Next-Generation Firewall Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

Why would an active firewall in an active-passive HA configuration broadcast gratuitous ARPs every 60 seconds?

I found a KB article stating that the active firewall sends out gratuitous ARPs every 60 seconds during normal operation, but it doesn't explain why. What is the reason for this behaviour? https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004Ny3CAE

HA failover on Acitve Passive concerns

Hello all, I would like to get some idea/thoughts about the current setup on my two PA1410 Active/Passive FW failover concerns. Few weeks ago, our Active FW has some issues and hung on the data plane. I found there was some missing configurations on our network side so the Failover didn't work at all. So eventually I resumed it, and raised the...

Security Policy Disappears After Commit – Palo Alto in Azure with Panorama

We have Palo Alto deployed in Azure, using Panorama. When my colleague created a policy, it took time to commit, and then the policy automatically disappeared. We want to understand possible reasons for a policy deletion in this setup. She created the policy again from starting.

Study Material (PDF) for Next generation Firewall Engineer

Hi people,May I have the link to download the Next Generation Firewall Engineer study material, which is a PDF doc? I am looking to prepare for the certification. Thank you

Firewall SSH, the login succeeds with TACACS Account, but there is an issue that closes the session immediately.

Hello, everyone. Firewall has OS of 10.2.4-H2. When TACACS account to connect to Firewall SSH, the login succeeds, but there is an issue that closes the session immediately. In Firewall System-log, authentication and authorization were successful and it was confirmed that the Superuser role was granted.. However, a "create-admin-acct-err...

Stupid question, but how to show all vsys in CLI with one command?

Hey guys, this may be a stupid question but I just cannot find the appropriate command for this after googling for nearly an hour. I just want to display all vsys via CLI in one command without the need of "?". Something like show virtual-system all or so. Is this even possible?

VPN peer ID

Hi guys, we have a 3rd party VPN peer who must set the Peer Identification value, the tunnel works fine, but on their side the tunnel ID IP address can change depending on whether they are on their active or standby firewall, and that means we need to update config and push policy to get it online (this is a regular occurrence) I thought abo...

Resolved! HSCI port - amber blinking LED on both primary and secondary devices (5445)

Hey guys I have 2 PA-5445 in HA setup, I noticed that the HSCI port shows blinking amber LED on both sides. Dashboard shows HA is up. Should it be green or is it fine? Because the 5260 models show solid green LED.

InPlace Upgrade Windowsserver with User ID Agent

Hello, we are planning to upgrade a windows 2016 server to windows server 2022. On the server we have installed the User ID Agent for NGFWs. Has someone experience with the upgrade? Is it possible to make a InPlace Upgrade or is it better to install the agent on a new server? Thanks!

Source and destination is APIPA or Soure is Legit machine and destination to Internet(zone) is APIPA

In Palo Alto firewall we see legit source from zone inside to Internet zone send traffic to destination 168.254.x.x it's apipa ip. why do we see this traffic? in some cases its from APIPA to APIPA IP. or Legit source to APIPA IP (internet zone)

Resolved! Clear ARP for spesific ae interface

Hi All is it possible to clear arp for spesific sub ae interface ? for example, clear arp for interface ae1.10 and if possible, what is the command ? Thanks

Firwall is uable to send logs to the Panorma (Log collector is showing inactive)

Hi Team, I am currently managing multiple firewalls through Panorama; however, one of the HA firewalls is not forwarding logs to Panorama. Please find the CLI output below for your reference. show logging-status -----------------------------------------------------------------------------------------------------------------------------Type Las...

Increasing config size beyond max reccomended values 450s

Hi I have a customer who is getting the following alert on their Palo Alto PA-450 on 11.1.13, I believe these alerts have come about with new features on 11.1. To try and clear error we have set to the max recommended configuration file size per this article for the model. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1...

Intrazone-default Rule

I have a question and would like some advice! We currently operate by applying an “any-any deny” policy at the bottom of the stack and opening ports only for necessary traffic.I noticed that the hit count is increasing on the “intrazone-default” allow policy at the bottom, even though the “any-any deny” policy is in place.I enabled logging for t...

Decryption policies and Short-Lived Certificates

Hi All, So basically, certificate validity will be shortened gradually until it is down to 47 days. The prospect of importing and reconfiguring our decryption policies that often is not very appealing. The problem i see is that, while we can automate certificate renewal on the servers, and the actual import process using CLI/API, there's sti...

Discussions

Welcome to the Next-Generation Firewall Discussions!

Why would an active firewall in an active-passive HA configuration broadcast gratuitous ARPs every 60 seconds?

HA failover on Acitve Passive concerns

Security Policy Disappears After Commit – Palo Alto in Azure with Panorama

Study Material (PDF) for Next generation Firewall Engineer

Firewall SSH, the login succeeds with TACACS Account, but there is an issue that closes the session immediately.

Stupid question, but how to show all vsys in CLI with one command?

VPN peer ID

Resolved! HSCI port - amber blinking LED on both primary and secondary devices (5445)

InPlace Upgrade Windowsserver with User ID Agent

Source and destination is APIPA or Soure is Legit machine and destination to Internet(zone) is APIPA

Resolved! Clear ARP for spesific ae interface

Firwall is uable to send logs to the Panorma (Log collector is showing inactive)

Increasing config size beyond max reccomended values 450s

Intrazone-default Rule

Decryption policies and Short-Lived Certificates

Exporting Dynamic address Group but not show list address

Clear ARP for spesific ae interface

GlobalProtect 6.3.3-1016 Failed to Open File Mac M3 Pro (Apple Silicon) macOS Tahoe 26.5.1

PA 445 setup

basic network, complex problem (please help)

Re: GlobalProtect 6.3.3-1016 Failed to Open File Mac M3 Pro (Apple Silicon) macOS Tahoe 26.5.1

Re: Receive errors on all traffic interfaces

Re: Global Protect is having issues with newer MACOS version.

GlobalProtect 6.3.3-1016 Failed to Open File Mac M3 Pro (Apple Silicon) macOS Tahoe 26.5.1

Re: Delaying upgrade between an HA pair

Unlock your full community experience!

Resolved! HSCI port - amber blinking LED on both primary and secondary devices (5445)

Resolved! Clear ARP for spesific ae interface