Problem with Security Zones.

Dear Members, 

I need some help regarding the Paloalto firewall. We are managing the firewalls using the Panorama. I am new in the environment. I have been told that the source subnet resides in the inside zone hence I added the source group in the i

Pan-OS stability?

It seems the number of new versions, and hotfixes, is becoming more frequent of late.  Is this something to be concerned about? It used to be that months separated each new release.

Inbound and outbound security rules

Hi Experts,

I have 2 rules which are for Inbound/Outbound traffic and both are using Geo locations. These 2 rules have the Negate feature checked.

Inbound and outbound rules allow 20 countries, and the rest are denied (China is on the denied list

Dynamic IP Pool utilization - 10.2.9-h1

Hi Team

We have an issue where we use Dynamic IP pool for outbound NAT but 'show running ippool' does not reflect the accurate NAT xlate pool usage.

For example, we see 9k Available IPs but on checking the global counter we can see the NAT Utili

SFP Interface are not showing in PA-445

Dear All,

SFP interfaces are not showing in PA-445.

We want to configure SFP interfaces, but interfaces are not showing in the GUI and CLI. Only Ethernet ports are visible.

Kindly help with this issue.

List of App-IDs that require decryption

Is there already a central location where all app-ids that require decryption to use/discover are listed? It's called out in the content release notes if an application requires decryption, but I haven't seen that noted anywhere else like Applipedia

How to exclude the source IP address

how to exclude the source IP from firewall alert in palo alto.The source IP is our internal scanner and should be excluded from alerts

IPSEC_ESP port 50 Traffic even when IKE Phase-1 is not up

We are running into an issue, where we have 2 Palo Firewalls and we are trying toe establish S@S VPN between them. Both the tunnels are behind NAT devices and we do have NAT-T Enabled.

We can see in IKE MGR.logs that the initiator is trying to reach

Connection Aged to archive.apache.org, but works through another PA firewall

We are trying to connect archive.apache.org from Cloud VM, it does not work but shows it is allowed in logs, but session shows aged out and application shows incomplete.

But the same is working through another PA firewall 

What could be it?

Firewall Rules

I was wondering if anyone had any interest or thoughts, but I am tired of always having to build rules for popular products that are not well-documented.  I was thinking of starting a forum to share these common configurations so we all don't have to

PANGFW integration with ESET XDR

Hi everyone,

Can i integrate PANGFW with ESET XDR like Cortex XDR? As i know Cortex XDR can read and understand PA logs and it can creates incidents and alerts via those logs. Can i do it with ESED XDR?

What does FBO stand for

We are troubleshooting something with TAC wherein they asked us to set the FBO to "Software". 

What, exactly, is an FBO? I cannot find any references thereto in the docs besides the CLI reference, and that tells me nothing.

Syslog forwarding to Microsoft Sentinel

hello everyone.

seems we got a weird one here.

So we took the CEF format that the pdf guide says

https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cef/pan-os-10-0-cef-configuration-guide.pdf

heres the weird thing.

we truncated it to

HA Passive interfaces not coming up.

Hi All, I have searched the community before posting however I cannot find a solution for the issue I am experiencing.

We have a very straightforward physical topology. A cisco 9500 sw switch stack operating as a stackwise-virtual chassis. On Switc

Traffic Issues

Hi Friends,

We are seeing this issue with one of our customer in recent few days where a particular destination traffic which should go via security rule are passing via PBF policies which is not expected.

The Destination address which is not spe