Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4599 Views
  • 0 replies
  • 1 Likes

Understanding Inline Cloud Analysis C2 Detections and False Positives in Cortex XDR

Hi everyone, I am currently investigating several Cortex XDR incidents that originate from Palo Alto Networks Firewall Security Profiles, specifically detections related to Inline Cloud Analysis, Anti-Spyware C2 classifications. What I am trying to better understand is why a relatively large amount of legitimate-looking web traffic is being clas...

NAT policy conversion

Hello, I'm currently converting the Cisco ASA's configuration to Palo Alto. So in Cisco ASA, the NAT policy is configured as follows: object network VMA nat (ADM,inside) static 10.15.65.3 So if I get it right, this policy means that the traffic from the source VMA and source interface is ADM which is an object already created to destination an...

[SOLVED User-ID Domain Mismatch]: Resolving Domain's Conflicts Between Prisma Access GlobalProtect (CIE) and On-Premises Server Monitoring

Hello LiveCommunity Team! I created this post to share my experience regarding an issue involving the User-ID domain mapping issue between the Prisma Access Mobile Users GlobalProtect conflict with the NGFW On-Premises. The conflict arises when an On-Premises NGFW and Prisma Access GlobalProtect use different user identity sources and domain N...


Resolved! basic network, complex problem (please help)

Hello Everyone! I have encountered an issue with my network testing environment and would like to ask for your opinion. I wanted to test for connectivity in my environment so the only policy rule is a full any/any on any service with action allow, so it overshadows everything. My layout is such: eth1/4 192.168.1.1/24 eth1/14.1 192.168.20.1/24 eth1/1...

Delaying upgrade between an HA pair

Does anyone successfully perform their HA firewall upgrades in this manner? 1. Upgrade the Secondary (passive) firewall. 2. Make Secondary firewall Active. 3. Wait 1 or more days. 4. Upgrade the Primary (now passive) firewall. 5. Make the Primary firewall active. It would bring us a lot more comfort knowing that we can easily switch to a different...

jambulo by L4 Transporter
  • 193 Views
  • 1 replies
  • 0 Likes

Using ethernet 1/1 - 1/12 for 10Gbps connections on a pa-3400 series firewall

The spec on pa-3410 front panel states "Ethernet ports 1 through 12 - Twelve RJ-45 10Mbps/100Mbps/1Gbps/2.5Gbps/5Gbps/10Gbps ports for network traffic." Is the speed determined by auto-negotiation? I assume one has to use cat6 copper cable for 2.5Gbps and higher. Can these ports be used for HA? Has anybody used these interfaces to connect to C...

[SOLVED] NORDLAYER VPN USERS LOSS INTERNET ACCESS BEHIND AN NGFW IT WORKS ONLY CHANGING THE MTU

Hello LiveCommunity Team! I created this post to share my experience regarding an issue involving the NordLayer VPN for internal users behind an NGFW causing them to lose their entire Internet connectivity after 5 minutes: Steps taken to resolve the issue: 1- Verify the NordLayer virtual adapter MTU: On the laptop, I check the MTU value of the virtual ad...


[FIREWALL] - Commit Issue

Hi everyone, I'd like to request support for a recent problem I'm having. I have one cluster with two Palo Alto firewalls, one of which was recently updated to version 11.1.13-h5 and is currently active, while the other is on version 11.1.13 and is passive. The environment is currently in this state because we are still validating version 11.1.1...


CVE-2026-0261 PAN-OS_ Authenticated Admin Command Injection Vulnerability

Attention: Global TPM team, In the Security Advisory referenced in the subject, is it correct to understand that the behavior of the vulnerability exploitation by an authenticated administrator does not differ depending on the assigned role? Or does the behavior vary depending on the role of the authenticated administrator?

EDL Performance and Refresh Handling in Panorama

Hello, We are reviewing an EDL-based IOC blocking architecture using Palo Alto Networks firewalls with Panorama and Cortex XDR. Currently, IOC blocking is managed mainly with address objects/groups, but we are considering migrating to EDL-only management for operational simplicity and external emergency response through Cortex XDR. I would appre...

.522643 by L1 Bithead
  • 351 Views
  • 3 replies
  • 0 Likes

Multi-VSYS 11.2.8 - How to assign a dedicated Forward Trust Certificate per VSYS for SSL Decryption

Hi everyone, I’m running PAN-OS 11.2.8 with Multi-VSYS enabled (3 VSYS). I need a different Forward Trust Certificate per VSYS for SSL decryption, but since my certificates are imported in the Shared store, I can only select one Forward Trust Certificate globally. Should I import the certificates directly at the VSYS level instead of Shared to fix...

Palo Windows ARP Issue - Windows Hosts Not Installing ARP info

Hello, We have a random issue with Windows 11 Enterprise (10.0.26200) hosts not installing ARP reply from a stack of PAs running 10.2.7-h8. I have captured the traffic with the (non ip) filter and I can see the ARP requests and the replies. The hosts are sourcing DHCP from a PA interface with standard options for mask, default gateway and dom...

NSutfin by L2 Linker
  • 420 Views
  • 2 replies
  • 0 Likes
  • 1587 Posts
  • 61 Subscriptions