Next-Generation Firewall Discussions

IPSEC_ESP port 50 Traffic even when IKE Phase-1 is not up

We are running into an issue, where we have 2 Palo Firewalls and we are trying toe establish S@S VPN between them. Both the tunnels are behind NAT devices and we do have NAT-T Enabled.

We can see in IKE MGR.logs that the initiator is trying to reach

Connection Aged to archive.apache.org, but works through another PA firewall

We are trying to connect archive.apache.org from Cloud VM, it does not work but shows it is allowed in logs, but session shows aged out and application shows incomplete.

But the same is working through another PA firewall 

What could be it?

Firewall Rules

I was wondering if anyone had any interest or thoughts, but I am tired of always having to build rules for popular products that are not well-documented.  I was thinking of starting a forum to share these common configurations so we all don't have to

PANGFW integration with ESET XDR

Hi everyone,

Can i integrate PANGFW with ESET XDR like Cortex XDR? As i know Cortex XDR can read and understand PA logs and it can creates incidents and alerts via those logs. Can i do it with ESED XDR?

What does FBO stand for

We are troubleshooting something with TAC wherein they asked us to set the FBO to "Software". 

What, exactly, is an FBO? I cannot find any references thereto in the docs besides the CLI reference, and that tells me nothing.

Syslog forwarding to Microsoft Sentinel

hello everyone.

seems we got a weird one here.

So we took the CEF format that the pdf guide says

https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cef/pan-os-10-0-cef-configuration-guide.pdf

heres the weird thing.

we truncated it to

HA Passive interfaces not coming up.

Hi All, I have searched the community before posting however I cannot find a solution for the issue I am experiencing.

We have a very straightforward physical topology. A cisco 9500 sw switch stack operating as a stackwise-virtual chassis. On Switc

Traffic Issues

Hi Friends,

We are seeing this issue with one of our customer in recent few days where a particular destination traffic which should go via security rule are passing via PBF policies which is not expected.

The Destination address which is not spe

OSPF Area Question

Can you have an area be normal on 1 interface and NSSA on another interface?

Say you have area 1.

Area 1 has neighbor on interface 1 with normal type.

Can another Area 1 interface be brought online on different interface 2 with NSSA type?

Untrust interface is not coming up after firmware upgrade

Untrust interface is not coming up after firmware upgrade in PA-220

PA-820 random Decyption Error

Since a few month we got more and more random outbound decryption errors. When the user wait a moment the website will automatically open correct. The browser error messages are "err_connection_reset" or net:err_cert_authority_invalid". In the decryp

Unexpected Classification of 443 Traffic as "naver-line" with Subcategory "voip-video

Hi everyone,

1) End user has confirmed that these users' computers do not have the LINE application installed. However, the 443 traffic is being identified as "naver-line," with a subcategory of "voip-video." Could you please help us understand the