Next-Generation Firewall Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

Why would an active firewall in an active-passive HA configuration broadcast gratuitous ARPs every 60 seconds?

I found a KB article stating that the active firewall sends out gratuitous ARPs every 60 seconds during normal operation, but it doesn't explain why. What is the reason for this behaviour? https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004Ny3CAE

HA failover on Acitve Passive concerns

Hello all, I would like to get some idea/thoughts about the current setup on my two PA1410 Active/Passive FW failover concerns. Few weeks ago, our Active FW has some issues and hung on the data plane. I found there was some missing configurations on our network side so the Failover didn't work at all. So eventually I resumed it, and raised the...

Global Protect is having issues with newer MACOS version.

Hi, I have problems trying to sign in some mac users that are running some SEQUOIA and TAHOE version, the only version that is working is 15.7.4 Sequoia version. It seems that the gl client is unable to authenticate. I checked in logs and it seems that the gp client is not able to open a .dat file 04/15/2026 17:06:14:954 [Info ]: Portal pre...

Security Policy Disappears After Commit – Palo Alto in Azure with Panorama

We have Palo Alto deployed in Azure, using Panorama. When my colleague created a policy, it took time to commit, and then the policy automatically disappeared. We want to understand possible reasons for a policy deletion in this setup. She created the policy again from starting.

Study Material (PDF) for Next generation Firewall Engineer

Hi people,May I have the link to download the Next Generation Firewall Engineer study material, which is a PDF doc? I am looking to prepare for the certification. Thank you

Firewall SSH, the login succeeds with TACACS Account, but there is an issue that closes the session immediately.

Hello, everyone. Firewall has OS of 10.2.4-H2. When TACACS account to connect to Firewall SSH, the login succeeds, but there is an issue that closes the session immediately. In Firewall System-log, authentication and authorization were successful and it was confirmed that the Superuser role was granted.. However, a "create-admin-acct-err...

Stupid question, but how to show all vsys in CLI with one command?

Hey guys, this may be a stupid question but I just cannot find the appropriate command for this after googling for nearly an hour. I just want to display all vsys via CLI in one command without the need of "?". Something like show virtual-system all or so. Is this even possible?

VPN peer ID

Hi guys, we have a 3rd party VPN peer who must set the Peer Identification value, the tunnel works fine, but on their side the tunnel ID IP address can change depending on whether they are on their active or standby firewall, and that means we need to update config and push policy to get it online (this is a regular occurrence) I thought abo...

Resolved! HSCI port - amber blinking LED on both primary and secondary devices (5445)

Hey guys I have 2 PA-5445 in HA setup, I noticed that the HSCI port shows blinking amber LED on both sides. Dashboard shows HA is up. Should it be green or is it fine? Because the 5260 models show solid green LED.

InPlace Upgrade Windowsserver with User ID Agent

Hello, we are planning to upgrade a windows 2016 server to windows server 2022. On the server we have installed the User ID Agent for NGFWs. Has someone experience with the upgrade? Is it possible to make a InPlace Upgrade or is it better to install the agent on a new server? Thanks!

Source and destination is APIPA or Soure is Legit machine and destination to Internet(zone) is APIPA

In Palo Alto firewall we see legit source from zone inside to Internet zone send traffic to destination 168.254.x.x it's apipa ip. why do we see this traffic? in some cases its from APIPA to APIPA IP. or Legit source to APIPA IP (internet zone)

Clear ARP for spesific ae interface

Hi All is it possible to clear arp for spesific sub ae interface ? for example, clear arp for interface ae1.10 and if possible, what is the command ? Thanks

Firwall is uable to send logs to the Panorma (Log collector is showing inactive)

Hi Team, I am currently managing multiple firewalls through Panorama; however, one of the HA firewalls is not forwarding logs to Panorama. Please find the CLI output below for your reference. show logging-status -----------------------------------------------------------------------------------------------------------------------------Type Las...

Increasing config size beyond max reccomended values 450s

Hi I have a customer who is getting the following alert on their Palo Alto PA-450 on 11.1.13, I believe these alerts have come about with new features on 11.1. To try and clear error we have set to the max recommended configuration file size per this article for the model. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1...

Intrazone-default Rule

I have a question and would like some advice! We currently operate by applying an “any-any deny” policy at the bottom of the stack and opening ports only for necessary traffic.I noticed that the hit count is increasing on the “intrazone-default” allow policy at the bottom, even though the “any-any deny” policy is in place.I enabled logging for t...

Discussions

Welcome to the Next-Generation Firewall Discussions!

Why would an active firewall in an active-passive HA configuration broadcast gratuitous ARPs every 60 seconds?

HA failover on Acitve Passive concerns

Global Protect is having issues with newer MACOS version.

Security Policy Disappears After Commit – Palo Alto in Azure with Panorama

Study Material (PDF) for Next generation Firewall Engineer

Firewall SSH, the login succeeds with TACACS Account, but there is an issue that closes the session immediately.

Stupid question, but how to show all vsys in CLI with one command?

VPN peer ID

Resolved! HSCI port - amber blinking LED on both primary and secondary devices (5445)

InPlace Upgrade Windowsserver with User ID Agent

Source and destination is APIPA or Soure is Legit machine and destination to Internet(zone) is APIPA

Clear ARP for spesific ae interface

Firwall is uable to send logs to the Panorma (Log collector is showing inactive)

Increasing config size beyond max reccomended values 450s

Intrazone-default Rule

TS-Agent 11.1.1 Compatibility

11.2.10-h6 details??

virtual address active-active

Palo Alto 820 - Software Update for CVE-2026-0300

In PAN version 9, public IP addresses and the VPN were accessible from the Intranet.

[FIREWALL] - Commit Issue

OSPF process crashes after manual HA Failover

Re: TS-Agent 11.1.1 Compatibility

Re: Regarding the migration from HDD to SSD for PA-VM running in the Azure environment

Re: 11.2.10-h6 details??

Unlock your full community experience!

Resolved! HSCI port - amber blinking LED on both primary and secondary devices (5445)