Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4550 Views
  • 0 replies
  • 1 Likes

block yahoo mail

Hello Everyone, Does anyone have a way to block Yahoo web-based email without enabling decryption? 1. I have read through the forums, and tried blocking with a URL Profile with the following url configs. *.mail.yahoo.com *.mail.yahoo.com/ mail.yahoo.com mail.yahoo.com/ *.mail.yahoo.com/* mail.yahoo.com/* 2. I have also tried just blocking ...

AZURE Entra MFA for admin access via CLI

We are easily able to set up MFA for the Web UI for the management port via SAML and Entra SAML auth. We have run into some challenges I was surprised exist. First, here are the requirements and goals: PA VM series firewalls in AZURE. No on-prem AD, ISE or Kerberos dependencies. Our goal is to be 100% cloud based. MFA to manage the PA for both ...

Carleton by L3 Networker
  • 1564 Views
  • 3 replies
  • 0 Likes

Migration problem from PA220 to PA540 - Virtual Router

I want to migrate from a PA220 with PAN OS 10.2.17 to a PA540 with PAN OS 12.1.3. I've exported the configuration from the old PAN, and imported in the new PAN. Everything looks fine clicking through the various configuration settings. However on commit there is a problem: deviceconfig -> setting constraints failed : Disabling advanced rout...

daubsi by L1 Bithead
  • 1101 Views
  • 2 replies
  • 0 Likes

Update from 10.1.14-h13 to 11.1.13

Hello, We have a VM500 Active/Active cluster activated through the credit system. I have a question about licensing VMs in version 11.1 using credits. Previously, the VM series had limitations on the number of allocated VCPUs and memory, meaning, for example, a VM500 was only allowed 8 VCPUs and 16 GB of memory. I looked at the documentation a...

Device Certificate Enforcement Issue Encountered

Hi, I am following the instructions to apply the device certificate, but I am blocked by the following error: “Unable to execute OTP install operations command to some firewalls. Please identify the firewalls that failed the process from Panorama and retry OTP.” I followed the instructions provided in this link: https://live.paloaltonetworks.com/t...

Resolved! "More runtime stats" not loading when Advanced routing is enabled

Hi, I believe I've run into a bug where I'm unable to load virtual router "Runtime stats". We’re experiencing this issue across several of our firewalls where the Runtime Stats view for routes will not load. Because of this, we’re unable to view Static Route Monitoring status or the Forwarding Table from the GUI. Routing itself appears to be w...

IPSEC VPN for the FW MGMT

Hi There, I would like to establish an IPSEC VPN connection between the Palo Alto firewalls and the Fortigate. This setup is necessary to allow remote access to the Palo Alto firewalls from the Citrix servers. This is for Management connectivity. The inquiry is, IPSEC VPNs are generally configured to facilitate the passage of data traffic 1. I want...

Windows Update - automatic policy without manual address definition

Hi, is there a way on Palo Alto firewalls to allow Windows Update traffic without manually defining a list of addresses? For example, is it possible to create a policy that automatically determines or updates the list of these addresses, without requiring manual administrator intervention? I would appreciate any information on whether such solution...

Resolved! HA on a PA-450 using Strata Cloud Manager

I’m attempting to configure active/passive HA on a PA-450 using Strata Cloud Manager as per this guide: https://docs.paloaltonetworks.com/ngfw/administration/high-availability/set-up-activepassive-ha/configure-active-passive-ha I’m aware a PA-450 doesn’t have dedicated HA ports, however when using Panorama I can set Eth1/7 & Eth1/8 to HA mod...

Max number of units (aeX.Y subinterfaces) supported under a single AE interface?

Hi Team, I’m looking to confirm the maximum number of units (aeX.Y subinterfaces) that can be configured under a single Aggregate Ethernet (AE) interface on Palo Alto firewalls. Specifically for models like PA-440, PA-450, PA-820, and PA-850, and across recent PAN-OS versions: • What is the hard platform limit for aeX.Y units per AE? • Are there a...

VivekMs by L1 Bithead
  • 2293 Views
  • 2 replies
  • 0 Likes

Strange IP exiting our network and erasing its logs

Hi everyone! Good Afternoon, I'm from Brazil, and my organization has two appliances PA 3220 in HA. This morning we've noticed some suspicious traffic exiting our network with IPv6 ::b638:2a0a:ffff:0 (for example), there was more than one of those IPv6. The payload was huge, something about 4.2GB. Can this be a data exfiltration attack? Could ...

UNIRIO by L1 Bithead
  • 3023 Views
  • 2 replies
  • 0 Likes

Palo Alto for email security

Hi All, I would like to inquire whether Palo Alto Networks provides an on-premises email security solution. Specifically, we are looking for a product or platform that can handle email threat prevention, anti-phishing, and malware detection within our local infrastructure, rather than a cloud-based service. Could you please share information abou...

PAN-OS 10.2.17 HA A/P - Mgt interface reported as duplicate IP of data interface

After installing PAN-OS 10.2.17 to a PA-440 HA A/P pair (to address CVE-2025-4615 PAN-OS: Improper Neutralization of Input in the Management Web Interface), 'duplicate IP' system logs reported where the stated MAC address appears to be the fw mgt interface. This is reported as a duplicate of the 'facing' data interface. Example: Received c...

Azure to OnPrem Connectivity issue

We have migrated our on-premises firewall from FortiGate to Palo Alto and are experiencing an issue with VPN traffic routing that previously worked as expected. We have an Azure Point-to-Site (P2S) VPN and an Azure-to-Corporate Site-to-Site (S2S) VPN. A P2S client with IP address 10.40.1.2 is unable to access resources on the Corporate LAN (19...

H.Thiam by L2 Linker
  • 4814 Views
  • 2 replies
  • 0 Likes
  • 1588 Posts
  • 60 Subscriptions