Device Settings: Device Setup
Strata Cloud Manager

Learn about the device setup tables for cloud managed NGFWs.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
What Do I Need?
  • Strata Cloud Manager Pro
Use Device Setup to configure the following settings for your Strata Cloud Manager managed NGFWs.

Device Setup (Management)

Learn about the device setup management tabs.
In Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access and set the Configuration Scope to the folder or NGFW you wish to configure. From the scope of your folder or NGFW, select Device Settings > Device Setup > Management.

General Settings

Domain
Enter the name of the network domain for the NGFW (up to X characters).
Login Banner
Enter text (up to X characters) to display on the login page below the Name and Password fields.
Force Admins to Acknowledge Login Banner
Select this option to display I Accept and Acknowledge the Statement Below above the login banner on the login page and to require administrators to select it, confirming that they understand and accept the contents of the message, before they can log in.
SSL/TLS Service Profile
Assign an existing SSL/TLS service profile or create a new one to specify a certificate and the SSL/TLS protocol settings allowed on the management interface (see Objects > Certificate Management > SSL/TLS Service Profile).
Time Zone
Select the time zone of the NGFW.
Locale
Select a language for the NGFW.
Latitude
Enter the latitude (-90.0 to 90.0) of the NGFW.
Longitude
Enter the longitude (-180.0 to 180.0) of the NGFW.
Automatically Acquire Commit Lock
Select this option to automatically apply a commit lock when you change the candidate configuration.
Certificate Expiration Check
Instruct Strata Cloud Manager to create warning messages when on-box certificates approach their expiration date. This option is enabled by default.
Use Hypervisor Assigned MAC Addresses
Select this option to have the VM-Series NGFW use the MAC address that the hypervisor assigned, instead of generating a MAC address using the PAN-OS custom schema.
If you enable this option and use an IPv6 address for the interface, the interface ID cannot use the EUI-64 format, which derives the IPv6 address from the interface MAC address. In a high availability (HA) active/passive configuration, a commit error occurs if you use the EUI-64 format.
Tunnel Acceleration
Select this option to improve performance and throughput for traffic going through GRE tunnels, VXLAN tunnels, and GTP-U tunnels. This option is enabled by default.
Fail Open
Certain NGFW models have fail-open ports that can be configured to provide a pass-through connection in the event of a power or operating system failure. This feature is disabled by default and must be enabled explicitly.

Service Route Settings

Use Management Interface for All
Configure your device to route all management traffic (such as updates, logging, and administrative access) through the dedicated management interface instead of through your regular data interfaces. This keeps your management traffic separate from your network traffic.
Customize
Allows you to manually specify which types of management traffic use the management interface and which use your data interfaces. This gives you granular control over how different services communicate.
IPv4s
The IPv4 address or address range that your device uses for routing management service traffic. Specify an individual IP address or a subnet, depending on your network configuration.
Destinations
Enter the destination IP address to which your device sends management traffic (such as a DNS server, update server, or log collector). This determines where your device routes different types of administrative communications.

Management Interface Settings

Speed
Configure a data rate and duplex option for the interface. The choices include 10 Mbps, 100 Mbps, and 1 Gbps at full or half duplex. Use the default autonegotiate setting to have Strata Cloud Manager determine the interface speed.
MTU
Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576 to 1,500; default is 1,500).
IP Type
Static—Manually enter the IPv4 or IPv6 address (or both) and one or more default gateways, which are described further down in this table.
DHCP Client—Configures the MGT interface as a DHCP client so that the NGFW can send DHCP Discover or Request messages to find a DHCP server. The server responds by providing an IP address (IPv4), netmask (IPv4), and default gateway for the MGT interface. DHCP on the MGT interface is turned off by default for the VM-Series NGFW (except for the VM-Series NGFW in AWS and Azure). If you select DHCP Client, optionally select either or both of the following Client Options:
  • Send Hostname—Causes the MGT interface to send its hostname to the DHCP server as part of DHCP Option 12.
  • Send Client ID—Causes the MGT interface to send its client identifier as part of DHCP Option 61.
IP Address
Assign an IP address to the interface. Alternatively, you can assign the IP address of a loopback interface for NGFW management. By default, the IP address you enter is the source address for log forwarding.
Netmask
If you assigned an IPv4 address to the interface, you must also enter a network mask (for example, 255.255.255.0).
Default Gateway
If you assigned an IPv4 address to the interface, you must also assign an IPv4 address to the default gateway (the gateway must be on the same subnet as the interface).
Administrative Management Services
  • HTTP—Use this service to access the NGFW web interface. HTTP uses plaintext, which is not as secure as HTTPS. Therefore, Palo Alto Networks recommends that you enable HTTPS instead of HTTP for management traffic on the interface.
  • Telnet—Use this service to access the NGFW CLI. Telnet uses plaintext, which is not as secure as SSH. Therefore, Palo Alto Networks recommends that you enable SSH instead of Telnet for management traffic on the interface.
  • HTTPS—Use this service for secure access to the NGFW web interface.
  • SSH—Use this service for secure access to the NGFW CLI.
Network Services
Select the services you want to enable on the interface:
  • HTTP OCSP—Use this service to configure the NGFW as an Online Certificate Status Protocol (OCSP) responder. For details, see Device > Certificate Management > OCSP Responder.
  • Ping—Use this service to test connectivity with external services. For example, you can ping the interface to verify it can receive PAN-OS software and content updates from the Palo Alto Networks Update Server. In a high availability (HA) deployment, HA peers use ping to exchange heartbeat backup information.
  • SNMP—Use this service to process NGFW statistics queries from an SNMP manager. For details, see Enable SNMP Monitoring.
  • User-ID—Use this service to enable redistribution of user mappings among NGFWs.
  • User-ID Syslog Listener-SSL—Use this service to enable the PAN-OS integrated User-ID™ agent to collect syslog messages over SSL. For details, see Configure Access to Monitored Servers.
  • User-ID Syslog Listener-UDP—Use this service to enable the PAN-OS integrated User-ID agent to collect syslog messages over UDP. For details, see Configure Access to Monitored Servers.
Permitted IP Addresses
Enter the IP addresses from which administrators can access the NGFW through the interface. An empty list (default) specifies that access is available from any IP address.

Services

Services
Update Server
Enter the hostname or IP address of the update server that provides software updates, security patches, and configuration updates for the device.
Verify Update Server Identity
Enable the NGFW to verify that the server from which the software or content package is downloaded has an SSL certificate signed by a trusted authority. This helps prevent man-in-the-middle attacks and ensures that updates come from trusted sources.
DNS Settings
Choose the type of DNS service—Servers or DNS Proxy Object—for all DNS queries that the NGFW initiates in support of FQDN address objects, logging, and NGFW management. Options include:
  • Primary and secondary DNS servers to provide domain name resolution.
  • A DNS proxy configured on the NGFW as an alternative to configuring DNS servers. If you enable a DNS proxy, you must enable Cache and EDNS Cache Responses (see Manage > Configuration > NGFW and Prisma Access > Security Services > DNS Security).
Primary DNS Server
Enter the IP address of the primary DNS server for DNS queries from the NGFW, for example, to find the update server, to resolve DNS entries in logs, or to resolve FQDN-based address objects.
Secondary DNS Server
(Optional) Enter the IP address of a secondary DNS server to use if the primary server is unavailable.
Encrypted DNS Connection Type
Specify the encryption protocol for DNS queries (for example, DNS-over-HTTPS or DNS-over-TLS) to protect DNS traffic from eavesdropping and tampering.
Fallback on Unencrypted DNS
Enable this option to let the device fall back to standard unencrypted DNS queries if encrypted DNS connections fail. This may compromise privacy but ensures connectivity.
TCP Timeout (sec)
Specify the maximum time in seconds to wait for a TCP-based DNS query response before considering it failed and retrying or falling back to alternative servers.
Minimum FQDN Refresh Time (sec)
Set a floor on how fast the NGFW refreshes FQDNs that it receives from a DNS server. The NGFW refreshes an FQDN based on the TTL of the FQDN as long as the TTL is greater than or equal to this Minimum FQDN Refresh Time (in seconds). If the TTL is less than this Minimum FQDN Refresh Time, the NGFW refreshes the FQDN based on this Minimum FQDN Refresh Time instead (that is, the NGFW does not honor TTLs shorter than this setting). The timer starts when the NGFW receives a DNS response from the DNS server or DNS proxy object resolving the FQDN (range is 0 to 14,400; default is 30). A setting of 0 means the NGFW refreshes the FQDN based on the TTL value in the DNS response and does not enforce a minimum FQDN refresh time.
FQDN Stale Entry Timeout (min)
Specify the length of time (in minutes) that the NGFW continues to use stale FQDN resolutions in the event of a network failure or unreachable DNS server, that is, when an FQDN is not getting refreshed (range is 0 to 10,080; default is 1,440). A value of 0 means the NGFW does not continue to use a stale entry. If the DNS server is still unreachable at the end of the stale timeout, the FQDN entry becomes unresolved (stale resolutions are removed).
Server
If the NGFW needs to use a proxy server to reach Palo Alto Networks update services, enter the IP address or host name of the proxy server.
Port
Enter the port for the proxy server.
User
Enter the username for the administrator to enter when accessing the proxy server.
Password/Confirm Password
Enter and confirm the password for the administrator to enter when accessing the proxy server.
Proxy for Cloud Services
Enable all communication with cloud-based services (such as software updates, telemetry, licensing servers, and remote management platforms) to be routed through the specified proxy server rather than connecting directly to the internet.
This is commonly required in corporate environments where direct internet access is restricted or where traffic inspection is mandatory for security compliance.
Proxy for Inline Cloud Services
Separate proxy configuration specifically for inline cloud services that may require different routing or authentication than general cloud services.
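The interaction between Minimum FQDN Refresh Time and FQDN Stale Entry Timeout is easier to see as code. The following Python is an added illustration, not Palo Alto Networks code: it models the documented rules (a refresh interval of max(TTL, minimum), a minimum of 0 meaning "honor the TTL as-is", and a stale window of 0 meaning "never use a stale answer"). Two details are assumptions of this model: the stale window is counted from the moment a refresh first came due and failed, and a successful "refresh" only restarts the timer instead of issuing a real DNS query. The hostname and addresses in the test are constructed sample values.

```python
"""FQDN refresh timing and stale-entry handling, modelled on the Minimum FQDN
Refresh Time and FQDN Stale Entry Timeout settings (added illustration, not
Palo Alto Networks code)."""
from dataclasses import dataclass
from typing import List, Optional


def next_refresh_seconds(ttl: int, min_refresh: int) -> int:
    """Seconds after a DNS answer with `ttl` until the NGFW refreshes the FQDN.

    min_refresh is the Minimum FQDN Refresh Time (range 0 to 14,400; default 30).
    0 disables the floor, so the TTL is honored as-is; otherwise TTLs shorter
    than the minimum are stretched up to it.
    """
    if not 0 <= min_refresh <= 14400:
        raise ValueError("Minimum FQDN Refresh Time must be 0 to 14,400 seconds")
    if ttl < 0:
        raise ValueError("TTL cannot be negative")
    return ttl if min_refresh == 0 else max(ttl, min_refresh)


@dataclass
class FqdnEntry:
    """One resolved FQDN: the answer, when it arrived, and its TTL."""
    name: str
    addresses: List[str]
    resolved_at: float  # epoch seconds of the last successful DNS answer
    ttl: int


def addresses_in_use(entry: FqdnEntry, now: float, min_refresh: int,
                     stale_timeout_min: int, dns_reachable: bool) -> Optional[List[str]]:
    """Addresses the NGFW would use for `entry` at time `now`, or None once the
    FQDN has become unresolved.

    stale_timeout_min is the FQDN Stale Entry Timeout (range 0 to 10,080
    minutes; default 1,440). 0 means a stale answer is never used.
    """
    if not 0 <= stale_timeout_min <= 10080:
        raise ValueError("FQDN Stale Entry Timeout must be 0 to 10,080 minutes")
    due = entry.resolved_at + next_refresh_seconds(entry.ttl, min_refresh)
    if now < due:
        return entry.addresses  # still fresh; no refresh needed yet
    if dns_reachable:
        entry.resolved_at = now  # refresh succeeded: restart the timer (model assumption)
        return entry.addresses
    # Refresh failed: the answer is now stale. Keep using it only inside the
    # stale window, counted from when the refresh came due (model assumption).
    stale_minutes = (now - due) / 60.0
    if stale_timeout_min == 0 or stale_minutes > stale_timeout_min:
        return None  # stale resolution removed; the FQDN is unresolved
    return entry.addresses


if __name__ == "__main__":
    # Constructed sample: a 60-second TTL answer received at t=0.
    entry = FqdnEntry("updates.example.test", ["192.0.2.10"], 0.0, 60)
    print(next_refresh_seconds(5, 30))                           # TTL 5 is stretched to 30
    print(addresses_in_use(entry, 100.0, 30, 1440, False))       # stale but inside window
    print(addresses_in_use(entry, 100.0, 30, 0, False))          # stale window of 0: unresolved
```

A practical consequence worth checking in a lab: with the default stale timeout of 1,440 minutes, a rule that references an FQDN address object keeps matching the last known addresses for a full day after DNS becomes unreachable, which is the intended fail-safe but also means a retired address can stay in policy for that long.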

Identity Settings

Collector Interface
Specify the network interface designated for collecting and aggregating log data, telemetry, and monitoring information from network traffic or connected devices.

Dynamic Updates Scheduler

Recurrence
Define the schedule pattern (daily, weekly, monthly) for automated tasks such as updates, backups, or maintenance operations.
Minutes Past Hour
Specify the exact minute offset within each hour when scheduled tasks should execute (for example, 15 minutes past every hour runs at 1:15, 2:15, and so on).
Action
Download Only—Strata Cloud Manager downloads the scheduled update. You must manually install the update on NGFWs and Log Collectors.
Download and Install—Strata Cloud Manager downloads and automatically installs the scheduled update.
Download and SCP—Strata Cloud Manager downloads and transfers the content update package to the specified SCP server.
Disable New Apps in Content Update (Applications and Threats)
You can disable new apps in content updates only if you set the update Type to App or App and Threat and only if Action is set to Download and Install.
Select to disable applications in the update that are new relative to the last installed update. This protects against the latest threats while giving you the flexibility to enable the applications after preparing any policy updates. Then, to enable applications, log in to the NGFW, select Device > Dynamic Updates, click Apps in the Features column to display the new applications, and click Enable/Disable for each application you want to enable.
Threshold (hours)
The time duration in hours that must elapse before a specified action is triggered or a condition is considered met.
New App-ID Threshold (hours) (Applications and Threats)
Specify the window in hours during which newly discovered application identifiers are considered "new" before being integrated into standard threat detection processes.
Sync to Peer
Enables synchronization of configuration, policies, or state information with peer devices in a high-availability or clustered deployment.

Authentication and Accounting Settings

Authentication Profile
Select the authentication profile (or sequence) the NGFW uses to authenticate administrative accounts that you define on an external server instead of locally on the NGFW (see Device > Authentication Profile). When external administrators log in, the NGFW requests authentication and authorization information (such as the administrative role) from the external server.
Authentication Profile (Non-UI)
Specify the authentication method and credentials used for programmatic or API-based access that doesn't involve the web user interface.
Certificate Profile
Select a certificate profile to verify the client certificates of administrators who are configured for certificate-based access to the NGFW web interface. For instructions on configuring certificate profiles, see
Accounting Server Profile
Configure the RADIUS or TACACS+ accounting servers that log user authentication events, session duration, and resource usage for auditing purposes.
Idle Timeout (min)
Enter the maximum time (in minutes) without any activity on the web interface or CLI before an administrator is automatically logged out (range is 0 to 1,440; default is 60). A value of 0 means that inactivity does not trigger an automatic logout.
API Key Lifetime (min)
Enter the length of time (in minutes) for which the API key is valid (range is 0 to 525,600; default is 0). A value of 0 means that the API key never expires.
Select Expire All API Keys to invalidate all previously generated API keys. Use this option with caution: all existing keys are rendered useless, and any operation that is currently using those API keys stops functioning.
API Key Certificate
Select a certificate that will use the PAN-OS device certificate management function to encrypt the API key.
Failed Attempts
Enter the number of failed login attempts (0 to 10) that the NGFW allows for the web interface and CLI before locking out the administrator account. A value of 0 specifies unlimited login attempts. The default value is 0 for NGFWs in normal operational mode and 10 for NGFWs in FIPS-CC mode. Limiting login attempts can help protect the NGFW from brute force attacks.
Lockout Time (min)
Enter the number of minutes (range is 0 to 60) for which the NGFW locks out an administrator from access to the web interface and CLI after reaching the Failed Attempts limit. A value of 0 (default) means the lockout applies until another administrator manually unlocks the account.
Max Session Count (number)
Enter the number of concurrent sessions allowed for all administrator and user accounts (range is 0 to 4). A value of 0 (default) means that an unlimited number of concurrent sessions is allowed.
Max Session Time (min)
Enter the number of minutes (range is 60 to 1,499) that an active, non-idle administrator can remain logged in. Once this max session time is reached, the session is terminated and requires re-authentication to begin another session. The default value is 0 (30 days), which cannot be entered manually. If no value is entered, the Max Session Time defaults to 0.
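Because both Failed Attempts and Lockout Time treat 0 as a special value ("unlimited" and "until manually unlocked" respectively), it is worth stating the combined behavior precisely. The following Python is an added illustration, not Palo Alto Networks code: it models an account lockout counter under those two settings. Assumptions of the model: a successful login resets the failure counter, an expired timed lockout also resets it, and the usernames and timestamps are constructed sample values.

```python
"""Administrator lockout logic modelled on the Failed Attempts and Lockout Time
settings (added illustration, not Palo Alto Networks code)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    failed_attempts: int = 0  # 0..10; 0 = unlimited attempts (10 is the FIPS-CC default)
    lockout_minutes: int = 0  # 0..60; 0 = locked until another admin unlocks the account

    def __post_init__(self) -> None:
        if not 0 <= self.failed_attempts <= 10:
            raise ValueError("Failed Attempts must be 0 to 10")
        if not 0 <= self.lockout_minutes <= 60:
            raise ValueError("Lockout Time must be 0 to 60 minutes")


@dataclass
class AccountState:
    failures: int = 0
    locked_at: Optional[float] = None  # epoch seconds; None = not locked


class AdminLockout:
    """Tracks failed logins per administrator and applies the lockout policy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.policy.lockout_minutes == 0:
            return True  # Lockout Time 0: stays locked until unlock() is called
        if now - st.locked_at >= self.policy.lockout_minutes * 60:
            st.locked_at = None  # timed lockout expired (model assumption: counter resets too)
            st.failures = 0
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one login attempt and return 'ok', 'denied' or 'locked'."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"  # even a correct password is refused while locked
        if password_ok:
            st.failures = 0  # model assumption: success clears the counter
            return "ok"
        st.failures += 1
        limit = self.policy.failed_attempts
        if limit and st.failures >= limit:  # limit 0 means unlimited attempts
            st.locked_at = now
            return "locked"
        return "denied"

    def unlock(self, user: str) -> None:
        """Manual unlock by another administrator."""
        st = self._state(user)
        st.locked_at = None
        st.failures = 0


if __name__ == "__main__":
    # Constructed sample: three bad passwords under a 3-attempt, manual-unlock policy.
    guard = AdminLockout(LockoutPolicy(failed_attempts=3, lockout_minutes=0))
    for t in range(3):
        print(guard.attempt("admin", False, float(t)))   # denied, denied, locked
    print(guard.attempt("admin", True, 3.0))             # locked: manual unlock required
```

Note what the default of 0/0 in normal operational mode implies: unlimited attempts with no lockout, so the Failed Attempts value is the setting to change first when hardening administrative access on a unit that is not in FIPS-CC mode.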

Aux1 and Aux2 Interface Settings

Enable Interface
Activates or deactivates the specified network interface for data transmission.
IP Address
Assign an IP address to the interface. Alternatively, you can assign the IP address of a loopback interface for NGFW management. By default, the IP address you enter is the source address for log forwarding.
Netmask
If you assigned an IP address to the interface, you must also enter a network mask (for example, 255.255.255.0).
Default Gateway
If you assigned an IP address to the interface, you must also assign an IPv4 address to the default gateway (the gateway must be on the same subnet as the interface).
Speed
Configure a data rate and duplex option for the interface. The choices include 10 Mbps, 100 Mbps, and 1 Gbps at full or half duplex. Use the default auto-negotiate setting to have the NGFW determine the interface speed.
MTU
Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576 to 1,500; default is 1,500).
Administrative Management Services
  • HTTP—Use this service to access the NGFW web interface. HTTP uses plaintext, which is not as secure as HTTPS. Therefore, Palo Alto Networks recommends that you enable HTTPS instead of HTTP for management traffic on the interface.
  • Telnet—Use this service to access the NGFW CLI. Telnet uses plaintext, which is not as secure as SSH. Therefore, Palo Alto Networks recommends that you enable SSH instead of Telnet for management traffic on the interface.
  • HTTPS—Use this service for secure access to the NGFW web interface.
  • SSH—Use this service for secure access to the NGFW CLI.
Network Services
Select the services you want to enable on the interface:
  • HTTP OCSP—Use this service to configure the NGFW as an Online Certificate Status Protocol (OCSP) responder. For details, see Device > Certificate Management > OCSP Responder.
  • Ping—Use this service to test connectivity with external services. For example, you can ping the interface to verify it can receive PAN-OS software and content updates from the Palo Alto Networks Update Server. In a high availability (HA) deployment, HA peers use ping to exchange heartbeat backup information.
  • SNMP—Use this service to process NGFW statistics queries from an SNMP manager. For details, see Enable SNMP Monitoring.
  • User-ID—Use this service to enable redistribution of user mappings among NGFWs.
  • User-ID Syslog Listener-SSL—Use this service to enable the PAN-OS integrated User-ID™ agent to collect syslog messages over SSL. For details, see Configure Access to Monitored Servers.
  • User-ID Syslog Listener-UDP—Use this service to enable the PAN-OS integrated User-ID agent to collect syslog messages over UDP. For details, see Configure Access to Monitored Servers.
Permitted IP Addresses
Enter the IP addresses from which administrators can access the NGFW through the interface. An empty list (default) specifies that access is available from any IP address.

Banners and Messages

Message of the Day
Select this option to enable the Message of the Day dialog to display when an administrator logs in to the web interface.
Enter the text (up to 3,200 characters) for the Message of the Day dialog.
Allow Do Not Display Again
Select this option (disabled by default) to include a Do not show again option in the Message of the Day dialog. This gives administrators the option to avoid seeing the same message in subsequent logins.
Title
Enter text for the Message of the Day header (default is Message of the Day).
Background Color
Select a background color for the Message of the Day dialog. The default (None) is a white background.
Icon
Select a predefined icon to appear above the text in the Message of the Day dialog:
  • None (default)
  • Error
  • Help
  • Information
  • Warning
Header Banner
Enter the text that the header banner displays (up to 3,200 characters).
Header Color
Select a color for the header background. The default (None) is a transparent background.
Header Text Color
Select a color for the header text. The default (None) is black.
Same Banner for Header and Footer
Select this option (enabled by default) if you want the footer banner to have the same text and colors as the header banner. When enabled, the fields for the footer banner text and colors are grayed out.
Footer Banner
Enter the text that the footer banner displays (up to 3,200 characters).
Footer Color
Select a color for the footer background. The default (None) is a transparent background.
Footer Text Color
Select a color for the footer text. The default (None) is black.

SNMP Settings

Physical Location
Specify the physical location of the NGFW. When a log or trap is generated, this information allows you to identify (in an SNMP manager) the NGFW that generated the notification.
Contact
Enter the name or email address of the person responsible for maintaining the NGFW. This setting is reported in the standard system information MIB.
Use Event-Specific Trap Definitions
This option is selected by default, which means the NGFW uses a unique OID for each SNMP trap based on the event type. If you clear this option, every trap has the same OID.
Version
Select the SNMP version: V2c (default) or V3. Your selection controls the remaining fields that the dialog displays.
SNMP Community String (V2c)
Enter the community string, which identifies an SNMP community of SNMP managers and monitored devices and also serves as a password to authenticate the community members to each other when they exchange SNMP get (statistics request) and trap messages. The string can have up to 127 characters, accepts all characters, and is case-sensitive.
Don’t use the default community string public. Because SNMP messages contain community strings in clear text, consider the security requirements of your network when defining community membership (administrator access).
Views (V3)
You can assign a group of one or more views to the user of an SNMP manager to control which MIB objects (statistics) the user can get from the NGFW. Each view is a paired OID and bitwise mask: the OID specifies a MIB and the mask (in hexadecimal format) specifies which objects are accessible within (include matching) or outside (exclude matching) that MIB.
Users (V3)
SNMP user accounts provide authentication, privacy, and access control when NGFWs forward traps and SNMP managers get NGFW statistics. For each user, click Add and configure the following settings:
  • Users—Specify a username to identify the SNMP user account. The username you configure on the NGFW must match the username configured on the SNMP manager. The username can have up to 31 characters.
  • View—Assign a group of views to the user.
  • Auth Password—Specify the authentication password of the user. The NGFW uses the password to authenticate to the SNMP manager when forwarding traps and responding to statistics requests. The password must be 8 to 256 characters and all characters are allowed.
  • Priv Password—Specify the privacy password of the user. The password must be 8 to 256 characters and all characters are allowed.
  • Authentication Protocol—The NGFW uses a Secure Hash Algorithm (SHA) variant to hash the password:
    • SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
  • Privacy Protocol—The NGFW uses the privacy password and the Advanced Encryption Standard (AES) algorithm to encrypt SNMP traps and responses to statistics requests:
    • AES-128, AES-192, AES-256

Minimum Password Complexity

Enabled
Enable minimum password requirements for local accounts. With this feature, you can ensure that local administrator accounts on the NGFW adhere to a defined set of password requirements.
Password Format Requirements
There are no restrictions on any password field character sets.
Commonly used words and phrases are not allowed as passwords, regardless of any combination of upper and lower case letters.
Minimum Length
Require a minimum password length (range is 1 to 16 characters).
Minimum Uppercase Letters
Require a minimum number of uppercase letters (range is 0 to 16 characters).
Minimum Lowercase Letters
Require a minimum number of lowercase letters (range is 0 to 16 characters).
Minimum Numeric Letters
Require a minimum number of numeric characters (range is 0 to 16 numbers).
Minimum Special Characters
Require a minimum number of special (non-alphanumeric) characters (range is 0 to 16 characters).
Block Repeated Characters
Specify the number of sequential duplicate characters permitted in a password (range is 3 to 16).
If you set the value to 3, the password can contain the same character in sequence three times, but if the same character is used four or more times in sequence, the password is not permitted.
For example, if the value is set to 3, the system accepts the password test111 or 111test111, but not test1111, because the number 1 appears four times in sequence.
Block Username Inclusion (Including Reversed)
Select this option to prevent the account username (or a reversed version of the name) from being used in the password.
Functionality Requirements
Defines the operational and behavioral rules that passwords must follow beyond basic format complexity to ensure secure password management practices. This setting establishes functional constraints and policies for password usage.
New Password Differs by Character
When administrators change their passwords, the new password must differ from the old one by at least the specified number of characters.
Require Password Change on First Login
Select this option to prompt administrators to change their passwords the first time they log in to the NGFW.
Prevent and Reuse Limit
Require that a previous password is not reused, based on the specified count (range is 0 to 50). For example, if the value is set to 4, you cannot reuse any of your last 4 passwords.
Block Password Change Period (days)
Users cannot change their passwords until the specified number of days has elapsed (range is 0 to 365 days).
Required Password Change Period (days)
Require that administrators change their password on a regular basis (in days) (range is 0 to 365). For example, if the value is set to 90, administrators are prompted to change their password every 90 days. You can also set an expiration warning from 0 to 30 days and specify a grace period.
Expiration Warning Period (days)
If a Required Password Change Period is set, you can use this Expiration Warning Period to prompt users at each login to change their password when fewer than the specified number of days remain before the required change date (range is 0 to 30).
Post Expiration Admin Login Count
Allow the administrator to log in a specified number of times after the required change date (range is 0 to 3). For example, if you set this value to 3 and their account has expired, they can log in 3 more times without changing their password before their account is locked out.
Post Expiration Grace Period (days)
Allow the administrator to log in for a specified number of days after the account has expired (range is 0 to 30).
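The format and functionality rules above compose into a single check, and the Block Repeated Characters rule in particular is easy to get off by one. The following Python is an added illustration, not Palo Alto Networks code: it implements the checks this table describes (minimum counts, repeated-character runs, username inclusion including the reversed username, the differ-by-N rule, and the reuse limit) and returns the names of the violated rules. Assumptions of the model: a Block Repeated Characters value of 0 means the rule is off (the product range is 3 to 16), "special" means any non-alphanumeric character, the differ-by-N rule is computed position by position with extra length counting as differences, and the "commonly used words" blocklist is not modelled because its contents are not on this page. Usernames and passwords in the test are constructed sample values.

```python
"""Password policy check implementing the Minimum Password Complexity settings
(added illustration, not Palo Alto Networks code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class PasswordPolicy:
    minimum_length: int = 1             # 1..16
    minimum_uppercase: int = 0          # 0..16
    minimum_lowercase: int = 0          # 0..16
    minimum_numeric: int = 0            # 0..16
    minimum_special: int = 0            # 0..16, non-alphanumeric (model assumption)
    block_repeated_characters: int = 0  # product range 3..16; 0 = off (model assumption)
    block_username_inclusion: bool = False
    new_password_differs_by: int = 0    # minimum differing characters; 0 = off
    prevent_reuse_limit: int = 0        # 0..50 previous passwords; 0 = off


def longest_run(s: str) -> int:
    """Length of the longest run of one character in sequence (e.g. 'test1111' -> 4)."""
    best = run = 0
    prev: Optional[str] = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def characters_differing(old: str, new: str) -> int:
    """Position-by-position difference count; extra length counts as differences."""
    diff = sum(1 for a, b in zip(old, new) if a != b)
    return diff + abs(len(old) - len(new))


def check_password(policy: PasswordPolicy, username: str, new_password: str,
                   old_password: Optional[str] = None,
                   history: Iterable[str] = ()) -> List[str]:
    """Return the names of the rules `new_password` violates; empty means accepted."""
    p = new_password
    problems: List[str] = []
    if len(p) < policy.minimum_length:
        problems.append("Minimum Length")
    if sum(c.isupper() for c in p) < policy.minimum_uppercase:
        problems.append("Minimum Uppercase Letters")
    if sum(c.islower() for c in p) < policy.minimum_lowercase:
        problems.append("Minimum Lowercase Letters")
    if sum(c.isdigit() for c in p) < policy.minimum_numeric:
        problems.append("Minimum Numeric Letters")
    if sum(not c.isalnum() for c in p) < policy.minimum_special:
        problems.append("Minimum Special Characters")
    # A run of exactly N repeated characters is allowed; N+1 or more is not.
    if policy.block_repeated_characters and longest_run(p) > policy.block_repeated_characters:
        problems.append("Block Repeated Characters")
    if policy.block_username_inclusion:
        low, user = p.lower(), username.lower()
        if user in low or user[::-1] in low:
            problems.append("Block Username Inclusion (Including Reversed)")
    if old_password is not None and policy.new_password_differs_by:
        if characters_differing(old_password, p) < policy.new_password_differs_by:
            problems.append("New Password Differs by Character")
    if policy.prevent_reuse_limit:
        recent = list(history)[-policy.prevent_reuse_limit:]  # the last N passwords
        if p in recent:
            problems.append("Prevent and Reuse Limit")
    return problems


if __name__ == "__main__":
    # Constructed sample reproducing the documented Block Repeated Characters case.
    policy = PasswordPolicy(block_repeated_characters=3)
    for candidate in ("test111", "111test111", "test1111"):
        print(candidate, check_password(policy, "admin", candidate))
```

Returning the list of violated rule names rather than a bare boolean mirrors what an administrator needs from the UI: the specific requirement that was not met.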

LLDP

Enable
Enable the Link Layer Discovery Protocol (LLDP).
Transmit Interval (sec)
Specify the interval (in seconds) at which LLDPDUs are transmitted. Range is 1 to 3600; default is 30.
Transmit Delay (sec)
Specify the delay time (in seconds) between LLDP transmissions sent after a change is made in a TLV element.
The Transmit Delay must be less than the Transmit Interval. Range is 1 to 600; default is 2.
Hold Time Multiple
Specify a value that is multiplied by the Transmit Interval to determine the total TTL Hold Time. Range is 1 to 100; default is 4.
Notification Interval
Specify the interval (in seconds) at which LLDP Syslog Messages and SNMP Traps are transmitted when MIB changes occur. Range is 1 to 3600; default is 5.

Policy Rulebase Settings

Require Tag on Policies
Requires at least one tag when creating a new policy rule. If a policy rule already exists when you enable this option, you must add at least one tag the next time you edit the rule.
Require Description on Policies
Requires that you add a Description when you create a new policy rule. If a policy rule already exists when you enable this option, you must add a Description the next time you edit the rule.
Fail Commit if Policies Have No Tags or Descriptions
Forces your commit to fail if you do not add any tags or a description to the policy rule. If a policy rule already exists when you enable this option, the commit fails if no tag or description is added the next time you edit the rule.
To fail the commit, you must also enable Require Tag on Policies or Require Description on Policies.
Require Audit Comment on Policies
Requires an Audit Comment when creating a new policy rule. If a policy rule already exists when you enable this option, you must add an Audit Comment the next time you edit the rule.
Audit Comment Regular Expression
Specify a regular expression that audit comments must match.
Wildcard Top Down Match Mode
When Wildcard Top Down Match Mode is enabled and a packet matches Security policy rules that use a source or destination IP address with a wildcard mask, and the masks overlap, the NGFW chooses the first of those matching rules (in top-down order) that fully matches all address bits based on masking. The default is disabled; in the event of matching overlapping wildcard masks, the NGFW chooses the rule with the longest matching prefix in the wildcard mask.
Policy Rule Hit Count
Tracks how often traffic matches the policy rules you configured on the NGFW. When enabled, you can view the total Hit Count for traffic matches against each rule along with the date and time when the rule was Created, Modified, First Hit, and Last Hit.
Policy Application Usage
Define how security policies are applied to and enforced on network applications and traffic flows. This setting controls the scope and behavior of policy rules when evaluating application-specific traffic.
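The two selection modes described for Wildcard Top Down Match Mode give different answers for the same packet once wildcard masks overlap, which matters when auditing which rule a flow actually hit. The following Python is an added illustration, not Palo Alto Networks code: it evaluates a packet address against rules written as "address/wildcard-mask" and selects a rule in both modes. Assumptions of the model: a 0 bit in the wildcard mask means that bit must match and a 1 bit is ignored (Cisco-style wildcard semantics); "longest matching prefix" is read as the longest run of leading must-match (0) bits in the mask; ties fall back to top-down order. The rule names and addresses are constructed sample values.

```python
"""Rule selection for overlapping wildcard-mask addresses in both Wildcard Top
Down Match Mode settings (added illustration, not Palo Alto Networks code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    source: str  # "a.b.c.d/w.x.y.z": address and wildcard mask (constructed format)


def _parse(addr_mask: str) -> Tuple[int, int]:
    ip, mask = addr_mask.split("/")
    return int(ipaddress.IPv4Address(ip)), int(ipaddress.IPv4Address(mask))


def matches(addr_mask: str, packet_ip: str) -> bool:
    """True when every must-match bit (mask bit 0) of the packet address agrees
    with the rule address (model assumption: 1 bits are wildcards)."""
    ip, mask = _parse(addr_mask)
    pkt = int(ipaddress.IPv4Address(packet_ip))
    keep = ~mask & 0xFFFFFFFF  # bits that must match
    return (ip & keep) == (pkt & keep)


def must_match_prefix_length(addr_mask: str) -> int:
    """Number of leading 0 bits in the wildcard mask, i.e. the contiguous
    must-match prefix (model reading of 'longest matching prefix')."""
    _, mask = _parse(addr_mask)
    length = 0
    for bit in range(31, -1, -1):
        if (mask >> bit) & 1:
            break
        length += 1
    return length


def select_rule(rules: List[Rule], packet_ip: str, top_down: bool) -> Optional[Rule]:
    """Pick the rule the packet hits: first match in order (top_down=True) or the
    match with the longest must-match prefix (the default mode)."""
    candidates = [r for r in rules if matches(r.source, packet_ip)]
    if not candidates:
        return None
    if top_down:
        return candidates[0]
    # max() keeps the first candidate on ties, so order still breaks ties.
    return max(candidates, key=lambda r: must_match_prefix_length(r.source))


if __name__ == "__main__":
    # Constructed sample: a broad /16-style wildcard listed before a narrower one.
    rules = [
        Rule("allow-site-a", "10.1.0.0/0.0.255.255"),   # 10.1.*.*
        Rule("allow-host-range", "10.1.2.0/0.0.0.255"),  # 10.1.2.*
        Rule("allow-even-hosts", "10.1.2.0/0.0.0.254"),  # 10.1.2.<even>, non-contiguous mask
    ]
    for mode in (True, False):
        hit = select_rule(rules, "10.1.2.50", top_down=mode)
        print("top-down" if mode else "longest-prefix", "->", hit.name if hit else None)
```

With the sample rules, a packet from 10.1.2.50 hits allow-site-a in top-down mode but allow-host-range in the default longest-prefix mode (the non-contiguous 0.0.0.254 mask has the same 24-bit prefix as 0.0.0.255 and loses the tie on order). When reviewing a rulebase that uses wildcard masks, confirm which mode is configured before reasoning about which rule a flow matched.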

Log Interface

IP Address
Enter the IP address of the log interface port.
Netmask
Specify the network mask for the IP address of the log interface.
Default Gateway
Enter the IP address of the default gateway to provide the path for outgoing logs.
IPv6 Address
The IPv6 address of the log interface port.
IPv6 Default Gateway
The IPv6 address of the default gateway for the port.
Link Speed
Select the interface speed in Mbps or select auto (default) to have the NGFW automatically determine the speed based on the connection. For interfaces that have a non-configurable speed, auto is the only option.
Link Duplex
Select whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically (auto).
Link State
Select whether the interface status is enabled (up), disabled (down), or determined automatically based on the connection (auto). The default is auto.

Custom Logos

Login Screen
Upload an image for the login screen.
Main UI
Upload an image for the UI.
PDF Report Title Page
Upload an image for the report title page.
PDF Report Footer
Upload an image for the report footer.

PAN-OS Edge Service Settings

Enable User Context Cloud Service
Enable the service that the Cloud Identity Engine uses to communicate with your NGFW.
Enable Host Compliance Cloud Service
Activate the cloud-based host compliance monitoring service that continuously assesses and validates the security posture of endpoint devices connecting to the network.

SSH Management Profile Settings

Server Profile
A type of SSH service profile that applies to the SSH sessions for the CLI management connections on your network. To apply an existing server profile, select a profile, click OK, and Commit your change.

Logging and Reporting Settings

Improved DNS Logging
Enable enhanced DNS query logging that captures additional metadata such as query types, response codes, and client information for better security analysis.

ACE Settings

Disable App-ID Cloud Engine
Disable the App-ID Cloud Engine (ACE). ACE is enabled by default; to disable it, select this check box.

PAN-OS Security

Device Security Settings–System Behavior When Security Violation Detected
Define the device's response when security threats or policy violations are detected, such as blocking traffic, generating alerts, initiating quarantine procedures, or triggering automated remediation actions.

Device Setup (Session)

Learn about configuring the device setup Session settings.
In Strata Cloud Manager, select Configuration > NGFW and Prisma Access and set the Configuration Scope to the folder or NGFW you wish to configure. From the scope of your folder or NGFW, select Device Settings > Device Setup > Session.

Session Settings

Rematch All Sessions on Config Policy Change
Enable to cause the NGFW to apply newly configured security policy rules to sessions that are already in progress. This capability is enabled by default. If this setting is disabled, any policy rule change applies to only those sessions initiated after the change was committed.
For example, if a Telnet session started while an associated policy rule was configured that allowed Telnet, and you subsequently committed a policy rule change to deny Telnet, the NGFW applies the revised policy rule to the current session and blocks it.
ICMPv6 Token Bucket Size
Enter the bucket size for rate limiting of ICMPv6 error messages. The token bucket size is a parameter of the token bucket algorithm that controls how bursty the ICMPv6 error packets can be (range is 10 to 65,535 packets; default is 100).
ICMPv6 Error Packet Rate (per sec)
Enter the average number of ICMPv6 error packets per second allowed globally through the NGFW (range is 10 to 65,535; default is 100). This value applies to all interfaces. If the NGFW reaches the ICMPv6 error packet rate, the ICMPv6 token bucket is used to enable throttling of ICMPv6 error messages.
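To see how the two ICMPv6 settings interact (bucket size bounds the burst, rate bounds the sustained average), here is an added token-bucket model written for this page; it is not Palo Alto Networks code, and it assumes textbook token-bucket semantics with the page's defaults and ranges. The traffic timestamps are constructed.

```python
"""Token-bucket model of the ICMPv6 error-message rate limiter described above.

Added example, not Palo Alto Networks code. Assumed semantics: the bucket holds
at most `bucket_size` tokens and refills at `rate` tokens per second; each
ICMPv6 error message consumes one token, and a message that finds the bucket
empty is throttled (dropped).
"""


class TokenBucket:
    def __init__(self, bucket_size: int = 100, rate: float = 100.0):
        # Page ranges: bucket size 10..65,535 packets, rate 10..65,535 per second.
        if not 10 <= bucket_size <= 65535 or not 10 <= rate <= 65535:
            raise ValueError("bucket size and rate must be within 10..65,535")
        self.bucket_size = bucket_size
        self.rate = float(rate)
        self.tokens = float(bucket_size)  # bucket starts full, so a burst of up to
        self.last = 0.0                   # bucket_size messages passes immediately

    def allow(self, now: float) -> bool:
        """Return True if an ICMPv6 error message at time `now` (seconds) may be sent."""
        elapsed = max(0.0, now - self.last)  # ignore out-of-order timestamps
        self.last = max(self.last, now)
        # Refill proportionally to elapsed time, never above the bucket size.
        self.tokens = min(float(self.bucket_size), self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(bucket_size: int, rate: float, timestamps) -> tuple:
    """Feed a sequence of ICMPv6 error-message timestamps (seconds, ascending)
    through one bucket and return (sent, throttled)."""
    bucket = TokenBucket(bucket_size, rate)
    sent = throttled = 0
    for t in timestamps:
        if bucket.allow(t):
            sent += 1
        else:
            throttled += 1
    return sent, throttled


# Constructed traffic: 150 ICMPv6 errors in one burst at t=0, then 20 more at
# t=1.0, by which time one second at the default rate has refilled 100 tokens.
BURST = [0.0] * 150 + [1.0] * 20

if __name__ == "__main__":
    print(simulate(100, 100, BURST))  # defaults: 120 sent, 50 throttled
```

With the defaults, the first 100 messages of the burst pass and the remaining 50 are throttled; lowering the bucket size limits the burst without changing the sustained rate.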
Enable IPv6 NGFWing
Enable the NGFW capabilities for IPv6 traffic.
The NGFW ignores all IPv6-based configurations if you do not enable IPv6 NGFWing. Even if you enable IPv6 traffic on an interface, you must also enable the IPv6 NGFWing option for IPv6 NGFWing to function.
Enable ERSPAN Support
Enable the NGFW to terminate Generic Routing Encapsulation (GRE) tunnels and decapsulate Encapsulated Remote Switched Port Analyzer (ERSPAN) data. This is useful for Security services like IoT Security. Network switches mirror network traffic and use ERSPAN to send it to the NGFW through GRE tunnels. After decapsulating the data, the NGFW inspects it similar to how it inspects traffic received on a TAP port. It then creates enhanced application logs (EALs) and traffic, threat, WildFire, URL, data, GTP (when GTP is enabled), SCTP (when SCTP is enabled), tunnel, auth, and decryption logs. The NGFW forwards these logs to the logging service where IoT Security accesses and analyzes the data.
Enable Jumbo Frame
Select to enable jumbo frame support on Ethernet interfaces. Jumbo frames have a maximum transmission unit (MTU) of 9,192 bytes and are available only on certain models.
  • If you do not Enable Jumbo Frame, the Global MTU defaults to 1,500 bytes (range is 576 to 1,500).
  • If you Enable Jumbo Frame, the Global MTU defaults to 9,192 bytes (range is 9,192 to 9,216 bytes).
Enable DHCP Broadcast Session
If your NGFW is acting as a DHCP server, select this option to enable session logs for DHCP broadcast packets. The DHCP Broadcast Session option enables generation of Enhanced Application Logs (EAL logs) for DHCP for use by IoT Security and other services. If you do not enable this option, the NGFW forwards the packets without creating logs for the DHCP broadcast packets.
NAT64 IPv6 Minimum Network MTU
Enter the global MTU for IPv6 translated traffic. The default of 1,280 bytes is based on the standard minimum MTU for IPv6 traffic (range is 1,280 to 9,216).
NAT Oversubscription Rate
Select the DIPP NAT oversubscription rate, which is the number of times that the NGFW can use the same translated IP address and port pair concurrently. Reducing the oversubscription rate decreases the number of source device translations but will provide higher NAT rule capacities.
  • Platform Default—Explicit configuration of the oversubscription rate is turned off and the default oversubscription rate for the model applies. (See default rates of NGFW models at https://www.paloaltonetworks.com/products/product-selection.html).
  • 1x—1 time. This means no oversubscription; the NGFW cannot use the same translated IP address and port pair more than once concurrently.
  • 2x—2 times
  • 4x—4 times
  • 8x—8 times
ICMP Unreachable Rate (per sec)
Define the maximum number of ICMP Unreachable responses that the NGFW can send per second. This limit is shared by IPv4 and IPv6 packets.
The default value is 200 messages per second (range is 1 to 65,535).
Accelerated Aging
Enables accelerated age-out of idle sessions.
Select this option to enable accelerated aging and specify the threshold (%) and scaling factor.
When the session table reaches the Accelerated Aging Threshold (% full), PAN-OS applies the Accelerated Aging Scaling Factor to the aging calculations for all sessions: the configured idle time for that type of session is divided by the scaling factor to produce a shorter timeout. The default scaling factor is 2, meaning idle sessions age out twice as fast (in one-half the configured idle time).
For example, if the scaling factor is 10, a session that would normally time out after 3,600 seconds will time out 10 times faster (in 1/10 of the time), which is 360 seconds.
Packet Buffer Protection
Protect against packet buffer exhaustion attacks or high-volume traffic that could overwhelm the device's packet processing capabilities.
Monitor Only
Enable to monitor and log traffic patterns and threshold violations but not take active blocking or mitigation actions. Used for observation and tuning before implementing active protection.
Latency Based Activation
Enable protection mechanisms based on network latency thresholds rather than just packet volume, helping to identify and respond to performance degradation that may indicate attacks or network issues.
Alert (%)
Define the percentage threshold at which the system generates alerts or notifications when packet buffer utilization or other monitored metrics reach this level. This is typically a warning level before more serious actions are taken.
Activate (%)
Define the percentage threshold that triggers the activation of protection mechanisms. When monitored metrics exceed this percentage, active protection features will engage.
Block Countdown Threshold (%)
Define the percentage level that initiates a countdown timer before blocking actions are implemented, to provide a grace period or final warning before more aggressive protection measures activate.
Block Hold Time (sec)
Define the duration in seconds that the system maintains blocking decisions or protection states before re-evaluating whether to continue, modify, or lift the protective measures.
Block Duration (sec)
Define the total time in seconds that blocking or protective actions remain in effect once triggered, after which the system will reassess the threat level and potentially return to normal operation.
Multicast Route Setup Buffering
Select this option (disabled by default) to enable multicast route setup buffering, which allows the NGFW to preserve the first packet in a multicast session when the multicast route or forwarding information base (FIB) entry does not yet exist for the corresponding multicast group. By default, the NGFW does not buffer the first multicast packet in a new session; instead, it uses the first packet to set up the multicast route. This is expected behavior for multicast traffic. You only need to enable multicast route setup buffering if your content servers are directly connected to the NGFW and your custom application cannot withstand the first packet in the session being dropped.
Buffering Size
If you enable Multicast Route Setup Buffering, you can tune the buffer size, which specifies the buffer size per flow (range is 1 to 2,000; default is 1,000). The NGFW can buffer a maximum of 5,000 packets.

Session Timeout

Default (sec)
Maximum length of time, in seconds, that a non-TCP/UDP, non-SCTP, or non-ICMP session can be open without a response (range is 1 to 15,999,999; default is 30).
Discard Default (sec)
Maximum length of time, in seconds, that a non-TCP/UDP/SCTP session remains open after PAN-OS denies the session based on Security policy rules configured on the NGFW (range is 1 to 15,999,999; default is 60).
Discard TCP (sec)
Maximum length of time, in seconds, that a TCP session remains open after PAN-OS denies the session based on Security policy rules configured on the NGFW (range is 1 to 15,999,999; default is 90).
Discard UDP (sec)
Maximum length of time, in seconds, that a UDP session remains open after PAN-OS denies the session based on Security policy rules configured on the NGFW (range is 1 to 15,999,999; default is 60).
ICMP (sec)
Maximum length of time, in seconds, that an ICMP session can be open without an ICMP response (range is 1 to 15,999,999; default is 6).
Scan (sec)
Maximum length of time, in seconds, that a session can be inactive before the NGFW clears the session and recovers the buffer resources the session was using. The inactive time is the time that has passed since the session was last refreshed by a packet or an event (range is 5 to 30; default is 10).
TCP (sec)
Maximum length of time, in seconds, that a TCP session remains open without a response after the session is in the Established state (the handshake is complete and/or data transmission has started) (range is 1 to 15,999,999; default is 3,600).
TCP Handshake (sec)
Maximum length of time, in seconds, between receiving the SYN-ACK and the subsequent ACK that fully establishes the session (range is 1 to 60; default is 10).
TCP Init (sec)
Maximum length of time, in seconds, between receiving the SYN and the SYN-ACK before the TCP handshake timer starts (range is 1 to 60; default is 5).
TCP Half Closed (sec)
Maximum length of time, in seconds, between receiving the first FIN and receiving the second FIN or a RST (range is 1 to 604,800; default is 120).
TCP Time Wait (sec)
Maximum length of time, in seconds, after receiving the second FIN or a RST (range is 1 to 600; default is 15).
Unverified RST (sec)
Maximum length of time, in seconds, after receiving a RST that cannot be verified (the RST is within the TCP window but has an unexpected sequence number, or the RST is from an asymmetric path) (range is 1 to 600; default is 30).
UDP (sec)
Maximum length of time, in seconds, that a UDP session remains open without a UDP response (range is 1 to 1,599,999; default is 30).
Captive Portal (sec)
The authentication session timeout in seconds for the Authentication Portal web form (default is 30, range is 1 to 1,599,999). To access the requested content, the user must enter the authentication credentials in this form and be successfully authenticated.

TCP Settings

Forward Segments Exceeding TCP Out-of-Order Queue
Select this option if you want the NGFW to forward segments that exceed the TCP out-of-order queue limit of 64 per session. If you disable this option, the NGFW drops segments that exceed the out-of-order queue limit.
Allow Arbitrary ACK in Response to SYN
Enable this option to allow a response to a challenge ACK (also known as an arbitrary ACK) for cases where the server responds to the client SYN with an ACK instead of a SYN/ACK. For example, challenge ACKs can be sent from the server for attack mitigation purposes, and enabling this setting on the NGFW allows communication between the client and server so that the challenge ACK process can be completed even when the handshake is out of state or out of sequence.
Drop Segments with Null Timestamp Option
The TCP timestamp records when the segment was sent and allows the NGFW to verify that the timestamp is valid for that session, preventing TCP sequence number wrapping. The TCP timestamp is also used to calculate round trip time. With this option enabled, the NGFW drops packets with null timestamps.
Asymmetric Path
Set globally whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers.
  • Drop—Drop packets that contain an asymmetric path.
  • Bypass—Bypass scanning on packets that contain an asymmetric path.
Urgent Data Flag
Use this option to configure whether the NGFW allows the urgent pointer (URG bit flag) in the TCP header. The urgent pointer in the TCP header is used to promote a packet for immediate processing—the NGFW removes it from the processing queue and expedites it through the TCP/IP stack on the host. This process is called out-of-band processing.
Because the implementation of the urgent pointer varies by host, setting this option to Clear (the default and recommended setting) eliminates any ambiguity by disallowing out-of-band processing so that the out-of-band byte in the payload becomes part of the payload and the packet is not processed urgently. Additionally, the Clear setting ensures that the NGFW sees the exact stream in the protocol stack as the host for whom the packet is destined.
Drop Segments Without Flag
Illegal TCP segments without any flags set can be used to evade content inspection. With this option enabled (the default), the NGFW drops packets that have no flags set in the TCP header.
Strip MPTCP Option
Enabled globally by default to convert Multipath TCP (MPTCP) connections to standard TCP connections.
SIP TCP Cleartext
Select one of the following options to set the cleartext proxy behavior for SIP TCP sessions when a segmented SIP header is detected:
  • Always Off—Disables the cleartext proxy. Disable the proxy when the SIP message size is generally smaller than the MSS and when the SIP messages fit within a single segment, or if you need to ensure TCP proxy resources are reserved for SSL forward proxy or HTTP/2.
  • Always enabled—Default. Uses TCP proxy for all SIP over TCP sessions to help with the correct reassembly and ordering of TCP segments for proper ALG operation.
  • Automatically enable proxy when needed—When selected, the cleartext proxy is automatically enabled for sessions where the ALG detects SIP message fragmentation. Helps optimize the proxy when it is also used for SSL forward proxy or HTTP/2.
TCP Retransmit Scan
If enabled, the checksum of the original packet is compared when a retransmitted packet is seen. If the checksums of the original and retransmitted packet differ, the retransmitted packet is assumed to be malicious and dropped.

VPN Session Settings

Cookie Activation Threshold
Specify a maximum number of IKEv2 half-open IKE SAs allowed per NGFW, above which cookie validation is triggered. When the number of half-open IKE SAs exceeds the Cookie Activation Threshold, the Responder will request a cookie, and the Initiator must respond with an IKE_SA_INIT containing a cookie. If the cookie validation is successful, another SA session can be initiated.
A value of 0 means that cookie validation is always on.
The Cookie Activation Threshold is a global NGFW setting and should be lower than the Maximum Half Opened SA setting, which is also global (range is 0 to 65535; default is 500).
Maximum Half Opened SA
Specify the maximum number of IKEv2 half-open IKE SAs that Initiators can send to the NGFW without getting a response. Once the maximum is reached, the NGFW will not respond to new IKE_SA_INIT packets (range is 1 to 65535; default is 65535).
Maximum Cached Certificates
Specify the maximum number of peer certificate authority (CA) certificates retrieved via HTTP that the NGFW can cache. This value is used only by the IKEv2 Hash and URL feature (range is 1 to 4000; default is 500).
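The following added model shows how the Cookie Activation Threshold and Maximum Half Opened SA settings gate IKE_SA_INIT handling on the responder side; it is not Palo Alto Networks code. It assumes a stateless RFC 7296 section 2.6 style cookie (an HMAC over the initiator's nonce, address and SPI with a responder-local secret); the `IkeResponder`, `initiator_open` names and the peer addresses are constructed for this example.

```python
"""Responder-side model of IKEv2 half-open SA limits and cookie challenges.

Added example, not Palo Alto Networks code. The cookie construction follows
RFC 7296 section 2.6 (HMAC over Ni | IPi | SPIi with a local secret), which
lets the responder challenge an initiator without storing any state.
"""
import hashlib
import hmac
import secrets


class IkeResponder:
    def __init__(self, cookie_threshold: int = 500, max_half_open: int = 65535,
                 secret: bytes = None):
        # Page ranges: threshold 0..65535 (0 = always validate), maximum 1..65535.
        if not 0 <= cookie_threshold <= 65535 or not 1 <= max_half_open <= 65535:
            raise ValueError("settings out of range")
        self.cookie_threshold = cookie_threshold
        self.max_half_open = max_half_open
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        self.half_open = {}  # (peer_ip, spi_i) -> initiator nonce

    def _cookie(self, peer_ip: str, spi_i: bytes, nonce: bytes) -> bytes:
        msg = nonce + peer_ip.encode() + spi_i
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def ike_sa_init(self, peer_ip: str, spi_i: bytes, nonce: bytes,
                    cookie: bytes = None) -> tuple:
        """Handle one IKE_SA_INIT request.

        Returns ("IGNORE", None) when Maximum Half Opened SA is reached,
        ("COOKIE", value) when the initiator must retry with a cookie, or
        ("SA_INIT_RESP", None) when a half-open SA was created.
        """
        if len(self.half_open) >= self.max_half_open:
            return ("IGNORE", None)  # no response to new IKE_SA_INIT packets
        # Cookie validation is on when the count exceeds the threshold, or always when 0.
        if self.cookie_threshold == 0 or len(self.half_open) > self.cookie_threshold:
            expected = self._cookie(peer_ip, spi_i, nonce)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return ("COOKIE", expected)  # N(COOKIE): retry carrying this value
        self.half_open[(peer_ip, spi_i)] = nonce
        return ("SA_INIT_RESP", None)

    def complete(self, peer_ip: str, spi_i: bytes) -> None:
        """IKE_AUTH finished (or the SA timed out): the SA is no longer half-open."""
        self.half_open.pop((peer_ip, spi_i), None)


def initiator_open(resp: IkeResponder, peer_ip: str, spi_i: bytes, nonce: bytes) -> list:
    """Initiator side: send IKE_SA_INIT and, if challenged, resend it with the cookie.
    Returns the sequence of responder reactions observed."""
    seen = []
    kind, cookie = resp.ike_sa_init(peer_ip, spi_i, nonce)
    seen.append(kind)
    if kind == "COOKIE":
        kind, _ = resp.ike_sa_init(peer_ip, spi_i, nonce, cookie=cookie)
        seen.append(kind)
    return seen


if __name__ == "__main__":
    # Constructed scenario: threshold 2, maximum 4, five peers opening SAs.
    r = IkeResponder(cookie_threshold=2, max_half_open=4)
    for i in range(1, 6):
        print(f"192.0.2.{i}", initiator_open(r, f"192.0.2.{i}", bytes([i]) * 8, b"n%d" % i))
```

A half-open SA that never completes stays counted against both limits until it is removed, which is why the page advises keeping the threshold below the maximum: the cookie challenge must kick in before the responder stops answering altogether.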

Device Setup (Content-ID)

Learn about device setup Content-ID settings.
In Strata Cloud Manager, select Configuration > NGFW and Prisma Access and set the Configuration Scope to the folder or NGFW you wish to configure. From the scope of your folder or NGFW, select Device Settings > Device Setup > Content-ID.

Content-ID Settings

Extended Packet Capture Length (packets)
Set the number of packets to capture when the extended-capture option is enabled in Anti-Spyware and Vulnerability Protection profiles (range is 1 to 50; default is 5).
Forward Segments Exceeding TCP App-ID Inspection Queue
Enable this option to forward segments and classify an application as unknown-tcp when the App-ID queue exceeds the 64-segment limit. Use the following global counter to view the number of segments exceeding the queue limit, regardless of whether you enabled or disabled this option:
Forward Segments Exceeding TCP Content Inspection Queue
Enable this option to forward TCP segments and skip content inspection when the TCP content inspection queue is full. The NGFW can queue up to 64 segments while waiting for the content engine. When the NGFW forwards a segment and skips content inspection due to a full content inspection queue, it increments the following global counter:
Forward Datagrams Exceeding UDP Content Inspection Queue
Enable this option to forward UDP datagrams and skip content inspection when the UDP content inspection queue is full. The NGFW can queue up to 64 datagrams while waiting for a response from the content engine. When the NGFW forwards a datagram and skips content inspection due to a UDP content inspection queue overflow, it increments the following global counter:
Allow HTTP Partial Response
Enable this HTTP partial response option to allow a client to fetch only part of a file. When an NGFW in the path of a transfer identifies and drops a malicious file, it terminates the TCP session with an RST packet. If the web browser implements the HTTP Range option, it can start a new session to fetch only the remaining part of the file. Because the NGFW lacks the context of the initial session, the new session does not trigger the same signature again, and the browser can reassemble the file and deliver the malicious content. To prevent this, disable this option.
Use X-Forwarded-For Header
  • Disabled—When disabled, the NGFW does not read the IP addresses from X-Forwarded-For (XFF) header in client requests.
  • Enable for User-ID—Enable this option to specify that User-ID reads IP addresses from the X-Forwarded-For (XFF) header in client requests for web services when the NGFW is deployed between the internet and a proxy server that would otherwise hide client IP addresses. User-ID matches the IP addresses it reads with usernames that your policies reference so that those policies can control and log access for the associated users and groups. If the header has multiple IP addresses, User-ID uses the first entry from the left.
In some cases, the header value is a character string instead of an IP address. If the string matches a username that User-ID mapped to an IP address, the NGFW uses that username for group mapping references in policies. If no IP address-mapping exists for the string, the NGFW invokes the policy rules in which the source user is set to any or unknown.
URL Filtering logs display the matched usernames in the Source User field. If User-ID cannot perform the matching or is not enabled for the zone associated with the IP address, the Source User field displays the XFF IP address with the prefix x-fwd-for.
  • Enable for Security Policy—Enable this option to specify that the NGFW reads the IP addresses from the X-Forwarded-For (XFF) header in client requests for web services when an upstream device, such as proxy server or load balancer, is deployed between the client and the NGFW. The proxy server or load balancer IP address replaces the client IP address as the request source IP. The NGFW can then use the IP addresses in the XFF header to enforce policy.
Strip X-Forwarded-For Header
Enable this option to remove the X-Forwarded-For (XFF) header, which contains the IP address of a client requesting a web service when the NGFW is deployed between the internet and a proxy server. The NGFW zeroes out the header value before forwarding the request: the forwarded packets don’t contain internal source IP information.
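An added Python model of the X-Forwarded-For handling described above (not Palo Alto Networks code): the "Enable for User-ID" reading rule (first entry from the left; a non-IP string is used only if it matches a mapped username, otherwise the source user is unknown; an unmapped address is logged with the x-fwd-for prefix) and the "Strip X-Forwarded-For Header" option, modelled here as dropping the header from the forwarded request. The `x-fwd-for:` prefix format, the user map and the requests are constructed assumptions.

```python
"""X-Forwarded-For (XFF) reading and stripping, modelled after the settings above.

Added example, not Palo Alto Networks code. The User-ID mapping, the requests
and the exact "x-fwd-for:" log prefix are constructed for illustration.
"""
import ipaddress
from typing import Optional

# Constructed User-ID IP-to-username mapping (not real data).
USER_ID_MAP = {"10.20.30.40": "corp\\alice"}


def _xff_entries(headers: dict) -> list:
    """Return the comma-separated XFF entries; header names match case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "x-forwarded-for":
            return [e.strip() for e in value.split(",") if e.strip()]
    return []


def xff_source(headers: dict, user_map: dict) -> Optional[dict]:
    """Apply the "Enable for User-ID" reading rule to one request's headers.

    Returns None when there is no XFF header; otherwise a dict with the IP
    address read (or None) and the source user to use for policy and logging.
    The leftmost entry is whatever the first hop presented, so the result is
    only meaningful when a trusted upstream proxy or load balancer sets it.
    """
    entries = _xff_entries(headers)
    if not entries:
        return None
    first = entries[0]  # User-ID uses the first entry from the left
    try:
        ip = str(ipaddress.ip_address(first))
    except ValueError:
        # A character string instead of an IP: usable only if User-ID mapped it.
        if first in user_map.values():
            return {"ip": None, "user": first}
        return {"ip": None, "user": "unknown"}  # rules with source user any/unknown
    user = user_map.get(ip)
    # No mapping: logs show the XFF address with the x-fwd-for prefix (format assumed).
    return {"ip": ip, "user": user if user else "x-fwd-for:" + ip}


def strip_xff(headers: dict) -> dict:
    """Model of Strip X-Forwarded-For Header: return the headers to forward without XFF,
    so internal source IP information does not leave with the request."""
    return {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}


if __name__ == "__main__":
    # Constructed request as seen behind an upstream proxy.
    req = {"Host": "intranet.example", "X-Forwarded-For": "10.20.30.40, 198.51.100.7"}
    print(xff_source(req, USER_ID_MAP))  # maps to corp\alice
    print(strip_xff(req))                # only Host remains
```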

HTTP/2 Settings

Connection Logging
Enables the NGFW to log HTTP/2 connection sessions as tunnel inspection log entries.

Content Cloud Settings

Service URL
Various Palo Alto Networks cloud-based services operating on the NGFW use the specified FQDN to facilitate service requests. The default FQDN connects to hawkeye.services-edge.paloaltonetworks.com and then resolves to the nearest cloud services server. You can override the automatic server selection by specifying a regional content cloud server that best meets your data residency and performance requirements. Keep in mind that the content cloud FQDN is a globally used resource and affects how other services that rely on this connection send traffic payloads.

URL Inline Cloud Categorization

Max Latency (ms)
Specify the maximum acceptable processing time, in milliseconds, for Inline Cloud Categorization to return a result.
Allow on Max Latency
Enables the NGFW to take the action of allow when the maximum latency is reached. De-selecting this option sets the NGFW action to block.
Log Traffic Not Scanned
Enables the NGFW to log URL categorization requests that exhibit the presence of certain advanced webpage threats but have not been processed by Inline Cloud Categorization.

WildFire Inline Cloud Analysis

Max Latency (ms)
Specify the maximum acceptable processing time, in milliseconds, for Advanced WildFire Inline Cloud Analysis to return a result. The range is 1 to 240,000 ms; the default is 30,000 ms.
Allow on Max Latency
Enables the NGFW to take the action of allow when the maximum latency is reached. De-selecting this option sets the NGFW action to block.
Log Traffic Not Scanned
Enables the NGFW to log Advanced WildFire Inline Cloud Analysis requests that exhibit the appearance of malware but have not yet been processed.

Threat Prevention Inline Cloud Analysis

Max Latency (ms)
Specify the maximum processing time, in milliseconds, for Advanced Threat Prevention Inline Cloud Analysis to return a result.
Allow on Max Latency
Enables the NGFW to take the action of allow when the maximum latency is reached. De-selecting this option sets the NGFW action to block.
Log Traffic Not Scanned
Enables the NGFW to log traffic requests that exhibit anomalous traits indicating the presence of advanced and evasive command-and-control (C2) threats but have not been processed by Threat Prevention Inline Cloud analyzers.

Realtime Signature Lookup

Enable DNS Signature Lookup Health Monitor
Enable the DNS Signature Lookup Health Monitor to monitor whether the DNS server is responding to client requests.
DNS Signature Lookup Timeout (ms)
Specify the duration of time, in milliseconds, for the NGFW to query the DNS Security service. If the cloud does not respond before the end of the specified period, the NGFW releases the associated DNS response to the requesting client (range is 0 to 60,000; default is 100).
Hold for WildFire Real-Time Signature Lookup
Enables the option to use WildFire real-time signature lookup hold mode on a per-antivirus profile basis.
WildFire Real-Time Signature Lookup Timeout (ms)
Specify the duration of time, in milliseconds, for the NGFW to query the real-time signature cloud for real-time signature lookups. If the real-time signature cloud does not respond before the end of the specified period, the NGFW applies the user-specified Action on Real-Time WildFire Signature Timeout to the requesting client (range is 1000 to 5000; default is 1000).
Action on Real-Time WildFire Signature Timeout
Specify the action to take when the signature lookup exceeds the configured WildFire Real Time Signature Lookup Timeout setting:
  • Allow—The packets are released and the file continues transmission to the client.
  • Reset Both—Resets the connection on both client and server ends.

Container Pages

Custom URL Content Types
Use these settings to specify the types of URLs that the NGFW tracks or logs based on content type, such as application/pdf, application/soap+xml, application/xhtml+, text/html, text/plain, and text/xml. Container pages are set per virtual system, which you select from the Location drop-down. If a virtual system does not have an explicit container page defined, the NGFW uses the default content types.
Add and enter a content type or select an existing content type.
Adding new content types for a virtual system overrides the default list of content types. If there are no content types associated with a virtual system, the default list of content types is used.