Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4551 Views
  • 0 replies
  • 1 Likes

Wildcard certificate-GPVPN certificates

Just imported new wildcard cert for firewall management GUI as the existing one is expiring soon. Certificate first imported to Panorama then pushed to Primary & Secondary firewalls (Active-Standby). Certificate is showing valid for Panorama but not for primary and secondary firewalls. Do we need to restart any services for the new certifica...

High Disk Space Usage on /opt/pancfg partition

Hi Mates, I am getting alerts on /opt/pancfg utilizing 90%. However I deleted the old, downloaded software and dynamic updates (around 1.5Gb file) but still space utilization is same as 90% using below KB. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLSJCA4 Filesystem Size Used Avail Use% Mounted on /dev/md2 3.8G...

GP-Agent, Allow with Ticket to disconnect the GP-Agent

Hi everyone, I have a use case to disconnect the GP agent through the ticket. By following up on the admin guide I configured it. But it's not working. I have attached screenshots of the error message. Configuration part: In Portal, Agent >App settings >allow users to disconnect GlobalProtect App(Always-on-mode)----Allow with Ticket. Th...


Palo Alto - Security rules best practice for web filtering delegation

Hi, We deploy multiple PA-220 and configure them through a unified Panorama. The need is to provide local administrators with the ability to manage a part of the web filtering to do things like add/remove a website from the allow/blocklist URL category that has been defined locally. The biggest challenge to us is in the way Palo Alto han...

What is the Certificate Chain of Trust?

The Chain of Trust refers to your SSL certificate and how it is linked back to a trusted Certificate Authority. In order for an SSL certificate to be trusted it has to be traceable back to the trust root it was signed off of, meaning all certificates in the chain – server, intermediate, and root, need to be properly trusted. There are 3 parts ...

rmeddane by L2 Linker
  • 3065 Views
  • 0 replies
  • 0 Likes

Aggregate interface behaviour

Hi All, Facing an issue where doing a failover with aggregate interface is not working. Example: if I unshut any one link from the aggregation link of the passive firewall and shut both interfaces of the aggregation link of the primary firewall, the firewall still doesn't switch its state from passive to active or vice versa. Is it firewall consider aggregate inter...

Migration from PA-3060 to PA-3260

I'm seeking advice regarding a migration from a PA-3060 HA pair with PAN-OS v9.1.X to PA-3260 HA pair v10.2.X. I understand that to have minimal issues for the migration, it is recommended to have the same OS version. From the Compatibility Matrix shown here, I can see that I am able to downgrade PA-3260 to version 9.1.X for the migration. ht...

Packets retransmission captured in packet capture on firewall but still seems dropping

Recently trying to debug a possible packet dropping issue at firewall (screenshot attached for reference). The issue is appearing when I try to make request to my server from my iOS device, some API calls work OK but often a few of those fail with 503 error code and this happens randomly against different APIs. When I looked at the firewall the ...

Is the Post-NAT Zone for security policy for Source zone and Destination Zone?

I read the following from the Palo Alto study guide: A Security policy rule requires a source IP, destination IP, source zone, and destination zone. If you use an IP address in a Security policy rule, you must add the IP address value that existed before NAT was implemented, which is called the pre-NAT IP. After the IP address is translated (p...

rmeddane by L2 Linker
  • 9469 Views
  • 2 replies
  • 0 Likes

User ID - Ignore User list

Hi, I have added a few users to the "Ignore User list" for user-id configuration. But when I checked the User-IP mappings I still see the user-id is mapping the username with IPs even though the usernames are in ignore list. Any suggestions on what to check here?


Resolved! HA pair not synchronizing

Hi all, I have a PA-220 HA pair without licenses running on PANOS 9.1.13-h3. Recently I had an issue with a HA passive Firewall, so it had to be replaced. I extracted the active firewall's running-config and uploaded it into the new passive one. I was able to synchronize App&Threat version by re-installing the active's FW current version. ...


IPSec VPN Tunnel Interface with IP Addresses

I read the following example of Site to Site VPN IPsec with static routing : https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/site-to-site-vpn-quick-configs/site-to-site-vpn-with-static-routing In the figure the example shows that both Tunnel Interfaces on the peers VPN are 10.10.10.10 and 10.10.10.11 in the same s...

rmeddane by L2 Linker
  • 4635 Views
  • 5 replies
  • 0 Likes
  • 1588 Posts
  • 60 Subscriptions