Next-Generation Firewall Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussion

...

SCM management routing mode change failed

Hi,

I’m trying to manage PA-460 from SCM, but I still get error, even after a factory reset.

The firewall still disconnects and cannot complete bootsrap process, but SCM receive telemetry data. I also try to change [routing mode] to advanced routing

...

Palo Alto 5450

I need specifics on the DC cables provided with the 5450. The specs page shows AC cables. Can someone provide me the specifics around the DC cables that come with the 5450? Thanks

Which Pan os 11.1.2-18 11.1.6-h3 more stable ?

Associating Link Tags with GRE Tunnels for SD-WAN Path Control on PA-1410

We are configuring SD-WAN path control on a Palo Alto Networks PA-1410 (PAN-OS 11.4) that connects to two Zscaler data centers (Dallas and Atlanta) over two ISP circuits. Four GRE tunnels are in place:

ISP 1 → Zscaler DFW
ISP 1 → Zscaler ATL
ISP 2

...

Resolved! Azure SAML Authentication for Admin access - HA Pair - AZURE Enterprise APP ADMIN UI

We have been able to configure the ADMIN UI to use SAML auth on the primary firewall to leverage MFA. The problem is the secondary firewall has a different URL, of course, to access it. We tried creating a second ADMIN UI, but you cannot assign a sep

...

Interface Errors after upgrade - VM Series

Hello,

we upgraded our Palo Alto VM to 11.1.6-h1, after the upgrade the monitoring system gave us warning about the errors increasing on the Firewall interfaces but the clients did not report any issues, so it's not affecting them at all,

this is

...

Facebook working as application reddit-base

We are currently experiencing an issue with URL filtering and application-based policies. We’ve set up a policy to block the Facebook application, but it’s still being allowed through. In the logs, it shows as the application "Application reddit-base

...

Bonjour mDNS Reflector Layer 3 Vlan Interface

Just curious if anyone out there knows why Palo Alto has never implemented the Bonjour Reflector feature in Layer 3 Vlan interfaces.

PAN implemented this a long time ago but it is only available on physical Layer 3 interfaces (or subinterfaces) or

...

Temp user created using TACAS: Can no longer access device.

A temp user account was created using TACAS username. The device attempting to be reached is no longer accessible to the user. Is there any work around for the particular issue?

Deepseek Restriction

I've noticed when trying to just use the appIDs, any web traffic not able to be identified ("incomplete", "insufficient-data") will hit the policy even though the appID doesn't technically match the policy. My other thought was just to allow the unid

...

Palo Alto Explicit Proxy Traffic Issue

Hello Team,

We have configured the Palo Alto firewall as an Explicit Proxy using Kerberos authentication in alignment with the Admin Guide. However, we’re noticing that the designated traffic is not routing through the Proxy as expected and is failing

...