Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not.

Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4593 Views
  • 0 replies
  • 1 Likes

PA-5450 MGT-A and MGT-B Management Ports configuration

Based on the PA-5400 MPC Component Descriptions, the MGT-A and MGT-B management ports are bundled by default as a LAG: "Two SFP/SFP+ management ports providing 1/10GE connectivity that are used to access the management interface. MGT-A and MGT-B are bundled by default as a LAG (link aggregation group). To leverage both ports, they must be conn...

Known issue (Issue ID: PAN-227368) with version 11.0.2. Will it be solved by upgrading to 11.1.0-h2?

Change: We have upgraded to 11.0.2; post upgrade we are facing the below issue. Issue ID: PAN-227368. Issue Statement: The GlobalProtect app cannot connect to a portal or gateway and GlobalProtect Clientless VPN users cannot access applications if authentication takes longer than 20 seconds. Workaround: Increase the TCP handshake timeout to the ...

Karthi_N by L1 Bithead
  • 2137 Views
  • 2 replies
  • 0 Likes

Azure "az" command and decryption

Hello, All. Working on Windows. A few days ago, I tried to understand why the Microsoft Azure CLI "az" command line program was not working with decryption behind our PAN-OS 10.2.10. Azure CLI is a Python tool. I am currently running v2.77 (latest). I added the root CA to C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacer...

Rievax by L2 Linker
  • 4871 Views
  • 5 replies
  • 0 Likes

Not able to log XFF (Actual Client IP) in Palo Alto logs even when we enable XFF and URL filtering profile in Palo's

Issue Summary – XFF Not Logged on Palo Alto (Even With Decryption ON). We are running a flow where AWS ALB inserts X-Forwarded-For (XFF) and the Palo Alto firewall performs SSL decryption + re-encryption. Flow: Client --> Internet --> AWS ALB (HTTPS) (Palo's are registered as TG IP) --> Palo Alto FW (SSL Decrypt) --> Server. What works: A...

Difference in Session Synchronization configuration output in PAN-OS 11.2 Active/Passive HA

Hello experts, I would like to confirm the HA configuration behavior in PAN-OS 11.2. We have two firewalls configured in an Active/Passive HA pair. In the GUI, Enable Session Synchronization is enabled on both devices. However, when checking the configuration from the CLI, the following line is displayed on one device: "set deviceconfig high-avail...

Palo Alto 3410 Firewall 100% DP CPU spike

Hello all, We are seeing sudden spikes in Data Plane CPU on our Palo Alto Networks PA-3410 firewalls running PAN-OS 11.1.13. The CPU usage jumps to 100% for a few seconds and then returns to normal automatically. This happens randomly, with no fixed timing. We have observed this at two different locations where we have PA-3410. Initially, we suspe...

EDL Scalability & Platform Limits – Best Practices

Hello Everyone, Looking for best practice recommendations on handling large IP-based External Dynamic Lists (EDLs). In cases where the EDL reaches platform limits (e.g., ~150K IPs), scalability becomes a challenge, especially when continuous updates are required and manual handling is not practical. Would appreciate your input on: More scalable...

A.AlHafi by L1 Bithead
  • 358 Views
  • 1 replies
  • 0 Likes

Resolved! Reason: Authentication profile not found for the user

Local admin created with authentication profile set to none, but Palo Alto is still looking for an authentication profile for this local user and not allowing login, saying invalid username/password, and here at the FW end we are getting the log - Reason: Authentication profile not found for the user. PAN-OS - 11.1.10-h1 - Is this a bug in this version...

Why would an active firewall in an active-passive HA configuration broadcast gratuitous ARPs every 60 seconds?

I found a KB article stating that the active firewall sends out gratuitous ARPs every 60 seconds during normal operation, but it doesn't explain why. What is the reason for this behaviour? https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004Ny3CAE

HA failover on Active Passive concerns

Hello all, I would like to get some ideas/thoughts about the current setup on my two PA1410 Active/Passive FW failover concerns. A few weeks ago, our Active FW had some issues and hung on the data plane. I found there were some missing configurations on our network side so the Failover didn't work at all. So eventually I resumed it, and raised the...

GlobalProtect is having issues with newer macOS versions.

Hi, I have problems trying to sign in some Mac users that are running some Sequoia and Tahoe versions; the only version that is working is the 15.7.4 Sequoia version. It seems that the gp client is unable to authenticate. I checked the logs and it seems that the gp client is not able to open a .dat file 04/15/2026 17:06:14:954 [Info ]: Portal pre...

Firewall SSH, the login succeeds with TACACS Account, but there is an issue that closes the session immediately.

Hello, everyone. The Firewall has OS 10.2.4-H2. When using a TACACS account to connect to Firewall SSH, the login succeeds, but there is an issue that closes the session immediately. In the Firewall System-log, authentication and authorization were successful and it was confirmed that the Superuser role was granted. However, a "create-admin-acct-err...

hbshin by L2 Linker
  • 2560 Views
  • 3 replies
  • 0 Likes
  • 1586 Posts
  • 61 Subscriptions