PAN-OS 10.2.17 HA A/P - Mgt interface reported as duplicate IP of data interface

After installing PAN-OS 10.2.17 to a PA-440 HA A/P pair  ( to address - CVE-2025-4615 PAN-OS: Improper Neutralization of Input in the Management Web Interface . ) 'duplicate IP' system logs reported where the stated MAC address appears to be the fw m

Not able to log XFF (Actual Client IP) in PaloAlto Logs even when we enable XFF and URL filtering profile in Palo's

Issue Summary – XFF Not Logged on Palo Alto (Even With Decryption ON)

We are running a flow where AWS ALB inserts X-Forwarded-For (XFF) and the Palo Alto firewall performs SSL decryption + re-encryption:

Flow:

Client --> Internet --> AWS ALB (HTTPS) (

Duplicate DNS packets

I'm encountering and issue where we are seeing duplicate DNS (UDP) packets coming out of the palo to the resolving server. Specifically TXT records with multiple packets at the server (resolver) side vs. the normal request/response. At the client sid

Limit User-ID Agent queries to cerain Windows event-IDs

We have been using PA-User-ID Agent for years an it was working fine. The Agent is connecting to Domain-Controller Log and maps user-name and ip-address of successful logins for firewall-policy usage.

Yesterday we changed GPOs on the Domain Controlle

Issue with allowing AnyDesk on a no-internet policy

Hey,

I have a need to block all internet traffic at a specific site.

I have created specific policies to allow needed services,

and at the bottom of the policy, I have added a drop all.

I have created a URL category for *.net.anydesk.com

and allowed

NGFW 1400 Series LACP / Failover issue (11.1.5)

This is a notification for anyone running 1420 boxes in a high-availability (HA) configuration in their environments >11.1.4. We recently encountered significant issues with our NGFW operating in HA mode. Specifically, the HA setup failed on the acti

Palo Alto T-Q28-100G-S4 and PA-5450 with PAN-PA-5400-NC-A

Hey everyone,

I am working on a project to integrate Cisco Catalyst 9500/Nexus 9300 switches with Palo Alto PA-5450 with PA-5400-NC-A cards using 100G QSFP transceivers. Specifically, I was testing with below transceivers.

• Cisco QSFP-100G-SR4-S

PAN OS integrated Use ID agent Server monitoring Status Showing "Access Denied"

Hi Team

Pan OS Integrated User ID is connected with one of our DC server with out having any issues while configuring in the other DC servers we are getting the "ACCESS Denied" in the server monitoring.

While seeing in the 

>less mp-log useridd.l

Cannot Access Primary in HA Pair – Need Failover & Recovery Advice"

**Subject: Unable to Access Primary Firewall in HA Setup — Need Guidance on Failover and Recovery**

Hello Palo Alto Community,

We are currently facing an urgent issue with our Active/Passive Palo Alto firewall setup:

Palo Alto Model:PA-3220
VERSION:10.2.

Palo Alto Firmware Downgrade

I want to downgrade the firmware of PA-410R from 11.1.4-h7 to 10.1.10-h1. I am trying to access the support portal, but it's not accessible, and I cannot even reach the help line numbers. I want to integrate the firewall with the existing Panorama wi

Request Advice – BGP Failover Route-Based IPsec VPN With WatchGuard (WG)

Hi Everyone,

I’m looking for guidance on the best-practice way to set up redundant route-based VPN tunnels using BGP between a Palo Alto firewall (PA-VM) and a WatchGuard firewall. The goal is to implement primary/secondary failover with dynamic rout