#GetAnswers from Ignite Q&A | jdelio

Community Team Member

This week's Discussion of the Week is going to depart from the usual and focus on the questions we got from Ignite.

The Live Community booth at Ignite 2017 was easily the busiest booth at Ignite. If you did not already know, we had customers post questions (on yellow paper) on our Ignite booth wall and we allowed other customers to answer (on blue paper) these questions for prizes.


If you missed out on the Ignite blogs with pictures and information on what was going on, please check out the Ignite blogs here:



I was able to grab about a third of the questions and am posting them below. 


These are broken up by category.  Also please note the answers provided are from customers and visitors at the booth, so they may not be the 'best' answer for a particular scenario (we did vet answers for accuracy), so feel free to add your own answer or take in the comments below.


Question on the yellow paper Answer on the blue paper
For designers - What is the best option for the VM's implementation when the customers need a micro-segmentations? On virtual system with hyper-v. Try PVALNs on the vswitch or PCI passthrough.
Why would you choose Palo Alto Networks vs other brands? Simple. Platform approach and innovation. Other players buy up "good idea" type companies and attempt to integrate. Palo Alto Networks chooses to innovate. Look up Unit 42. check out PAN-OS 8.0 new features list. Panorama template stacking and device groups. Traps from an endpoint standpoint. Acquisition? Yes. Wildfire on board? Yes. Proven track record and threat intelligence cloud.
What is the best way to establish a GlobalProtect session from a docker container? I don't think that is actually possible at this time.
How to do machine cert and user cert in GlobalProtect at the same time? 1. Export the certificate from the Palo Alto Networks Firewall.
2. Install an endpoint logging AD.
How do I reset user password when integrated with LDAP (GlobalProtect)? Go to AD user account setting and reset the password and ad policy will authenticate to LDAP GlobalProtect.
Allow user to reset for themselves by using the pre-login feature.
Why is GlobalProtect free for windows and MAC but not for mobile? Mobile requires HIP checks, which are licensed.
Will Palo Alto have a feature to print out the firewall policy rather than rely on external tools or screen print? Not directly. You can use the migration tool, cli, xml or printscreen to print the policy.
Traffic log shows 'threat' for an activity but threat log does not show any of this - what 'threat' reported in the traffic log? Threat logs show if it is blocked by AV, spyware, IPS. You have to double check that you have enabled AV, spyware, IPS on specific rule and choose to perform a packet capture to capture the threat. You have to check the traffic and threat logs in more detail to coordinate it with a real threat.
Why can't I create dynamic host object from FW's port and use it in rule-policies? (FW using DHCP addresses in 'untrust") This is a feature we may possibly be looking at for a future release - DDNS
How can I get the ssl session count/throughput? Is there a way to shew CPU utilization relating to SSL? 1. ACC provides session count + throughput.
2. No specific CPU counter for SSL - show system resources - will show all processes.
Why do routers run on the management plane? To not affect data plane when configuring.
Can we improve SSL decryption difficult for HIPAA and banking? You can selectively decrypt SSL based on PAN-DB categories - so compliance of HIPPA and banking depends on the quality of PAN-DB. Because of url speed of change, it will likely never be perfect. Normally Banking SSL traffic is NOT decrypted for the user's privacy.
How many levels of tunneling inspection can be done? Max 2 levels, which is configurable.
How easy is it to automate IR in Palo Alto Networks via triggers from Splunk --> correlated events? You can create a policy that denies a source or destination with a dynamic address group. You can then write to the Palo Alto Networks API to update members in this address group. Don't create addresses that are not dynamic via API because then you have to do a commit to have it take effect.
Can I use computer groups to apply policies? You can't use computer groups! It is currently not supported. User groups only...for the moment.
Are the interfaces bounded in group due to asic? Yes they are bounded, however, you can add appropriate columns in the logs to separate the traffic flows.
Best practice for decryption inbound/outbound or both? Decryption should be enabled for traffic initiated from the inside out. You already know about what you are hosting. Joe's add: Here is a technical document talking about all the decryption features and walks through configuring SSL Decryption: Configure Decryption
Open SSL does not always help or work to deny Psiphon. Do you have any new method to block it? How can I block it? Right now, since Psiphon constantly changes ports, the only way to disconnect Psiphon is to open SSL traffic or decrypt the traffic and inspect it, then apply blocking.
How many virtual firewalls can a PA-5250 be divided into? 25 baseline, 125 with a valid license.
Can PAN-OS 8.0 run SNMP to get ARP table? No.
Can or will GlobalProtect support multiple RADIUS servers? Yes, it is supported on PAN-OS 7.1.9.
Can PAN-OS 8.0 support Shibboleth SSO as an IDP? How to configure it? Both Panorama + FW support SAML 2.0 . Shibboleth is SAML...
Palo Alto Networks fully supports Shibboleth as an IDP. You can configure the IDP by adding it as a server profile + authentication profile (import metadata + configure the Palo Alto Networks server profile).
Migration Tool
How do you merge two firewall devices into one PA-500 appliance with PA migration tool? It depends on existing firewall. If you have both firewalls in zone based, then you can easily migrate via migration tool. Now, if you are merging, then you need to migrate one firewall and manually add the configuration via CLI or API.
Panorama template stack - how to get a management profile from a global template to a specific template in a template stack - I can do this with zones but I can't (I don't) think with these profiles. You can't, but if you create a management profile on the specific template with the same name, you can reference it locally and it will use the settings from the parent template.
What is the best way to enable all logging for user events via Panorama? Using a template and apply it to all users.
What is the best strategy to help on-prem SOCs to secure SaaS? You need to implement CASB type solution which will have visibility into SaaS platform, then monitor configuration changes, user activity and feed it to SIEM for SOC to detect and respond.
Is it possible to add trusted publisher in Traps with GUI? No! Only possible through a change in the SQL DB.
Traps - How can I whitelist PE from being blocked by local analysis?

Check out Traps version 4.0.1
Joe's add: Check out the "Manage Global Whitelists" section on the documentation site here: Manage Global Whitelist

How is traps licensed? Minimum number of licenses required? Are there diff licensing scheme for different endpoints? The min is 200 points. Server = 1 point, client = 1 point, vdi = 1 point. There is no diff classing. MSSP partners can offer licenses starting at 50 points.
Can Traps prevent ransomware? Yes if you have Wildfire - threat prevention license.
What is the best way to protect all the endpoints of my organization? Traps!
Is it possible to deploy traps alongside Sophos intercept-x during a phase out from Sophos? Sophos av should be ok, but their anti-exploit product should be deactivated prior to installing Traps.
Traps - why do I need to add a trusted signer directly in sql dbase rather than through the console? Adding this can be risky as a compromised vert manually added can be a severe compromise in security. WildFire path exclusions were added in 4.0.1 and should provide a good alternative.
Can Traps detect activity from Ubuntu running on Windows 10 as a subsystem or will it be a hidden process? No, Ubuntu is not yet supported for Traps. 
Can I use the same user id in a multi-vsys environment ? 1st vsys admin, 2nd vsys read only Yes, you would need to do a template commit on each vsys location on that firewall, but you can have the same group mapping/user groups on two different vsys simultaneously.
How many concurrent SSL VPN tunnels are supported by PA-220? 250 tunnel interfaces are supported with PA-220 + PAN-OS 8.0


That's all for now. 


As always, we welcome all comments and questions below.


For more Ignite2017 questions from @reaper and @kiwi please see the following links:

#GetAnswers from Kim / kiwi: Q&A from Ignite 

#GetAnswers from Tom / reaper: Q&A from Ignite 


Stay secure,

Joe Delio

Ask Questions Get Answers Join the Live Community