Palo Alto Firewall Migration – VSYS Consolidation

Dears,

We currently have a production environment running on two Palo Alto 5220 firewalls. We are planning to migrate to new Palo Alto 5410 firewalls.

In the existing setup, the firewalls are divided into two VSYS (Vsys1 and Vsys2). Since Vsys1 is no l

Step by Step Radius Configuration for PA-1410

Dear Everybody,

I have a problem in configuring Radius on PaloAlto Firewall 1410 series , I find different manual for different methods as below :

Configuring Administrator Authentication with Windows 2008 RADI... - Knowledge Base - Palo Alto Networks

Palo Alto Kerberos for sso

Anyone hit the same issue before?

2025-08-16 20:35:38.768 +0800 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:218): prof "KRB-SSO", vsys "vsys1" (method: Kerberos pre-auth) has sso hash table id: 1 (0 means no or inv

'cfg.general.need-acknowledgement-to-login': NO_MATCH

I have deployed a new VM series PA FW, however whenever I am trying to login, it is giving 'cfg.general.need-acknowledgement-to-login': NO_MATCH

Any suggestions?

Policy destination field when using URL filtering

I need to write a rule that looks like this

Source zone: Internal

Destination zone: External

Source address: 10.38.105.201

Destination address: This is where it is tricky, I need the destination addresses to be *.myqlink.biz *.med.myqlink.net

Finding IP of threat blocked via DNS Proxy

As our PA is configured at the moment, I see some notifications in the threat logs where a request from the Palo DNS proxy has been blocked from looking up something determined to be spyware.

I can't find a matching log anywhere to indicate the IP

Data plane cpu 100% (pa-3410)

Hello!

We have a PA-3410 in our corporate network, and yesterday we encountered a problem: the data plane CPU reached 100%, and disabling the Decryption rules helped. Are there any solutions to this issue?

Renew of Self Signed SSL Forward Trust Certificate without Root CA

Hello,

I have a self-signed (self-generated) certificate without a Root CA on a firewall, which is used for SSL Forward Proxy to decrypt traffic.

The certificate is valid for 10 day and has been imported on client machines as a trusted root CA.

Th

HA error when configuring

• High-availability ha1 encryption requires an import of the high-availability-key(Module: ha_agent)
• client ha_agent phase 1 failure

Any ideas why this is happening? I have configured 3 other HA pairs with no issue.

PA1

PA2

Security Profile Evaluation

Hey Community!

In Palo Alto NGFW, when multiple Security Profiles (like Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, DLP, etc.) are applied to a Security Policy

How does the inspection happen?

• Is it sequential (one

PALO ALTO FIREWALL , lan interface internet issue

I currently have a palo alto VM on my VMware esxi environment and i have setup the LAN and WAN interfaces and also created a dhcp scope on my lan interface and connected it to my windows server 2019 also on the esxi environment but i can se traffic t

Migrating certs from one palo to another

What is the process when migrating certs? 
are the added when new palo joins the device group?

do I need to import export the top level cert?

do I need to import the trusted root provided by customer or can I use what is already on the old palo?

thank

HA Links Over DWDM

Currently have a couple pairs of Palos (internal and external), with an HA pair over at a remote location. These 2 sites at connected via redundant DWDM devices (SmartOptics to be precise). Currently the HA links are just connected to a core switch,