Question about upgrading to PAN-OS 11.1.6-h14

Hi There

We are currently running PAN-OS 10.2.13-h7 and are planning to migrate to 11.1.6-h14.
Before moving forward, I’d like to ask if this version (11.1.6-h14) is considered stable and safe to install, and if there are any known critical vulnerabili

Palo Alto QOS configuration question

 created the below QOS configuration to limit the bandwidth to wasabi to 10 mbps on PA 440. When I checked the QOS statistics, the default group is getting used and not the one I created and also the default group is restricted to 10 Mbps. Please gui

Script for pulling disabled rule in set format

Hi Team 
I am trying to pull the details of disabled rule in set format. I am using pan-sdk .
I can pull the complete list but not able to retrieve only rule which are disabled.
And is to possible to pull rule in "set" format or need to use XML API ?

Any

Palo Alto Firewall Migration – VSYS Consolidation

Dears,

We currently have a production environment running on two Palo Alto 5220 firewalls. We are planning to migrate to new Palo Alto 5410 firewalls.

In the existing setup, the firewalls are divided into two VSYS (Vsys1 and Vsys2). Since Vsys1 is no l

Step by Step Radius Configuration for PA-1410

Dear Everybody,

I have a problem in configuring Radius on PaloAlto Firewall 1410 series , I find different manual for different methods as below :

Configuring Administrator Authentication with Windows 2008 RADI... - Knowledge Base - Palo Alto Networks

Palo Alto Kerberos for sso

Anyone hit the same issue before?

2025-08-16 20:35:38.768 +0800 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:218): prof "KRB-SSO", vsys "vsys1" (method: Kerberos pre-auth) has sso hash table id: 1 (0 means no or inv

'cfg.general.need-acknowledgement-to-login': NO_MATCH

I have deployed a new VM series PA FW, however whenever I am trying to login, it is giving 'cfg.general.need-acknowledgement-to-login': NO_MATCH

Any suggestions?

Policy destination field when using URL filtering

I need to write a rule that looks like this

Source zone: Internal

Destination zone: External

Source address: 10.38.105.201

Destination address: This is where it is tricky, I need the destination addresses to be *.myqlink.biz *.med.myqlink.net

Finding IP of threat blocked via DNS Proxy

As our PA is configured at the moment, I see some notifications in the threat logs where a request from the Palo DNS proxy has been blocked from looking up something determined to be spyware.

I can't find a matching log anywhere to indicate the IP

Data plane cpu 100% (pa-3410)

Hello!

We have a PA-3410 in our corporate network, and yesterday we encountered a problem: the data plane CPU reached 100%, and disabling the Decryption rules helped. Are there any solutions to this issue?

Renew of Self Signed SSL Forward Trust Certificate without Root CA

Hello,

I have a self-signed (self-generated) certificate without a Root CA on a firewall, which is used for SSL Forward Proxy to decrypt traffic.

The certificate is valid for 10 day and has been imported on client machines as a trusted root CA.

Th

HA error when configuring

• High-availability ha1 encryption requires an import of the high-availability-key(Module: ha_agent)
• client ha_agent phase 1 failure

Any ideas why this is happening? I have configured 3 other HA pairs with no issue.

PA1

PA2

Security Profile Evaluation

Hey Community!

In Palo Alto NGFW, when multiple Security Profiles (like Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, DLP, etc.) are applied to a Security Policy

How does the inspection happen?

• Is it sequential (one