Read some of the unanswered questions asked at Ignite 2019 in Austin, TX. Engage with the LIVEcommunity team to see how some of the unanswered questions were answered by the one and only Reaper. Don't forget to subscribe to our blog to get up-to-date information about all things Palo Alto Networks. Got Questions? Get Answers from LIVEcommunity!
Each year, troves of enthusiasts gather at the LIVEcommunity booth at Ignite to share knowledge, business cards, and beers (or coffee if it's still pretty early)! Questions are put on the board, lively discussions are had, and answers get posted. Sometimes, a few questions are left unanswered so we make it a point to answer those on here, so anyone who asked and still would like an answer may find it here.
Here's a grab from the few that were left:
Some of the unanswered questions
I'll try to answer a few here, but as always, feel free to chime in via the comments section below or ask away in the discussion forum!
1. How do you get IPv6 traffic to route through [VM-Seires] in AWS without NAT?
(answer) Add the ::/0 route. No NAT is required to make IPv6 work. Simply enable it on the system, device, or instance and the interfaces. Then add the default route.
2. Is it possible to capture traffic when the action of vulnerability profile is "drop?"
(answer) Yes, it is. The firewall can capture all packets that belong to the session, including packets that are discarded.
3. What is the recommended default config for Expedition? cpu, mem, etc.?
5. Make [Palo Alto Networks] work with my gaming consoles?
(answer) OK! Most gaming consoles rely heavily on an interesting protocol called UPnP (Universal Plug and Play), which basically tells your router to go ahead and open up a bunch of ports directly to the gaming console. Pretty easy but not great for security. In a Layer3 routed environment, one of the only ways to resolve that issue is to set up static NAT.
These are some common ports that would need to be forwarded to these gaming systems to simulate UPnP:
- PS4: TCP 80, 443, 1935, 3478-3480 UDP 3478-3479
- Xbox TCP 3074 UDP 88, 500, 3074, 3544, 4500
Other gaming systems may use different ports and the abovementioned ports could also change. Another solution is to set up Layer2 (switching), as this will not interfere with the gaming system wanting to open random ports, and you can apply security profiles on all traffic to make sure no malignant connections are piggy-backing on the UPnP opened ports.
6. Would it be the forum where we can post a question?
(answer) Never use the default settings of zone protection as chances are slim they will fit your network footprint. A good way to baseline your network is to enable zone protection with a ridiculously high value for anything to be dropped, and figure out your comfort zone using alerting. If you keep an eye on your alerts for a few weeks and tune to a value where you find where your peaks are, you will be able to confidently enable dropping at a level slightly higher (10-30% depending on your overall capabilities) than the alert action.
For Random Early Drop, I'd recommend the "activate" setting to commence at the same level as alert. For SYN cookies, you could opt to always use them, as they have no negative impact but help reject irregular syn packets at an early stage (before they become problematic).
8. Will TwistLock require another type of license?
(answer) Please stay tuned, we will be sending out more information soon.
If you liked these answers, feel free to swing by next year and ask in person or check out the upcoming Ignite '19 Europe event!