Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.
About Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4656 Views
  • 0 replies
  • 1 Likes

Resolved! IPSec Dynamic Peer VPN, failure to send traffic over attached tunnel interface

Is anyone aware of a known issue with sending traffic over an IPSec tunnel interface when using multiple dynamic peers with FQDN (host) peer identification? I have multiple existing branch locations connected to the PA with IKEv2 IPSec tunnels using dynamic FQDN (host) peer identification from Cisco branch routers. Up to now it has worked fine...

Policy Optimizer not available in PAN-OS 12.1

Hello there, with the brand-new PA-520 and PAN-OS 12.1.4-h3 is the Policy Optimizer missing (see my screenshots). I have found this info "(PAN-OS 12.1.2 and later versions) To ensure the best performance, customize your view to display the Policy Optimizer, only when you need it. The system fetches data for this component on-demand, which prev...

J.Dhling by L1 Bithead
  • 65 Views
  • 0 replies
  • 0 Likes

Commit Protection – Automatic Restore Point Before Every Commit

The ProblemAs network technicians, we all know that committing a configuration is the most critical action on a firewall.Most commits complete successfully.Sometimes they don't.A wrong static route, a Virtual Router change, an interface modification or an incorrect NAT rule can immediately affect the firewall after the commit.The firewall is sti...

Is there a way to configure Pan-OS to integrate with an ACME server for certificate enrollment?

Hello, I am working with an IPsec VPN setup on my Palo Alto Networks firewall and am currently using certificate-based authentication. My organization utilizes an internal Certificate Authority (CA) that supports ACME (Automatic Certificate Management Environment) for certificate enrollment. However, I haven't been able to find any resources or ...

Is 10.2.17 affected by CVE-2026-0287?

Hi, I'm looking into the new CVE-2026-0287, and I can't figure out if PAN-OS version 10.2.17 is affected.In the “Product Status” table, the following versions are listed as affected: "<10.2.7-h36, < 10.2.10-h39, < 10.2.13-h23, < 10.2.16-h9, < 10.2.18-h8“ and these others as unaffected ” >= 10.2.7-h36, >= 10.2.10-h39, >= 1...

G.Valfre by L0 Member
  • 103 Views
  • 0 replies
  • 0 Likes

"Use Default Browser" option not showing in Strata cloud manager

Hello Team, We have client firewall managed with strata cloud manager. We were trying to use the default browser for SAML authentication. When we checked that option on firewall under GlobalProtect Portal > Authentication >"Use Default Browser" it worked. But we had to do that locally, because we do not see similar option in strata cloud m...

Jagdeep1 by L2 Linker
  • 940 Views
  • 1 replies
  • 0 Likes

validation error "poe unexpected here"

I'm trying to push policy from Panorama (11.1.6) to a PA-440 (10.2.13). In Panorama, when looking at the config of an interface such as Ethernet1/1, it has a tick box for "PoE". However, on the same dialog on the PA-440 there is no PoE depicted. Now, when i try to push policy (whether PoE is ticked or not) it comes back with: Validation Error:n...

SCM management routing mode change failed

Hi, I’m trying to manage PA-460 from SCM, but I still get error, even after a factory reset. The firewall still disconnects and cannot complete bootsrap process, but SCM receive telemetry data. I also try to change [routing mode] to advanced routing, same result. PAN OS version is 11.1.6-h3 (preferred) Strata cloud management essential No str...

JTurcotte_0-1745857522021.png
JTurcotte_1-1745857534120.png

PA-VM KVM 10.2.5 Trial Setup Issues

Hi community, I'm trying to set up a PA-VM KVM lab in GNS3 on a native Ubuntu 26.04 host and running into an issue, Hoping someone with GNS3 + KVM experience can point me in the right direction. --- ENVIRONMENT- Host: Ubuntu 26.04 LTS bare metal (dual-boot, not a VM)- QEMU version: 10.2.1 (Debian 1:10.2.1+ds-1ubuntu3.1)- GNS3 version: 2.2.59- KV...

I see a log indicating that the number of hints exceeded 5,000 after the OS upgrade.

Hello Team, After upgrading the OS (11.1.6-h10 -> 11.1.13-h7), hint-related logs are appearing in the system logs. I am aware of the cause. I am not using Panorama, and the log forwarding profile has "Panorama" checked as the forwarding method, with this profile applied to the policy. However, despite having the same configuration, hint-r...

SangHoonLee_0-1782434882221.png

Global Protect is having issues with newer MACOS version.

Hi, I have problems trying to sign in some mac users that are running some SEQUOIA and TAHOE version, the only version that is working is 15.7.4 Sequoia version. It seems that the gl client is unable to authenticate. I checked in logs and it seems that the gp client is not able to open a .dat file 04/15/2026 17:06:14:954 [Info ]: Portal pre...

  • 1601 Posts
  • 61 Subscriptions