Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.
About Next-Generation Firewall Discussions

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4550 Views
  • 0 replies
  • 1 Likes

Resolved! DNAT not working

This is my topology. From 30.0.0.10 I would like to access the server 192.168.0.2 with the help of the PA WAN interface IP (30.0.0.1). I have created a DNAT and a Security policy. Object Prenat IP is 30.0.0.1/8 and Webserver IP is 192.168.0.2/24. When I try to open 30.0.0.1 from my web browser I am not able to see the server's web page. I took a cap...


Device Certificate unable renew automatically

Hi All, Previously, the firewall PAN-PA-1420 had "Failed to renew device certificate. Invalid request. Authentication failed" until the device certificate status became Expired. This triggered an alert because the firewall couldn't establish a connection with the cloud service. However, the issue was resolved by manually renewing the device ...

XFF and building Security Policy

Hi all, I would like to know how I would go about creating security policies based off the XFF headers please; any help would be appreciated. I have read the documentation and I have to enable the XFF header: select Device -> Setup -> Content-ID and edit the X-Forwarded-For Headers settings. I need some help after that, so fr...

sxk654 by L0 Member
  • 3951 Views
  • 3 replies
  • 0 Likes

SSL and TLS vulnerabilities

Hi Team, we have 2 Palo Alto VM firewalls running in active-passive mode in AWS. As a part of an internal pentest we got the below findings for the active and passive firewall nodes. The result refers to SSL and TLS vulnerabilities. Could you please suggest how to mitigate this?

Senibo by L1 Bithead
  • 2418 Views
  • 3 replies
  • 0 Likes

Resolved! Custom URL category with directories

Hi guys, I am trying to create a custom URL category to allow only these (s3.amazonaws.com/icount-pdfs), for example: https://s3.amazonaws.com/icount-pdfs/57764_25566fbb6fd6bbab6b0f35eba91bb55e.pdf?17016197031. I have tried: s3.amazonaws.com/icount-pdfs/*, s3.amazonaws.com/icount-pdfs, s3.amazonaws.com/icount-pdfs/. None of these works. Ideas?

chens by L3 Networker
  • 4266 Views
  • 3 replies
  • 0 Likes

PA-450 shutdown not working and device gets rebooted after some time

Hello, I have issued "request shutdown system" to our PA-450, but we didn't unplug the power immediately. After 10 minutes, the system got rebooted. Based on the KB (How to Perform a Graceful Shutdown), the system should be in a halted state; in order to boot the system again, we must unplug the power and plug the power back in. Is this a...

AndyLiao by L0 Member
  • 1750 Views
  • 1 replies
  • 0 Likes

Resolved! Including CVE in Threat Logs

For as long as the Palo Threat feature has been around, I can't believe this feature doesn't already exist. Would it be possible for Palo to include the associated CVE as a field next to the ThreatID? These mappings occur outside of the firewall as part of the ThreatDB or Content Update emails, but not locally on the firewall itself. It would ...

Azure SAML authentication: validate identity provider certificate (best practices)

Hi, we have configured SAML on our portal and gateway. By default Microsoft generates a self-signed certificate that is valid for 3 years for every Enterprise application you create. Is it secure enough to use the default self-signed one and not validate it on my gateway/portal, leaving the check unmarked? According to this article it should be ...

zGomez by L3 Networker
  • 6181 Views
  • 3 replies
  • 0 Likes

Resolved! QoS configuration based on destination (sub)interface on 3400 series

I am migrating a configuration from PA-3200 series device on PAN-OS 10.1 to PA-3410 where minimum version is 10.2. On migration I noticed error messages about destination interface in QoS configuration: network -> qos -> interface -> ae3 -> regular-traffic -> groups -> regular-traffic-group -> members -> aaaa -> matc...

santonic by L6 Presenter
  • 2605 Views
  • 2 replies
  • 0 Likes

How Does Palo Alto NGFW Prevent Unknown CVEs?

Dear Team, I hope all of you are doing well. I have one question: how can PA prevent an unknown CVE on the NGFW? The reason I brought up this question is that I saw that from one vendor to another they have different CVE numbers and IDs. I was wondering if you could advise me. Thanks!

Advanced Wildfire Allowing High Severity Verdicts but blocking Informational

Hi, I have Advanced WildFire in our lab env and have noticed something very odd: when the firewall is submitting any files to WildFire, if they return "informational" they are blocked, and if they return Malicious and "High" the action is allow. This has also been confirmed by the fact that the samples of malware are being blocked by t...

I can't commit after upgrading to version 11.0.2

Hi, I can't commit after upgrading to version 11.0.2 from 10.2.X. For testing purposes, I changed one of the small options and did not make any other changes, but I cannot commit it. Tip: Details Partial changes to commit: changes to configuration by administrators: admin Changes to policy and objects configuration DHCP Client Interface has no...

david.ge by L1 Bithead
  • 1869 Views
  • 1 replies
  • 0 Likes