" policy as well. The issue is the traffic from the "spoke/remote" is able to send the ...

skey4867 by L0 Member
  • 1265 Views
  • 2 replies
  • 0 Likes
  • 1586 Posts
  • 61 Subscriptions