Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4510 Views
  • 0 replies
  • 1 Likes

Citrix (Terminal services) UserID Deployment

Hello everyone, I would like to deploy the UserID Terminalservices Agent in a Citrix environment. There are approx 30 servers deployed from the same Master Image. I have TA successfully running on dedicated (non-Citrix) Terminalservers with Certificates generated by a PKI-root within the firewalls. Each TS has its own cert signed by that Root with the ...

Prevent bypassing captive portal?

We are in an environment where we have captive portal (with MS SSO) but users are able to get around the authentication redirects via VPN. We'd like to ensure that the only traffic that is allowed by unauthenticated users on this network is traffic that is redirected to captive portal and cannot be bypassed. Would we just be looking at placi...

Palo Alto DHCP Relay Stops Working After Reboot

After rebooting the firewall due to a power activity, we noticed that the DHCP relay stopped working. We could see the DHCP Discover and Offer messages in Wireshark, but the firewall’s DHCP relay did not seem to function properly. The firewall was running PAN-OS version 11.0.4-h5, and we upgraded it to 11.0.4-h6 to see if the newer version would...

Jagdeep1 by L2 Linker
  • 1498 Views
  • 1 replies
  • 0 Likes

Monitoring Palo Alto VPN IPSEC tunnels on PRTG

Hi, our company recently acquired a new Palo Alto PA440 and has set up VPN IPSEC tunnels (both IKEv1 and IKEv2). We currently need to monitor these tunnels efficiently using PRTG to be alerted in case one of the tunnels goes down. Can anyone who has done this before guide me on how it can be done or suggest any alternative using PRTG? Or if you could shar...

CNGFW Integration with Panorama, its Stability, & Performance

To integrate the Cloud NGFW service with a Panorama virtual appliance, Panorama must be running software version 10.2, 11.0, or 11.1 and not greater than 11.1 as per the below KB Article. Panorama Integration Prerequisites However, I recently deployed VM Series Panorama running on 11.2.4-h1, which is being integrated with CNGFW (azure plugin version 5.2.1)...

set system setting target-vsys is not an option 10.2.10-h9

I am trying to test the authentication profile for LDAP. However, I am unable to do so successfully because it is checking vsys0 and the LDAP is set for vsys1. But when using set system setting, the target-vsys is not an option for the command. I just get invalid syntax. Did this change along the way? Because every page I find and read says to set s...

Change of the interface's name order in the commit

Hello, when I verify the configuration changes on the firewall before committing them I see a line that begins with "interface [" and lists all the interfaces and subinterfaces that exist, but in the running config they have an order and in the candidate configuration the names are the same but the order is different, so for example: "interface [...

Packet Capture Issue

Hi Team, I am seeing an active session for specific traffic, but when I try to capture the packets, no packets have been captured. Also, the "debug dataplane packet-diag show filter-marked-session" command is not showing any session details. I am pasting the session details below: Session 2780057 c2s flow: source: 10.30.9.145 dst: 10.130.160.1...

Edsnow by L3 Networker
  • 1005 Views
  • 1 replies
  • 0 Likes

Resolved! Has anyone configured and tested the new functionality within Pan OS 11.0 Web Proxy in Transparent mode?

Hi team, I've set up the Web proxy in transparent mode, but I'm unsure of its functioning. Our Palo Alto device doesn't support WCCP and only allows Inline mode deployment. With only the admin guide available for reference and study, I may be the sole individual who has done this. Particularly, I'm uncertain about the D-NAT aspect of transparent...


Resolved! Red/Green "LED"s in GUI are useless to screen reader software. Please Add ALT TEXT!!!

So, Panorama and NGFW both use Red and Green status "lights" to denote interface, IKE, and IPSec status. Typical coding, but for someone who sees Red and Green differently (Technically in 1970s speak "Minor Red/Green Color Deficient", a.k.a. "ColorBlind") the GUI colors are useless. They didn't even use a light enough green like a lot of other...

Testing interfaces on Passive Node

Dear Community, I have a strange problem related to my PAN1410. My FWs are built as HA Active-Passive. Everything works until a failover occurs; after that I lose connections to GlobalProtect. It seems that I have a problem with the WAN interface, because when I return to the Primary node, connectivity comes back. So if I have connectivity, how can I check...

Rule Order Best Practice

We recently migrated to the Palo Alto Firewalls. I am looking for best practice/recommendations on how to properly order firewall rules. We have all our block rules first (geoblocking, malicious sites, specific apps, etc) up top. But what about the rest? Is it supposed to be more defined rules (specific ip to ip) up top? Do general application...

SIP/RTP Traffic Issues in Palo Alto Active-Active vWire Setup Causing MAC Flapping In L3 devices

In a Palo Alto Active-Active vWire setup, traffic entering a port on Device A is not supposed to egress from any port on Device B. The HA3 link is typically used to forward packets from the active-secondary device to the active-primary device for processing and evaluation against security policies. However, in your setup, you are observing that ...
