Ignite '17 edition, Kiwi's favorites Part 2

Community Team Member

Some more great questions and answers posted @ Ignite 2017. I'm sure these are very helpful to anyone with similar questions.


How do you record URLs without a URL filtering license?


Posted answer: You can record URLs without the URL filtering license BUT there will be no correct categorization.


My notes: Indeed, you can log all the URLs. Using a simple workaround, you can record URL logs even without a URL filtering license.  All you need to do is create a custom URL category containing the following wildcards:





Don't forget to use this custom category in a URL profile AND use that profile in the security policy in order to log all your traffic.

Note that ALL your URLs will be categorized as the CustomCategory this way.




Should we be using the default actions for spyware or should we define the actions in exceptions 


Posted answer: I usually tell clients to create custom spyware profiles and specify an action of block for severities critical + high and an action of 'default' for all other severities.


My notes: Palo Alto Networks next-generation firewalls have 2 built-in profiles. One called 'Default' which, personally, I do not recommend.  I believe this setting is not adequate for today's security standards ... that said, it is still better than having no profile configured at all. The default profile uses the default action for every signature, as specified by Palo Alto Networks when the signature is created.

Personally, I'd recommend using the strict profile to ensure blocking of vulnerabilities exploited by malicious documents.  he strict profile overrides the action defined in the signature file for critical, high, and medium severity threats, and sets it to the 'reset-both' action. The default action is taken with low and informational severity threats.


As the answer posted @ Ignite indicates, it is also possible to create a custom profile and tweak it as desired.


Don't forget to use the profile in a security policy!







How does GlobalProtect determine which gateway to assign when you have two gateways at the same priority level?


Posted answer: Uses SSL to determine fastest connection.


My Notes: There's a difference in pre- or post- PAN-OS 8.0.


  • Pre-8.0 : GlobalProtect client receives a list of gateways, each gateway with a single priority, and performs best gateway selection based on priorities and response times.
  • Post-8.0 : GlobalProtect client receives a list of gateways, each gateway has multiple priorities, one per (configured) region.
  • Post-8.0 : GlobalProtect client determines the region where it connects from, and uses this information to determine which priority of each gateway to use
    • some gateways may not be eligible for selection 

The screenshot below illustrates the difference between PAN-OS 7.1 and PAN-OS 8.0+







Please feel free to leave questions or comments. Let me know what you'd like me to tackle next.


That's it for me.

@kiwi out!


Ask Questions Get Answers Join the Live Community