View from the Ignite Floor

Community Team Member

Questions and answers from LIVEcommunity Ignite '18. Check out the questions and let us know if you answers.


We started with a bigger, blank board, and it keeps growing with great questions and awesome answers.

A picture of the LIVE community theme that says We need a bigger board! Picture of the question board with several blue and yellow post-it notes



Here's a glimpse of the activity @Ignite for #AskQuestions/#GetAnswers:


Q: Will behavioral analytics become a feature?

A: Autofocus.


Q: How to identify a pat over subscription and how would you fix it?

A: Show IP-pools, increase over subscriptions, add IP.


Q: How can I migrate rules from migration tool?

A: The migration tool has been upgraded. It is now called the Expedition tool. It’s a VM you connect to your firewall to help migrate your rules from non Palo Alto to Palo Alto.


Q: How do you create a global rule within Panarama for a group of forewalls that has different src tdst addresses, but the same zones?

A: You create address object or FW level. Every FW can have address obj with same name but different IP. In Panarama rule, you use address object.


Q: Does 8.x move the UserID collection and allow centralization on the Panarama?

A: Yes.


Q:  Can you have a Layer 2 subinterface and a Layer 3 subinterface on the same physical interface?

A: No! Interface type either L2 on L3 io configured on physical interface level.


Q:  How can I determine the Optics currently installed in a PA-7050 chassis?

A: Look at brdagent.log file. Follow up to the answer:  CLI show system state filter-prettysys.s*.p*.phy


Q: What is the easiest way to convert IP based to APP-ID based rules?

A: 1) Go to monitor tab, view all traffic for a particular rule.

2) Note source zone/destination zone/App being used.

3) Create rule with source zone, destination zone and App.

4) Place the newly created rule above old rule.

5) Validate that traffic is hitting new rule.

6) Remove old rule.

7) Repeat for other IP-based rules.

8) Optional: consolidate redundant roles.


Q: In Magnigfer, what is Pathfinder?

A: Pathfinder is a component of Magnifier that is used to scan endpoints that have shown “interesting” behavior. It is deployed as a Virtual Machine within the enterprise.


Q: How do we deploy Traps 5.0 with Cloud SIEM. Need real-time syslog.

A: Log Forwarder Configuration.



Q: What is the main cause of user-id not populating a new user gets an IP that was previously assigned to a different user?

A: If multiple AD are used for user auth, sync between AD logs may not happen quickly enough*


Log volume could also be too much for user-id agent to process.


* If user-id is only monitoring master AD


Q: How to switch from Fortinet to Palo Alto?

A: Migration tool will help migrate the configuration.



Q: How can I roll back content updates via Panorama?

A: You cannot roll back from Panorama, you roll back on firewalls themselves. If you want to do it from Panorama, you need to submit a new feature request.



Q: How can Panorama monitor VPN session connection? Login/Logout session?

A: No, you need a siem to correlate the events.


Q: How can we decrypt?

A:  1. Make the Palo Alto a subordinate CA of your internal PKI.

  1. Set up the forward trust and untrust certs.
  2. Configure a decryption profile.
  3. Configure a decryption exclude profile above – you will break things without.
  4. Commit.

 A picture of two people having a discussion standing next to a table


Q: How can I use a “container” to automate a WM-100 installation?

A: Download Container from PAN website & install all data first!


Q: How can we stop Zero-Day Attack?

A: Defense in-depth. Traps (Endpoint Protection) is a good start. Anything else that disrupt the kill chain will slow or stop the complete breach (ex. Threat protection, URL filtering, etc.). Wildfire analysis can help with detection.


Q: SSL Decryption: What are overrides? How do we implement it?

A: Customer URL Policy.


Q: Auto focus: What added value does it give to Wildfire?

A: Auto focus is used to filter specifics within Wildfire DB.


Q: Can we search users by First name only?

A: Depends on your user ID agent and how your Active Directory is set up.


Q: Can HA1 (control of ports) be configured on NPC data ports of a 5250 firewall?

A: Yes.


Q: We have hundreds of PA firewalls managed by Panorama. Local admin accounts on the Global Template all “expire” after a while.

A: Use Radius or Kerberos or LDAP.


Q: Need to always block or remove Patient 0 from wildfire analysis with automated user ID’s of who received malware after Wildfire identified as bad. How do I do this?

A:  1. Traps

  1. Post-Mortem log analysis


Q: Can you create groups for countries for geo-location?

A: Country Groups are built-in. You can then create a group with multiple groups.


Q: Why are NAT configurations so complicated while migrating from Cisco ASA to PA?

A: Use the Migration Tool.


Q: How do I correlate FW + Traps logs?

A: Splunk.

Close-up image of the questions and answers on post-it notes 


Q: What are the best practices when implementing SSL Decryption?

A: 1. Get Management Support or it will never happen. 2. Identify supported browsers & OS’s. 3. Deploy CA from Palo Alto. 4. Deploy policy to test users. 4. Deploy policy to test users. 5. Test. 6. Deploy to everyone!


Q: How does Panarama work?

A: Panarama enables centralization policy and object management of PAN firewalls and NSP VMware.


Q: How do you use user-id for AWS workstations?

A: Integrate AD with user-id to populate workstation logins.


Q: Why does it take so long to commit on a PA-220 compared to a PA-5250?

A: 1 Board vs. 3 board. (the PA-200 only has 1 board that is responsible for all tasks, the PA-5250 has a dedicated management plan.


Q: We have deployed 220 PA. How can we manage them?

A: Panarama.


Q: Can I make my own power supply for a PA-220?

A: No.


Q: What is the best way to update URL database (PAN DB or BRIGHT CLOUD) on offline firewalls?

A: Service Route.


Q: Can you deploy PA VM series in HA mode in Azure?

A: No. You will deploy a scale (Auto) set.

 A picture of a group of male engineers having a discussion


Q: How can Panorama benefit multi-tenant MSPs Support their clients?

A: Single pane of glass from all PAN’s and vsys.


Q: What is the throughput of the PA 7050 with threat preventions turned on?

A: 60 Gbps.


Q: How do you test a new deployment prior to putting live production traffic through firewall?

A: If greenfield, then build nearest and leave more permitting temporary rule to the end to identify what you missed.

If migration with Palo Alto Networks in vwire mode to collect data. Also, check new migration tool to get rid of allow any/any rules.


Q: How can I review firewall log effectively?

A: Migration tool.


Q: Can we get customizable output from the migration tool?

A: The output from migration tool can be edited with text editor (Notepad, BBedit, textWrangler).


Q: Are multiple forests supported on clientless agents?

A: No, clientless only supports single domains.

The best option is to stand up Mongo servers with agents. Or use other sources like NAC/ISE.

 A picture of Joe Delio (left) and Tom Piens (right) standing in front of the question board


Q: How quickly can you migrate Juniper firewalls to Palo Alto?

A: Relatively quickly. You can use the Migration Tool to easily move from Juniper to Palo Alto


Q: When is URL analyzing with Wildfire and Proofpoint happening?

A: Proofpoint check s URL’s in emails before it enters your firewall. Wildfire as it passes through it.

Ask Questions Get Answers Join the Live Community