A couple more great questions and answers posted on the #GetAnswers wall at Ignite2017 I hope can be useful to anyone with similar questions
How can you do a wildcard search in Traffic Monitor?
Posted answer: Wildcards cannot be used in the traffic log filter.
My side notes; While you can't use a traditional * in Traffic Log, you can use a subnetmask to address a range of IP addresses, effectively functioning as a wildcard
subnetmask in search string
What Is the best policy approach to use on Panorama, pre or post?
This depends how your local policy is set up, if at all.
Pre rules are usually great to enforce specific policy, like DNS sinkhole or certain URL categorization filtering to comply with corporate policy. They can also be used to ensure administrative access in case a local administrator accicentally commits an 'any any deny' for example.
Post rules are great for cleanup if you want to log/not log certain protocols and want to ensure anything that was missed in the policy is met by a default action identical across the organization.
Do you have to download the base version when upgrading your Palo Alto Networks firewall and can you sync the downloads across an HA pair?
Posted answer: Yes (on both parts of the question).
My side notes: The base image, usually the X.X.0 version, is required as a repository of operating system files not included in the maintenance releases. This was done to keep the size of later maintenance versions limited. Best practice is to download and install the base image, reboot, download and install the latest maintenance release.
Any packages downloaded by one peer of an HA cluster (PAN-OS, content updates, ...) can be synced and, optionally, installed on the HA peer.
What is better: App-ID or service/standard ports in reference to traffic?
Posted answer: App-ID is better because it can handle traffic that changes ports or elastic traffic. It can also add security allowing only the traffic you wish, not everything on the port
My side notes: App-ID should be used alongside services (ports) as this will strengthen security:
-restricting the ports will ensure no applications run on suspicous ports, or are accidentally exposed (eg. an admin web interface on port 8001)
-leveraging App-ID will ensure applications can be allowed and blocked based on real-world behavior (eg. ssh on port 80 is properly identified as ssh, which could be a command and control connection trying to bypass the firewall by using port 80)
What is a method to intro span VLANS [drawing of vlan1, 2 and 3 connected to one box]
Posted answer: Layer2 interfaces.
My side notes: Layer2 interfaces can be configured to bridge VLANS without interfering with spanning-tree protocol which could be tricky in a switching environment. The customer in this question wanted to segment a single subnet by introducing VLANs for his servers and client network while using as few interfaces on the firewall as possible. A single trunk carrying all the VLANs can be connected to the firewall on a Layer2 interfaces, then bridging between these VLANs can be enabled and security policies enforced based on zones attached to the tagged sub-interfaces to the trunk Layer2 interface.
Why does Palo have to initially allow traffic for App-ID?
Posted answer: On a new flow 5tuple is analyzed and the rule base is processed based on 5tuple ignoring App-ID in rules. FW will allow a 3-way handshake so the fw can analyze real packets to identifythe app. Once the App is identified the FW will process the rule base again including the App-ID. The FW will then take action on the flow based on the matching rul (allow/deny)
My side notes: I challenged this booth visitor to write up a reply that took only 1 page in exchange for a LiveCommunity backpack. He nailed it.
The SYN packet can only be analysed based on the 5-tuple (source network, source zone, destination network, destination zone, destination port). This is because in the SYN packet, an application cannot be identified yet.
The firewall first does a pass, top to bottom, to find a match based on this 5-tuple, temproarily ignoring any applications configured in the security policy (an SSH session on port 80 could therefore 'match' a web-browsing policy at this stage of the connection). If a positive match is found, the SYN is allowed to pass through and a session is created that allows the returning syn/ack and the final ack through. Now data packets begin to flow, App-ID can attempt to identify the application and once an application is matched, the security policy is checked again top to bottom, now including the application. If a policy is found that matches the 6-tuple (src net, src zone, dst net, dst zone, app, port) the session is rematched and allowed through, else it will be dropped by the default policy.
I hope you liked these questions as much as I did, feel free to post any additional uestions or comments below!