The latest from the great wall of knowledge at Ignite

Community Team Member

We offer more questions and answers from the great wall of knowledge at Ignite. Adding to 'live' technical knowledge at the booth is Karthik Prakash, a very seasoned and experienced engineer on the escalation team at Palo Alto Networks.

 

Photo: Karthik works a discussion with an Ignite attendee.

Photo: Joe and Tom share technical insight.

 

Q:  How do I search group monitoring rules?

  • Is global find available in API?
  • Is packed mode or IP-based service available?
  • Is there a way to disable not-used rules?
  • Do you have find and replace for address objects or groups? 

A: Use the search bar at the top of the rule base to match any string, or use the search builder (the icon to the right of the search bar) to build a more specific filter.


Q: How can I implement User-ID without AD agents?

Answers:

  • Clientless / agentless
  • Captive Portal
  • SML
  • Syslog

User-ID allows you to match up an IP address with a username.
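The syslog option listed above works by reading authentication events from another device and turning them into IP-to-user mappings that age out if not refreshed. The following Python script is an added illustration of that idea and is not Palo Alto Networks code; the syslog lines and the `authd:` message format are constructed for the example, and the 45-minute timeout is an assumed value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines from a hypothetical VPN gateway ("vpn-gw").
# The message format is invented for this example.
SAMPLE_SYSLOG = """\
<134>May  5 20:50:21 vpn-gw authd: login user=alice src_ip=10.1.20.15
<134>May  5 20:51:02 vpn-gw authd: login user=bob src_ip=10.1.20.16
<134>May  5 21:05:10 vpn-gw authd: logout user=alice src_ip=10.1.20.15
<134>May  5 21:06:00 vpn-gw authd: login user=carol src_ip=10.1.20.15
<134>May  5 21:07:00 vpn-gw authd: unrelated message that must be ignored
"""

TS_RE = re.compile(r"^<\d+>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)")
EVENT_RE = re.compile(
    r"authd: (?P<event>login|logout) user=(?P<user>\S+) "
    r"src_ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line, year=2018):
    """Return (timestamp, event, user, ip) or None for lines that do not match."""
    t = TS_RE.match(line)
    m = EVENT_RE.search(line)
    if not t or not m:
        return None
    # BSD syslog timestamps carry no year; the caller supplies one.
    ts = datetime.strptime(f"{year} {t.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("event"), m.group("user"), m.group("ip")


class UserIdMap:
    """IP -> (user, last_seen) table with an idle timeout, as a User-ID style
    mapping store would keep it."""

    def __init__(self, timeout=timedelta(minutes=45)):  # assumed timeout
        self.timeout = timeout
        self.entries = {}

    def apply(self, ts, event, user, ip):
        if event == "login":
            # A newer login on the same IP replaces the old mapping (DHCP reuse).
            self.entries[ip] = (user, ts)
        elif event == "logout":
            current = self.entries.get(ip)
            # Only remove the mapping if the logout is for the user we mapped.
            if current and current[0] == user:
                del self.entries[ip]

    def lookup(self, ip, now):
        """Return the mapped user for ip, or None if unknown or expired."""
        current = self.entries.get(ip)
        if current is None:
            return None
        user, last_seen = current
        if now - last_seen > self.timeout:
            del self.entries[ip]
            return None
        return user


def build_map(syslog_text):
    """Feed every parseable line into a fresh UserIdMap and return it."""
    table = UserIdMap()
    for line in syslog_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            table.apply(*parsed)
    return table


if __name__ == "__main__":
    table = build_map(SAMPLE_SYSLOG)
    now = datetime(2018, 5, 5, 21, 10)
    for ip in ("10.1.20.15", "10.1.20.16", "10.1.20.99"):
        print(ip, "->", table.lookup(ip, now))
```

Note that the logout check compares the user name before dropping the mapping: without it, a stale logout for a previous user would remove the mapping for whoever logged in on that address afterwards.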

 

Q: Can Traps support certificate-based whitelisting?

A: No, you can whitelist based on file name or path. Try using policy rules instead.

 

Q: Can you integrate authentication (auth) policies with AD?

A: Enable User-ID and add an LDAP server.

 

Q: How do you ship logs to multiple destinations from a collector?

A: Panorama:

  • Manager / log collector
  • Log collector forwarding

 

Q: When will you have or show unused objects?

A: PAN-OS 8.1
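Until the unused-object view is available, the same question (and the earlier one about finding rules and objects that are not in use) can be answered offline against an exported configuration. The following Python script is an added example, not a Palo Alto Networks tool; the configuration XML is constructed for the example, and the element paths (`devices/entry/vsys/entry`, `address`, `address-group`, `rulebase/security/rules`) are assumed to match the layout of an exported running config.

```python
import xml.etree.ElementTree as ET

# Constructed configuration excerpt; not taken from a real device.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <address>
      <entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
      <entry name="db-srv"><ip-netmask>10.1.1.20/32</ip-netmask></entry>
      <entry name="old-host"><ip-netmask>10.9.9.9/32</ip-netmask></entry>
    </address>
    <address-group>
      <entry name="app-tier"><static>
        <member>web-srv</member><member>db-srv</member></static></entry>
      <entry name="retired-grp"><static>
        <member>old-host</member></static></entry>
    </address-group>
    <rulebase><security><rules>
      <entry name="allow-app">
        <source><member>any</member></source>
        <destination><member>app-tier</member></destination>
      </entry>
      <entry name="allow-web">
        <source><member>any</member></source>
        <destination><member>web-srv</member></destination>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""

VSYS_PATH = "./devices/entry/vsys/entry"  # assumed export layout


def find_unused(config_xml):
    """Return (unused_groups, unused_addresses), each sorted by name.

    An object counts as used if a security rule names it directly, or if it is a
    member of a group that is itself used (followed transitively). A group that
    no rule references does not keep its members alive.
    """
    root = ET.fromstring(config_xml)
    vsys = root.find(VSYS_PATH)

    addresses = {e.get("name") for e in vsys.findall("./address/entry")}
    groups = {
        e.get("name"): [m.text for m in e.findall("./static/member")]
        for e in vsys.findall("./address-group/entry")
    }

    # Names referenced directly by the source or destination of any rule.
    used = set()
    for rule in vsys.findall("./rulebase/security/rules/entry"):
        for field in ("source", "destination"):
            used.update(m.text for m in rule.findall(f"./{field}/member"))

    # Expand used groups into their members, handling nested groups.
    pending = [name for name in used if name in groups]
    while pending:
        group = pending.pop()
        for member in groups[group]:
            if member not in used:
                used.add(member)
                if member in groups:
                    pending.append(member)

    return sorted(groups.keys() - used), sorted(addresses - used)


if __name__ == "__main__":
    unused_groups, unused_addresses = find_unused(SAMPLE_CONFIG)
    print("unused address groups:", unused_groups)
    print("unused address objects:", unused_addresses)
```

The transitive expansion matters: `old-host` appears in a group, so a naive "is the name mentioned anywhere" check would report it as used, even though nothing in the rule base can ever match it.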

 

Q: How do you enable domain password blocking from being used outside your organization?

A: User must VPN in or use a third-party tool.

 

Q: How can routing protocols better protect a network?

A: Routing provides segregation of network segments.

 

Q: How do I fine tune my UTM for stricter rules?

A: Create different policy groups (high, med, low), and apply to policies as needed.

 

Q: What is the total number of FQDN objects a PA-220 can hold?

A: 2000

 

Q: When will Panorama NOT auto-select all device groups, templates, and log collectors when you push to a device in Panorama? Is it possible to disable this?

A: With 8.0, it no longer does that. We are on 8.0.6-h3 and it only selects the appropriate device groups now.


Q: How do I configure an IPSec tunnel on a Palo Alto Networks firewall?

A: In your Network tab, create an interface, then:

  • Create the tunnel interface
  • Create the IKE gateway (phase 1)
  • Create the IPSec tunnel configuration
  • Apply policies to allow the traffic
  • Add routes for internal and external traffic
  • Commit

 

Be sure to get your Ignite '18 badge. If you didn't stop by the booth at Ignite, be sure to drop me a line to let me know you were here!

 

More to come.
