Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4508 Views
  • 0 replies
  • 1 Likes

User-ID with Azure AD

Hey all, I've set up User-ID with on-prem AD servers a few times - quite straightforward. My question is, how do I set up User-ID when my customer uses Azure AD (with no on-prem servers)? I need to somehow get the user-to-IP mappings on the firewall but pulled from Azure AD but not sure how it's done. I did see/hear about the "Cloud Identity En...

Palo Alto New User ID Agent Adding to Firewall

Hi All, We want to add a new User-ID Agent to our Palo Alto Firewalls and remove the existing User-ID Agent from the Firewalls. The reason is the current User-ID Agent is hosted on Windows 2012 and we are going to decom that Windows server. We will install the new User-ID Agent on a new Windows Server 2022. We already successfully added new User-ID Agent on Fi...

EvanRaci by L1 Bithead
  • 1510 Views
  • 1 replies
  • 0 Likes

Palo Alto Site to Site IPsec VPN went down

Hi, We've set up a Site to Site IPsec VPN between Palo Alto Firewalls. The tunnel was up and working but it went down after some time. Looks like the tunnel went down because there is no traffic passing through the tunnel. Every time we need to trigger the IPsec tunnel by using >test vpn ike-sa gateway to bring it up. How can we configure the tunnel t...

EvanRaci by L1 Bithead
  • 2495 Views
  • 2 replies
  • 0 Likes

VPN internet access

I have set my VPN access with no split tunnel so the users get their internet access through the VPN. Even though I cloned the security rule to the internet from the one used when you are onsite, it does not give the same access to those on the VPN and I need access via VPN to be exactly the same as onsite. Let me know if any...

Resolved! Palo PA-450 High Availability ports

Hello everyone, wanted to deploy a pair of PA-450s in HA and I understand there are no dedicated HA ports on this model so we need to use data ports - I could not find a deployment guide for the PA-450 to address HA specifically and I assume you could use any data port, but does anyone have any experience with selecting ports for HA? Does it matter...

bormanb by L0 Member
  • 6455 Views
  • 3 replies
  • 0 Likes

TCP-RST-from-CLIENT

Hi Friends, We have a requirement we have cloud server Oracle cloud. Whenever a user from LAN tries to access the resources over the cloud, the user is able to log in but unable to access any resources. While checking in logs it is showing tcp-rst-from-client. I am attaching the screenshot and session flow for reference. I am also attaching the wire s...

Satyak by L3 Networker
  • 5981 Views
  • 2 replies
  • 0 Likes

HSCI port - 5410

Hello All, I'm trying to spec the SFPs for PA-5410s & per the below documentation. https://docs.paloaltonetworks.com/hardware/pa-5400-hardware-reference/pa-5400-series-firewall-overvi... The HSCI port is a 40G port & Palo Alto Networks recommends that you use an active or passive QSFP+ cable. As per the below documentation of P...

Resolved! Not updating low traffic session status with hw offload enabled

PA-32xx series with 10.1.9 (issue showed up after upgrade). There is a long-lasting SSH session where only something like a keepalive is sent every 5 minutes or so. With hardware offload enabled, this traffic is not registered in the dataplane (session stats are not increasing even though there is traffic for that session) and subsequently TTL is not...

nikoo by L3 Networker
  • 4535 Views
  • 3 replies
  • 0 Likes

snmp configuration question

As we all know, SNMP can be configured at Setup -> Operations -> SNMP Setup. The SNMP community string default is "public". I would like to ask: 1. Is this the read-only string or the read-write string? 2. Do we set the read-only string for the device?

Multiple vsys share one pair of WAN circuits?

I have 4 vsys that are currently using individual ports to connect to the WAN circuits. I need to free up ports for additional vsys, and would like a shared circuit port for the multiple vsys to use. I've tried a layer 3 interface with sub interfaces, one for each vsys, tagged vlans 11,12,13,14 for example, trunked to a switch, but I'm getting p...

ZNetEng by L0 Member
  • 1390 Views
  • 1 replies
  • 0 Likes

IPSec VPN Negotiation Issues

Dear Members, Greetings to all! Currently, I'm using a site-to-site multiple VPN configuration with a Palo Alto firewall to different vendor sites. All of the tunnels are working fine, VPN OK. My main problem is inside of my firewall public internet down then coming to UP in case, some of the tunnels came up and show green. But one of the tunnel st...

Url access error

Hello Team, I am getting this error in the EDL, also confirm URL and certificate are correct. Gone through this KB: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-release-information/known-issues/known-issues-related-to-pan-os-9-1-releases/pan-os-9-1-13-known-issues#idd45332c3-ff37-42df-a84c-a418356feb7d ---- ...

Query: SAML Integration Failed

Is there a way or integration to use a third-party MFA solution to log in to the Palo Alto firewall as administrator? Can a SAML profile be added to an authentication sequence? Furthermore, if the SAML profile cannot be added to the authentication sequence, what happens when the login fails? Can the user still log in using the local account?

Resolved! LDAP authentication profile not listing in authentication settings

Hi, I have a problem in adding LDAP authentication profile to the authentication settings in Device>Management. I have also tried creating a new authentication profile with LDAP in it. But getting the below error "system -> authentication-profile 'LDAP_AUTH_WEBGUI' is not a valid referencesystem -> authentication-profile is invalid" ...

jeromej by L1 Bithead
  • 12701 Views
  • 15 replies
  • 0 Likes

Troubleshooting traffic being blocked based on IP - FQDN rules

Trying to find which FQDN object in my FQDN cache resolves to an IP. show dns-proxy fqdn all | match <ip> shows me that it's in my cache, but doesn't show the FQDN object name, so it doesn't really help. I'm not sure if there's a way to dump this to a file or something, or a more straightforward way to do this. Any insight is appreciated. ...

  • 1794 Posts
  • 60 Subscriptions