This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.
About Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Start a conversation

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4562 Views
  • 0 replies
  • 1 Likes

Resolved! If a specific CPU core is processing 100%, are new sessions processed by other cores?

Hi Team, If there are 6 DP CPU cores, and 1 of the 6 is processing 100%, will the new session be transferred to another core for processing? Sessions are classified using 5-tuples, but the problem is that if the DP CPU core assigned to the session is 100%, is there an internal mechanism to send it to another core? Please let me know. Tha...

SSL No-Decrypt issues

Hello, I'm testing on two different versions of PAN-OS (11.0 and 11.1). There's a couple of issues I'm noticing with decryption/no-decryption. I have a profile setup for no-decrypt in which healthcare-and-medicine is a category that isn't supposed to be decrypted. What I've noticed is that when HTTP/2 decryption is enabled, sometimes the fire...

Incorrect Geolocation classification

We have a user trying to connect with Global Protect from South Africa on IP 102.22.126.232This IP belongs to an ISP in South Africa, and is matching correctly on https://ipinfo.io/102.22.126.232 to be in Cape Town However, when looking up the IP location on any of our Palo Alto Firewalls, all of them match this to MU (Mauritius )This is incorre...

Packet Capture is getting on automatically in Palo Alto firewall

Hi Friends, We have a customer who is facing issue with Packet Capture. Due to few MP Issues we have asked the customer to reboot the firewall. After reboot customer has observed that in Packet Capture the options Filtering and Pre-Parse Match is turning on automatically. I was wondering is it an expected behavior or where can we check why it ...

4.png
Satyak by L3 Networker
  • 1132 Views
  • 1 replies
  • 0 Likes

HIP Check on Patch Management

I want to check if we can block connections if a device is missing critical patch (released May 2024) or any other critical patches within the last n months (where n is a user-defined timeframe).Can this be achieved with HIP configuration?

Resolved! Integrating FortiAuthenticator with PA Firewall for Multi-Factor Authentication on GlobalProtect

Hello, I need to integrate my FortiAuthenticator, which is located at a remote site, with my PA firewall to add additional authentication factors for users connecting to GlobalProtect. I haven't been able to find the documentation and procedures to accomplish this. I would appreciate it if someone with experience in this could provide the nece...

hamza_d by L1 Bithead
  • 6872 Views
  • 5 replies
  • 0 Likes

VPN over Multiple ISP connections

Hi, I am new to the PA world and I have the following design been given to setup. I am trying to find the best way to do this. I have done in Fortinet by creating SDWAN interface and it worked but not sure if Palo has the same kind of setup. If someone help me that would be great. Site Firewall -- 1.100 and 1.200 ( sub interfaces ) -- ( T...

gondolf by L1 Bithead
  • 2415 Views
  • 1 replies
  • 0 Likes

Log Retention for PA-1400

Hi, Specifically for PA-1420, I aware the storage capacity is 240GB. Is there anyway I can know the duration of log retention for 700 users? From what I understand, log retention is affected by the space on disk, not on the number of user. When you run out of it, firewall will automatically deletes oldest entries in that specific log, whethe...

Send File to CDL Receiver Failed

Hi all, I have a PA-440 currently at 10.2.7-h3. After performing PAN-OS upgrade, there is an error on telemetry stating "Send File to CDL Receiver Failed". I found a similar article and applied the suggestion by retrieving the license key again but with no successful. https://live.paloaltonetworks.com/t5/general-topics/enable-device-...

Black_Sunglass_0-1710311214322.png

Resolved! Distributed VPN attack

Recently we experience distributed VPN dictionary attack on our Palo Alto Global Protect from different countries, ISPs and hundreds of IP addresses. Since we have MFA the attack was unsuccessful so far but I want to stop it somehow. The malicious actor seems to adopt the attack to our protection measures. Originally it was addressing our Global...

Unable to get PCCET Certificate

Dear ALL, I have completed all my exam for PCCET certificate but i am unable to get the PCCET certificate. i have completed below exam and attached the certificate. SASE Fundamentals Cybersecurity Fundamentals Security Operations Fundamentals Cloud Security Fundamentals Network Security Fundamentals Please help me to get the PCCET Certificate.

1507dayalpathak_0-1717477173584.png

Allow dark trace rst packets

We have a 5220 at the core of our network making east / west decisions between LAN segments and dark trace (DT) appliance. I currently have the DT appliance configured to take autonomous action with DT respond. One of the ways DT enforces this is by sending TCP RST packets to the "infected pc," by spoofing the source and/or destination IP addre...

can not create Costomer Application to override google-cloud-storage-base for specific URLs

Hello everyone, On a required page the application google-cloud-storage-base is used as CDN:https://storage.googleapis.com/abc-bca-ger/uploads/....At the same time, the google-cloud-storage-base application should be blocked for all other purposes. To achieve this, I have tried to create a user-defined application. In the first step I tried e...

DenisB_0-1717397271175.png
  • 1589 Posts
  • 60 Subscriptions
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks