Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4510 Views
  • 0 replies
  • 1 Likes

PAN-DB URL Filter expired even if Advanced URL filtering is still valid

I purchased a service bundle for my PA firewall, PAN-PA-220-BND-LAB4-R, which includes PA-220 Lab Unit Renewal Service Bundle (Threat Prevention, DNS, PANDB URL Filtering, GlobalProtect, WildFire, SD-WAN, Standard Support) Period. After activation, I retrieved the license key from the license server and found the Advanced URL Filtering is valid u...

sysint by L0 Member
  • 2715 Views
  • 1 replies
  • 0 Likes

PA 3260 Policy Rule losing DNS resolution to FQDN-defined site - 4.19.23

We have a policy rule that contains an FQDN-defined website destination (yandr.wiredrive.com). When initially configured to pass traffic to required cloud-based resources, DNS resolution to the wiredrive.com site would happen regularly, usually after an hour or so. A Palo Alto knowledgebase article about the Fast-DNS caching used by cloud-based ...

getting system alerts

Hi Team, we were frequently getting system alerts such as "PANDB: Authentication or Client Certificate failure". After we restarted the management server we didn't get the error for PANDB, but now we are getting "failed to resolve host wildfire paloaltonetwork.com". Kindly help me to resolve this case and please let me know why we got the PANDB error ...

SSL Decryption Exclusion - What does "Obsolete (Enable me to clean)" mean?

When viewing the SSL Decryption Exclusion list you can click to see obsolete entries. When you do they say OBSOLETE (Enable me to clean) - what does that mean? If you enable it then it will get removed? I'm not certain what this is trying to tell me other than the obvious but how does it actually work? What "clean"-ing is it talking about?

DNS Proxy

Hey, I am configuring an isolated VLAN and I need some static DNS entries to be "supplied" to the clients instead of exposing our internal DNS servers. I thought about using the DNS Proxy feature, but I seem to be stuck. 1) When DNS Proxy is enabled, is it enabled across all interfaces and if a client configures the FW's IP as a DNS the PA shoul...

Cannot see an option to select the management interface for HA1 backup link - PAN-OS 10.2.4

I'm trying to configure HA Active/Passive on a pair of PA-5410's running PAN-OS 10.2.4. I'd like to use the dedicated HA1-A port for the primary HA1 link and the management interface for the HA1 backup link but I cannot see an option to select the management interface for HA1 backup link.

Palo Alto Migration

Currently, we have 2 3020s in our production network but I am also tasked with setting up two new 3410s to replace the current setup. I have gone through the initial setup and committed the admin password change. I have a current config backed up, I edited the XML file to set the mgmt interface IP to 192.168.1.1 /24 so I can access the web inter...

Proxy ARP for Private VLAN?

Is there a 'proxy arp' interface command (or equivalent) to allow l3 communication between isolated devices on private VLANs? I am looking to move our DMZ to a private VLAN. I would like all ports to be isolated, but allow some communication between certain machines. This is where I would generally set up 'proxy arp' on the router to allow l3 ...

BackUp Firewalls

Hi Team, What is the best solution to back up our firewalls? As we have standalone firewalls we need to make sure we have backups collected and stored. Please let me know the best way. Thanks. Regards, Sanjay S

HIP match log not found

In PAN-OS 9.1.15-h1, I have configured a HIP object and also called it in a HIP profile. The agent submits the HIP data to the firewall, but even after that no log is found in the HIP-Match log. I then changed it to try a HIP match on OS as Windows, and that too had no matches. In the GlobalProtect log it is found that the gateway HIP report is successful but there is...

X-Forwarded-For on Threats logs

What does the article below mean? https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/identify-users-connected-through-a-proxy-server/use-xff-values-for-ip-based-security-policy-and-logging For non-URL Filtering logs, XFF IP logging is supported only when packet capture is not enabled. -->> It means that the XFF IP is visible only whe...

CIE(Cloud Identity Engine) Deactivated?

Could not understand why the CIE account was deactivated. It was set up to sync with Azure AD and one on-prem DC. And at least one firewall was configured to use it. Is this caused by the 3 month certificates? Also, are these certs meant to be renewed manually every 3 months? If so, it's very challenging to use CIE for on-prem infrastructure. Does...

raji_toor by L4 Transporter
  • 1377 Views
  • 0 replies
  • 0 Likes
  • 1794 Posts
  • 60 Subscriptions