Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4555 Views
  • 0 replies
  • 1 Likes

delayed traffic logging

Hi All, Some weird stuff going on on our unit: what are the chances that the firewall logged traffic that it received hours ago? In our case, the firewall logged RDP connections that occurred in the early morning. However, the target servers didn't log any login attempts at all. The alleged source IP of the connections was down during that p...

Direct DNS Resolution on Palo Alto Without DNS Proxy Enabled

Hello, It is possible to perform a DNS resolution directly from the Palo Alto firewall without relying on the current network configuration (such as the default configured DNS). The idea is to bypass internal DNS and use a public DNS directly, such as 8.8.8.8. Note that the DNS proxy is not enabled because it is not being used. Thanks

Resolved! RCS Chats from iPhone (IOS 18) broken

A fun problem got brought up that now that Apple surprisingly supports RCS (Google's SMS replacement) and for some reason it does not function on our networks. I can see in our internet firewall that there is a TCP 5223 session to us.verizon.rcs.telephony.goog (216.239.36.131) from our test client. That session is valid, I have a 3way handshake,...

block ransomware

Hello, I am new to Palo Alto. What's the recommended way to block ransomware in a firewall policy? Antivirus profile? High Risk category? Please provide a screenshot if possible showing me how to do it.

jgodfrey by L1 Bithead
  • 892 Views
  • 1 replies
  • 0 Likes

Outlook is not working with Outside internet mails are getting slow

Hello Team, I hope everyone is doing well! One of my customers is facing an issue with Outlook is not working with Outside internet mails are getting slow. Below steps we have followed: Outlook keeps getting stuck when connected via a personal hotspot or WAN. This issue has been present since the initial configuration. Outlook works fine within th...

Palo alto HA enquiry

Hi guys, Currently the firewall is configured in HA active/passive mode. We are trying to find out if we are able to change the HA mode to active/active. What are the impacts and requirements if we decide to change the HA mode?

Firewall security managing via Zone vs multi layered firewall

Hello Experts, We are in the process to migrate from our current firewall (enterprise network) platform to Palo Alto. Current firewall infrastructures are layered hardware like one pair for perimeter, one pair for business network (internal), one pair for DMZ etc. We are exploring the option to collapse everything in one pair of firewall, handl...

Bidirectional PIM Support

Hello everyone, Does PaloAlto support bidirectional PIM? I understand that bidirectional multicast means that a device can be both a sender and a listener, and I would like to know if PaloAlto supports multicast communication in PIM-SM where a single device can be both a sender and a listener.

Resolved! Log messages in ikemgr.log that were present in PAN-OS 11.1 are missing in PAN-OS 11.2

In PAN-OS 11.1 (running on VM-Series in AWS) I could do `debug ike global on dump` to get some [DEBG] and [DUMP] messages in `ikemgr.log` from which I could get the SK_ei and SK_er keys that allow me to decode the IKEv2 messages in a pcap using Wireshark. In PAN-OS 11.2.3-h3, it seems that many log messages that used to be logged are no longer...

brunor by L1 Bithead
  • 3346 Views
  • 1 replies
  • 0 Likes

Resolved! How can I extract the IKEv2 encryption keys SK_ei and SK_er on PAN-OS 11.2?

How can I extract the IKEv2 encryption keys SK_ei and SK_er on PAN-OS 11.2 (for the purpose of decoding a packet capture file in Wireshark)? The following article describes the procedure: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLMzCAO This worked fine on PAN-OS 11.1. But it does not seem to work on PAN-O...

brunor by L1 Bithead
  • 2890 Views
  • 2 replies
  • 0 Likes

Palo Alto Admin UI SAML authentication failures

A few months ago, a failure occurred with SAML authentication configured between Azure and Palo Alto for firewall management. It is believed to have arisen from a flaw that occurred with Microsoft in late October and early November. The issue is that the SSO works in even takes you to Microsoft authentication with their MFA and such and it redire...


Issue connecting to GlobalProtect with public wifi

Hi guys, I'm at a coffee shop and using their public wifi to connect to my company GP VPN. I was able to enter my credentials and MFA. The GP showed that I'm connected, but I'm not able to connect to my company's local stuff and can't browse the internet while connected. The GP client also popped up a message below every few minutes: After 20 min...

tinhnho by L3 Networker
  • 2311 Views
  • 1 replies
  • 0 Likes

Unable to upgrade past 11.0.4-h1

Trying to get to 11.1 but when we upgrade, after a period of time, usually 30-60 minutes after the upgrade outbound traffic begins to fail. We see traffic allowed and going out but 0 returned. We have tried several versions of 11.1 as well as even 11.0.6-h1 and always have the same issue and have to revert to 11.0.4-h1. We are hearing that oth...

  • 1589 Posts
  • 60 Subscriptions