Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4550 Views
  • 0 replies
  • 1 Likes

How to Patch Vulnerability - Plugin 43160 (CGI Generic SQL Injection) on GlobalProtect

Body: We have detected a blind SQL injection vulnerability (Plugin ID: 43160) on GlobalProtect login CGI (/global-protect/login.esp) using Nessus. Details: - CVSS Score: 7.5 (High) - Affected Parameter: 'action' - Example: /global-protect/login.esp?action=';WAITFOR DELAY '00:00:3';-- Environment: PAN-OS version: [Your Version] GlobalProtect ...

Resolved! Inquiry Regarding CEF Configuration Guide and Custom Log Format Variables for PAN‑OS 11

Attention: Global TPM team Question ①: Regarding the CEF Formatting Guide for PAN-OS 11 The following link contains CEF formatting guides for various versions of PAN-OS, but I cannot find a guide for PAN-OS 11. https://docs.paloaltonetworks.com/resources/cef Is it correct to understand that the CEF configuration guide for PAN-OS 11 is not current...

Issues with credit card processing terminals

We have about 560ish credit card terminals from Bank of America, the hardware is from PAX. We are constantly getting reports of transactions failing due to “communication” issues with BoA. It’s not just one terminal and it’s not every single transaction. It’s random terminals and it’s random transactions. BoA is telling us that the transactions ...

andber by L0 Member
  • 782 Views
  • 2 replies
  • 0 Likes

port issue / nmapping

Hi everyone, I’m facing a strange issue and would appreciate your input. We created a security policy to block certain ports. When we check the traffic logs and packet captures, they clearly show that the traffic is being dropped. However, when we run an Nmap scan, it still reports the ports as open, even though they should be closed. I also che...

wally4 by L2 Linker
  • 2122 Views
  • 11 replies
  • 0 Likes

About UIA SSL connection

Hello Team, I'm currently dealing with an issue where UIA is unable to validate certification. The certificate does not have a SAN setting. I plan to change the certificate to one that has both CN and SAN set, but have not been able to do so yet. The certificate validation has occurred since applying an OS patch, so I have asked the OS ven...

Upgrading Active/Passive pair, pause in between upgrades?

When upgrading PAN-OS on an Active/Passive pair, does any pause for 1 or more days after upgrading the first firewall (and before upgrading the second firewall)? The idea here is we will have a bit more time to test for issues. If there is a failure post upgrade, we will have the option to suspend the upgraded firewall and make the firewall th...

jambulo by L4 Transporter
  • 1467 Views
  • 4 replies
  • 0 Likes

Resolved! Best practices for Palo Alto security policy when destination IP/FQDN is dynamic or unknown

Group Company A is implementing surveillance cameras and requires communication to send data from the cameras to an external cloud server. The cloud server (destination) cannot be restricted by IP address or FQDN (only ports can be restricted), so IP addresses and FQDNs must be opened with ANY. ※ Restricted ports are TCP 443 (HTTPS), UDP 123 (NT...

Question regarding source NAT in S2S VPN

Hi All, I need to create a S2S Tunnel to a customer. We need to reach 1 Server on their side (e.g. 192.168.100.1). The connection is needed from multiple Hosts from 2 different Subnets on our Side (10.0.112.0/21 and 172.18.2.0/24). The customer does not want to allow both subnets instead they want to allow only 1 IP. Now my question is: Is it pos...

shaq4242 by L0 Member
  • 1049 Views
  • 3 replies
  • 0 Likes

while do the factory reset of pa 5250 showing error: findfs: unable to resolve 'label=sysroot0

Hi, We have Palo Alto 5250 we have forgotten the password so we are planning to do factory reset of the device but we have done factory reset too but while completing the percentage automatically it reboots and went again maintenance mode when we click the factory reset again it's Looping again and again same maintenance mode if go disk image al...

Unable to block download and upload for chatgpt and messengers

Hi Friends, Recently I am trying to achieve a requirement where I want to allow messenger and chatgpt in my network but files uploading and downloading should be blocked. I tried configuring decryption and file blocking profiles along with two separate policies blocking chatgpt-base and messenger-base applications. I am able to decrypt the...

Satyak by L3 Networker
  • 916 Views
  • 2 replies
  • 0 Likes

Resolved! Backup Peer HA1 IP Address ?

Just completed the PALO BPA and we have a recommendation for "No backup to the HA1 peer IP address is configured". We've tested failover and it works perfectly but my understanding is that this is in case the primary HA connection went down. I read different opinions that using the management interface IP for this is fine? Has anyone done that? And i...

Walt by L1 Bithead
  • 857 Views
  • 1 replies
  • 0 Likes

Resolved! PAN-OS HA UPGRADE PATH

Hi All, Please I'm upgrading a Palo Alto firewall in HA mode remotely, I'm having some issues with remote access and for me not to lose access and be able to finish my upgrade is it ok to upgrade the Passive first before failing over to the passive and then upgrade the Active?

Resolved! About PAN-300837

Attention: Global TPM team, Hi, I have a question about PAN-300837. // PAN-OS 11.1.13-h1 Addressed Issues https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-13-known-and-addressed-issues/pan-os-11-1-13-h1-addressed-issues Q1) How often does this issue occur? Best regards, MasaW

MasaW by L2 Linker
  • 1207 Views
  • 2 replies
  • 0 Likes
  • 1588 Posts
  • 60 Subscriptions