Final round of Q&As from Ignite '18

by ‎06-01-2018 03:23 AM - edited ‎06-04-2018 02:28 PM (3,379 Views)

Q: How do I set up HA with two different ISPs?

A: Equal Cost Multi Path (ECMP) or Policy Based Forwarding (PBF).

 

Q: Why can’t I send my GlobalProtect Cloud Service logs to Splunk?

A: This is a product road map question. Please talk with your SE about this..

 

Q: How can I identify a custom application ie ring app on Android?

A: Packet capture, create custom application based on the data pattern of signatures found in the capture.

 

Q: What is DOS policy?

A: A rule that protects a resource (server) by applying a DOS profile (syn flood, etc.)

 

Q:. How is DOS profile different from DOS policy?

A:. There is none. You would use the DOS profile in the policy.

 

Q: When will destination NAT entry be FQDN and not IP only? Used in AWS for ELB.

A: In PAN-OS 8.1, DNAT supports FQDN address objects.

 

Q: What MFA solutions do you support for GlobalProtect?

A: OKTA Duo.

 

Q; How to create nodes in MineMeld with an API call?

A: Send an email to LMORI@paloaltonetworks.com

 

Q: What is required to make a custom App-ID work?

A: Packet captures and lots of them. Find a regularly appearing pattern of data that reliably appears in all sessions.

 

Refine to a signature that’s accurate enough to identify app but not cause a false positive. Plug this into a custom app config.

 

 

Q: How does malware protection work?

A: In Traps, based on behavior.

In the firewall, based on signature and WildFire verdict.

WildFire verdict is based on result of sandbox analysis.

Also, may other factors are taken into account, like DNS resolution, malicious URLs, etc.

 

Q: Why does dynamic updates check fail 1-2 times a day?

A: DNS issue troubleshooting.

 

Q: Why GlobalProtect Cloud Service instead of hardware?

A: It is a SaaS solution. No hardware to deal with.

 

Q: Talking about VM Series, can DVM and OoenStack do live migration?

A: No live migration.

 

Q: Does Traps support LINUX?

A: Yes.

 

Q: Will Traps still be available in-house vs cloud after the next version?

A: Yes.

 

Screen Shot 2018-06-01 at 2.42.15 AM.pngQUESTION: What is a tap interface? ANSWER: A passive interface in promiscuous mode.

 

 

Q: What does a TAP interface do and how does it work? 
A: TAP interface is used to get a copy of all traffic across the designated port. Any interface can be a TAP interface except management. Take a look at Reaper's extensive coverage of tap interface in

What's a TAP interface and what can it do?

 

 

Q: Is there a limit to how may VPN sessions can be active at a time before performance is degraded for VPN users only?

A: That’s a loaded question! J Depends on WAN bandwidth, LAN bandwidth, CPU, and memory on your Palo Alto Networks device.

 

Q: What is maximum URL cache size to save during a reboot?

A: Cache is cleared on reboot.

 

Q: Why can only tech support delete package files that end up clogging the disk space? Deletion of package files should be automatic.

A: Some files live in protected partitions. Update to a new PAN-OS version.

 

Q: How do you assess your firewall’s security policies?

A: Rules are assessed left to right and top down.

 

Q: How to make the firewall in A/A mode.

A: Bad idea. Use A/P. There’s really no benefit to A/A except asymmetric routing.

 

Q: How can I implement SSL Decryption with least impact to user base?

A: Active directory certificate authority to have trusted CA sign a decrypt cert.

 

Q: How do I used a PA-220 at my house with an IPTV multicast TV provider?

A: In your virtual router, make sure you multicast on the interface in your LAN. It needs to function as an IGMP querier for proper multicast forwarding.

 

Q: Will Panorama respect the content update ‘delay’ scheduled for each individual firewall?

A: Yes, it does.

 

Q: Will Traps ever do device control? Blocking / Permit specific USB data storage devices?

A: No, just blocks the exe program on the connected device.

 

Q: What’s the maximum acceptable latency between Panorama in HA?

A: < 500 ms recommended.

 

Q: Why does the PA-500 have problems trying to upgrade the physical memory?

A: Buy a PA-850! Best upgrade ever!

Editeur: Ah, but we like that answer! :-)

 

Q: What are best practices for captive portal?

A: Use redirect mode instead of transparent. Better to have redirect interface as one of the firewall interfaces.

 

Q: How does AutoFocus work with MineMeld?

A: MineMeld is a node and AutoFocus is a threat intel that ties to MineMeld. MineMeld can be used to update EDLs on firewalls.

 

Q: What is AutoFocus?

A: AutoFocus is a context-based threat intelligence service used for analysis and correlation.

 

Q: Can DNS proxy replace the blue coat proxies?

A: Yes, for DNA queries.

 

Q: Will SSL decryption take a hit on my network performance?

A: Yes, it depends on the platform.

 

Q: Is it true that the Palo Alto Networks firewall needs to see 3 packets exchanged between 2 endpoints to consider the traffic to be a session? Does this apply to UDP traffic (such as DNS) as well?

A: Yes, the NGFW considers 3 packets as a session and puts it in the session table.

 

Q: How do I ask a question in the Live Community?

A: There are several ways to ask a question:

 

  • Ask a question below an existing article or blog.
  • If you are a customer, contact our support team and ask your question there.
  • Go to our discussion forum and ask you questions. The forum is very active and both employees and Palo Alto Networks customers are active on the forum:

https://live.paloaltonetworks.com/t5/General-Topics/bd-p/members_discuss

 

Q: How do we do it?

A: We get by with a little help from our friends.

Comments
by fgarcia_distecna
3 weeks ago

Q: Where can I get the black mesa sticker?


Ask Questions Get Answers Join the Live Community