Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4510 Views
  • 0 replies
  • 1 Likes

Resolved! New admin accounts could not login in web gui

Hello, I have done the setup of a new PA-445 running software version 11.2.3. I have added new device admins as superuser in Device-->Administrators. But when I try to login I get the message "failed authentication for user \'adm-test\'. Reason: Authentication profile not found for the user. From: %ipaddress%.' How can I solve this problem? ...

M.Bock by L2 Linker
  • 1790 Views
  • 5 replies
  • 0 Likes

VPN PA-400 to PFSense

Hi all! I've created an IPsec VPN site-to-site between Palo Alto and PFSense. We are facing problems because the tunnel doesn't connect. We see the errors below on Monitor Logs: Error1 = IKEv2 IKE SA negotiation is started as responder, non-rekey. Initiated SA: IP_PALO_ALTO[500]-IP_PFSENSE[33848] SPI:1719700341f53997:4c83ee594abb7b38. Error2 = ig...

admin by L0 Member
  • 741 Views
  • 1 replies
  • 0 Likes

PA850 last supported PANOS 11.1.x

Hey Folks, The last supported version for the PA-850 is PAN-OS 11.1.0. The PA-850 has End-of-Support (EoS) until 2029. However, I want to confirm whether security patches, threat updates, and other dynamic updates will continue to be provided until 2029. We need to ensure that the firewall remains secure against vulnerabilities throughout its...

nsingh by L0 Member
  • 2884 Views
  • 1 replies
  • 0 Likes

Proxy IDs between Peers

Hi, if the remote peer requires the local Palo Alto to set proxy IDs, what happens if the proxy IDs on the PAN side don't match the ones at the remote? Would this cause any issue, i.e. traffic gets dropped, or does Palo Alto forward the traffic down the tunnel as long as there is a route? Thanks

AY_FASAR by L1 Bithead
  • 670 Views
  • 1 replies
  • 0 Likes

Support regarding query

Hi All, My current PA support is ASC (Authorized Service Center), where they open a case on my behalf. How can I change my ASC or transfer my device ownership to some other support partner? Please note: Support is currently valid and active with my existing ASC partner.

URL Filtering Issue with Gaming Category

Hi Team, Good day to you! We are facing an issue with URL filtering. Specifically, we are unable to block gaming URLs through the filtering system. The customer has a specific user group called the Travel Group, for which a separate URL filtering category has been created. This setup is working as expected. However, the issue arises when attemp...

High availability failover: GARP doubts.

Hey guys! First time poster here. To begin with, I am a beginner to PA and learning my way through. I have just reached the HA part, and have a few questions. In an active/passive deployment, when the Active unit fails and the Passive unit starts taking over, it sends GARP and updates the downstream/ (upstream?) switches CAM tables with the new in...

Nadeem69 by L0 Member
  • 1078 Views
  • 1 replies
  • 0 Likes

Palo Alto Login issue through GUI "ERR_SSL_KEY_USAGE_INCOMPATIBLE" (Solved)

For the last few days, we have been experiencing an issue with logging in to the Palo Alto Firewall through the GUI. We are getting the below error from the browser during login. After that, we contacted TAC support but they were unable to solve this issue, and they suspected this issue happened due to the browser. Today morning we we...

Finding Rootkits in Palo Alto

I was looking for information on finding and removing rootkits on Palo Alto, using the CLI commands. Reinstalling PANos isn't an option for me, but any help would be greatly appreciated. I know there is a rootkit installed, but I am not entirely sure what it does, beyond bricking the firewall when upgraded to a new base version.

Plugin-DLP mismatch on HA pair (HA not syncing)

We recently had a firewall failure in a High Availability (HA) pair and replaced the faulty unit. However, there's a mismatch in the Data Loss Prevention (DLP) plugin versions: the working firewall is running DLP 5.0.1 with OS 11.1.6-h1; the replacement firewall has been updated to OS 11.1.6-h1 but only has DLP 5.0.4 available. I do not want to ...

din100 by L3 Networker
  • 3105 Views
  • 1 replies
  • 0 Likes

IPSec Tunnels acting Strange

Version 11.1.4-h7. I am unsure if anyone else has experienced this. We are seeing IPSec tunnels suddenly showing errors in the system logs that IKE phases are just deleting one right after the other and not initializing. Originally one of the tunnels actually went down and caused some issues, but it was able to be fixed via the test commands to r...

BTS_MS by L2 Linker
  • 585 Views
  • 0 replies
  • 0 Likes
  • 1794 Posts
  • 60 Subscriptions