Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4631 Views
  • 0 replies
  • 1 Likes

Microsoft Defender Outbound traffic policy

Trying to slim down a rule for outbound traffic with clients using MS defender. I built a custom URL list of the defender urls provided by MS. Added it to the policy under service/url category. The apps used are ms-update, ssl, web-browser, windows-defender-atp. The issue is I see traffic hitting ssl in the logs with url category as "any" whic...

PBR using Route failover

Hi All, Our organisation purchased two MPLS links and wants to configure a PBR like such: 1) All intranet traffic like dns, ntp should go via primary MPLS 2) All internet related traffic should go via Secondary MPLS 3) In case Primary MPLS goes down all traffic (intranet and internet) should go via Secondary MPLS and vice versa. Please let m...

Disabled Application in VSYS1

I have received a high risk alert on PA3250 IOS 9.1.16 "Disabled applications in vsys1: 104apci-unnumbered-startdt-act 104apci-unnumbered-startdt-con 104apci-unnumbered-stopdt-act 104apci-unnumbered-stopdt-con 104apci-unnumbered-test-act 104apci-unnumbered-test-con 104asdu-file-transfer-type120 104asdu-file-transfer-type121 104asdu-file-transf...

Elaboration on the differences between the PAN-OS root certificate, the device certificate, and the certificate under cert management?

I've been requested to get as much information as I can on this topic, and I've found a good one on Reddit. A piece of info that I found on Reddit It's great, but somehow I still need much more elaboration on this. Could anyone provide me a document that elaborates on the differences between the PAN-OS root certificate, the device certificat...

MFEC by L0 Member
  • 5391 Views
  • 4 replies
  • 0 Likes

Resolved! Block privileged accounts from accessing the Internet

My company wants to block privileged accounts from accessing the internet on our servers using the Palo Alto firewalls. My first thought was to allow certain apps like ms-update and things of that nature to allow the access then block http and https right under that rule, but I'm not sure that would work. The company actually wants the privile...

Not able to log in to URL from behind the Palo Alto

Dear Team, Greetings! We are trying to access one URL from behind the Palo Alto. It was accessible but we are not able to log in to that URL, and when we checked using a mobile hotspot the login was successful. Additionally, we checked the traffic logs and created a new security rule for the specific source to the destination to allow a...

Resolved! Need clarification on URL Filtering logs

Hi everyone, Please help me get through this. We have configured a PA-450 firewall and everything is working fine as expected. But we have used the option URL category in the security policy without a URL filtering profile for all user groups. Which is working fine but I can't see any URL user activity report. But we need a block URL summary report. T...

Arun_R by L1 Bithead
  • 2715 Views
  • 3 replies
  • 0 Likes

Layer 2 network extension

Is it possible to extend the layer 2 network over the layer 3 network to the other site using Palo Alto? Basically I am trying to extend the VLAN to the other site. Not sure if this can be achieved with Palo Alto. Any suggestions are welcome.

Resolved! PA-220 shows alarm true for S1 12.0V IN B Power Rail

Hello Team, We have a PA-220 in our environment and we have received an alert which shows alarm is TRUE for 12.0V IN B Power Rail and voltage is 1.57 which is less than the min and max value. This is a standalone firewall. Please advise how I can proceed in this case. Can this impact our production? Below logs are for your reference: >...

Running 11.1.2 in production

Hi everyone I read that 11.1.2 is now the preferred release for 34xx, and desiring to upgrade due to some of the new features, I find myself concerned about this known issue: PAN-224763 - A TDB engine version mismatch issue affecting all firewalls, which in turn produces heartbeat failures, can cause the firewall to crash when installing conte...

SomeSuch by L1 Bithead
  • 2474 Views
  • 2 replies
  • 0 Likes

Firewalls communicating to public IPs on Management Interface

We are currently seeing the Management Plane of our Palo Alto Firewalls communicating to the following IP-Addresses: 34.96.84.34 107.178.249.217 35.238.108.32 This communication occurs on different Platforms. We see more activity since PAN-OS 10, currently on PAN-OS 10.2.3 Disabled all telemetry on the firewall Disabled PAN-OS Edge Service N...

mattlede by L1 Bithead
  • 7262 Views
  • 4 replies
  • 1 Likes

AWS-Palo VPN Phase-2 Rekeying

Hi Team, We have an issue with AWS Site to Site VPN, where we can see continuous rekeying of Phase-2 tunnels. It's a PA-3220 HA pair. It started happening recently as we can see previously the rekey did happen only after the Lifetime expired (Phase-2 Lifetime set to 3600 sec on both Palo and AWS). This VPN has been in place for over a year with...

Resolved! Security settings on NGFW to block dangerous user agent

Hi All, Good morning! I would like to get guidance from you regarding how to block user agents on Palo Alto NGFW. I mean, when I am managing Web Application Firewalls (WAF) from another provider, I am able to configure a section within the security section in the WAF, where I can block bad bots, and any other bad user agent (e.g. python, Go lan...

  • 1597 Posts
  • 61 Subscriptions