This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.
About Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Start a conversation

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4597 Views
  • 0 replies
  • 1 Likes

Block Surfshark VPN

Hi All, We have a block for Proxy Avoidance and Anonymizers on our DMZs. But we are able to see that the users can access Surfshark VPN on our SDWAN. Also, I am unable to see any logs on the firewall. Could anyone please help me on how we can block the Surfshark VPN traffic? Thanks in advance.

YeshasNB by L0 Member
  • 4028 Views
  • 3 replies
  • 2 Likes

Resolved! Outbound blocking of incomplete applications

I have security rules in place to block applications such as 'msrpc-base' and 'ms-rdp' from exiting the network. However, I still see logs showing traffic egressing to ports 135 and 3389 with the application being listed as 'incomplete' and session end reason as 'aged-out'. Is this a concern? Should I be creating rules to block the protocol/p...

Resolved! SD-WAN BGP Configuration via Panorama Plugin specific prefix

Hi guys,we have one core Palo Alto firewall and round about 50 Palo Alto firewalls at customer side.All firewalls are managed by one Panorama and on all devices are running PanOS 11.1-4x. The sd-wan license is activated and the sd-wan plugin version is 3.2.1.We like to connect the customer sides via sd-wan to our core firewall but we do not like...

D.Henze by L1 Bithead
  • 1959 Views
  • 2 replies
  • 0 Likes

PAN-OS-11.1.2-h3 - No incomming traffic after upgrade

Hi, We recently upgraded our Palo Alto 1410 Firewall to PAN-OS-11.1.2-h3 from PAN-OS-11.0.4-h1. After Upgrade there was no incoming traffic from external networks. There were no hits or logs showing incoming traffic. Internet Outbound traffic was going through normally. IPSEC VPN tunnels were working normally. Support team checked and wanted u...

I am curious about the processing method in terms of hardware architecture.

Hi I recently compared the H/W architecture of the PA-3200 series and the PA-3400 series and had a question. Looking at the architecture below, it appears that N/W and Security Processing, which were previously separate, have been merged into one starting with the 3400 Series. Does this mean parallel processing in DP? Otherwise, is it just...

YChoi597679_0-1729644217845.png
YChoi597679_1-1729644272945.png

error in placement of IPS diagram

this picture shows the IPS before the firewall : https://www.paloaltonetworks.com/cyberpedia/firewall-vs-ids-vs-ips#ips BUT in the matrix belowyou state that an IPS is: Positioned right after the firewall, before the internal network.Thanks for the whole page, very educational, but that one discrepancy is killing me, it makes me wonder if I am...

edwardpw by L0 Member
  • 652 Views
  • 0 replies
  • 0 Likes

CPU issues on PA-3410

Hi Team, Need some help with respect to below query: Issue - We are using PA-3410 in our environment. We are monitoring this device using Logic Monitor tool. Our monitoring team states that they monitors CPU and memory utilization for Palo Alto devices using the “show system resources” command using API key instead of using SNMP OID. Our mon...

SSL policy rule and needed match application values

Hello, I have a quick question in regards to SSL decryption and policy match values. If I have SSL decryption, and I want to allow 'facebook-chat' for example, I know a policy rule with the app facebook-chat and it's dependencies 'facebook-base,mqtt-base' is needed. I also understand that the implicit use applications will be allowed through t...

Punite by L1 Bithead
  • 779 Views
  • 0 replies
  • 1 Likes

Please check the Max Decrypt session value of PA-3410.

HelloI'm curious about the number of SSL Decrypt sessions for PA-3410.I could see this on the product comparison site before, but I can't see it now.A customer using Decrypt wants that information.It's not even in the spec sheet or data sheet, where can I check it?- Max concurrent decryption sessionsI'd appreciate it if you could tell me

Rule UUIDs Always Change

Greetings Community! Apologies if this has been answered in a previous thread- I couldn't find anything... When exporting configuration files from PA-3220 I have noticed that sometimes the rule UUIDs are different than the previous config dump and sometimes they are the same. Can someone please explain why this is? What causes the rule UU...

Global Protect Custom Setup

Hi Guys I have 5 separate GP Captive Portals and I want to make a custom setup for all of them separately. I will deploy them separately from the network. Can we change the global protect msi package? I heard it can be done from Expedition, is it true? So how do we add the relevant portal into the msi package?

Fly_Al by L0 Member
  • 693 Views
  • 0 replies
  • 0 Likes

Resolved! Not able to apply QoS profile to interface

I am preparing firewall for interface change, and moving 2 sub interfaces to a separate aggregate ethernet. Current AE1.10, .20, .30, .40 Upcoming AE1.10, .20 AE10.30, .40 I have already created aggregate and its subinterfaces and are disabled, added fake IP/s routes and created NAT rules using new interfaces, to make it easier on the chan...

raji_toor by L4 Transporter
  • 7467 Views
  • 12 replies
  • 0 Likes
  • 1586 Posts
  • 61 Subscriptions
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks