Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not.

Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4552 Views
  • 0 replies
  • 1 Likes

Plugin-DLP mismatch on HA pair (HA not syncing)

We recently had a firewall failure in a High Availability (HA) pair and replaced the faulty unit. However, there's a mismatch in the Data Loss Prevention (DLP) plugin versions: the working firewall is running DLP 5.0.1 with OS 11.1.6-h1; the replacement firewall has been updated to OS 11.1.6-h1 but only has DLP 5.0.4 available. I do not want to ...

din100 by L3 Networker
  • 3268 Views
  • 1 replies
  • 0 Likes

IPSec Tunnels acting Strange

Version 11.1.4-h7. I am unsure if anyone else has experienced this. We are seeing IPSec tunnels suddenly showing errors in the system logs that IKE phases are just deleting one right after the other and not initializing. Originally one of the tunnels actually went down and caused some issues, but it was able to be fixed via the test commands to r...

BTS_MS by L2 Linker
  • 606 Views
  • 0 replies
  • 0 Likes

UserID mapping flags user unknown with single digit timeout secs

Hi all, I'm using Agentless UserID mapping. For the past 2 weeks, random users have been dropped out of ip-user-mapping and are unable to browse the internet. When I run "show user ip-user-mapping all" on the CLI, I get 90% of connected AD users mapped to IP addresses, but the remaining 10% of users are logged as below - IP | Vsys | From | User | ...

rshetye by L0 Member
  • 1060 Views
  • 1 replies
  • 0 Likes

Use of SSL Decryption.

Dear All, I hope you all are doing well. We recently deployed a firewall with SSL decryption features. Previously, we used F5 WAF for SSL decryption. Should we use SSL decryption for the new firewall or the previous F5 WAF SSL decryption? Can I use both WAF and Firewall SSL decryption? If so, what benefit will I get from using both devices?

rockbd by L0 Member
  • 885 Views
  • 1 replies
  • 0 Likes

Vsys1-Vsys2 main-Backup

Dears in the community, I have some trouble with a scenario on my Palo Alto device and need your support. I have two Vsys named (A, B), and each one of them has an L3 uplink-ISP VLAN configured on a separate interface, with a public IP set on the interface and a static route 0.0.0.0/0 to the ISP IP side, and the private service reaching to the internet by us...

Meta Apps bypassing Captive Portal Authentication

Hi Everyone, I am asking your expert advice on this issue: We have an AP in bridge mode that is directly connected to Palo Alto. The firewall acts as the DHCP server and the AP just extends/bridges the network wirelessly. This setup is for Wireless Connection of Guest users with a separate zone as well. We created only one common guest user ...

zedexxx by L1 Bithead
  • 905 Views
  • 0 replies
  • 0 Likes

Management and Data plane same subnet

Hi All, My organisation needs to have the data plane interface, i.e. eth1/2, and the management plane, i.e. the mgmt port, in the same subnet as below: eth1/2 - 192.168.2.1/24, mgmt - 192.168.2.2/24 and 192.168.2.3/24 (Palo Alto in HA). Need to know what could be the harm or disadvantages of keeping data and mgmt in the same broadcast domain.

Protecting Admin UI with Duo MFA

I'm attempting to set up Duo MFA with the admin UI of a PA-3220 running PAN-OS 10.2, but have been unsuccessful. I've found that the guide, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi-factor-authentication/configure-mfa-between-duo-and-the-firewall, is referencing the Duo Access Gateway which is being...

Hardware Refresh from 820 to 445, able to copy config from 820 into 445?

I need to refresh an 820 to a 445 then another pair of 820s in HA to a pair of 445 in HA. Using on the box for management, no Panorama. Can I take the configuration from the 820s and load it into the 445s? 820 are currently on 10.1.14-h8. If not, is there another tool which can be used? There are a couple of site-to-site VPNs if that matters. Than...

Well-known URLs are getting marked as not-resolved and traffic getting blocked in Advanced URL Filtering in PA-450 box

We recently implemented a PA-450 firewall box in the organization and well-known URLs are getting marked as not-resolved and traffic is getting blocked in Advanced URL Filtering. Any certain configurations we need to modify to avoid this? Find more info from the attached SS.

Many ping drops during failover

We have a setup as shown above and when we do failover testing (power off the active firewall), we see at least 15 ping drops when we ping devices from one VLAN to another. The VLANs are configured as sub-interfaces on the firewall. Switches are just L2. We have HA1 and HA1 backup configured. Is it mandatory to configure HA2 to failover ...
  • 1588 Posts
  • 60 Subscriptions