#GetAnswers from Kim / kiwi: Q&A from Ignite

by 2 weeks ago - last edited 2 weeks ago (1,405 Views)

I've posted a set of additional questions and answers below. The answers were provided by customers and visitors at the Live booth. They may not be the 'best' answers for your situation, but I encourage everyone to expand upon the answers in the comments section below.


These are broken up per category.


Questions were written on yellow paper and answers on blue paper; the last column of the table was the topic. Each entry below is shown as Q (question), A (answer) and Topic.

1) Q: What PA product can be used to replace Bluecoat ThreatPulse?
   A: GlobalProtect and the URL filtering offered by PAN-DB would be similar.

2) Q: How many vsys are supported on one [PA-3050?][PA-5050?] and if I don't have Panorama, how can I [provide] admin [support] for it?
   A: 25 vsys; provide admin support for Panorama from the firewall GUI.

3) Q: What are the benefits of Aperture over Microsoft ASM for securing Office 365?
   A: The largest benefit is much better malware detection by leveraging WildFire. ASM's anti-malware capabilities are weak compared to competitors.
   Topic: Aperture

4) Q: What is the best way to parse XML from the API?
   A: Use the ElementTree XML Python module.
   Topic: API

5) Q: What's the recommended naming scheme to follow when creating security policies?
   A: There is none. Just decide on one that suits your environment and use it consistently for your rules. If all else fails, keep it simple. Kim's favorite way is to use tags.
   Topic: Best Practices

6) Q: How can we achieve multifactor authentication with GlobalProtect? What about biometric security, like fingerprints?
   A: Yes, MFA & OTP are supported.
   Topic: GlobalProtect

7) Q: If I choose GlobalProtect cloud service to protect my remote users, how will the connection speed be from the user-experience standpoint? Will it be transparent for them?
   A: GlobalProtect cloud connects to the closest cloud resource for optimized speed.
   Topic: GlobalProtect

8) Q: Why does the 'show users' on the GlobalProtect Gateway disappear?
   A: It doesn't disappear. It shows on the GUI for the current or previous users.
   Topic: GlobalProtect

9) Q: Is it possible for the PAN-OS 8.0 clientless VPN to be used to access internal network resources, e.g. a router or server?
   A: Yes, it is possible.
   Topic: GlobalProtect

10) Q: Does LightCyber receive information from HP ArcSight? I mean logs from different tools like Symantec Messaging Gateway?
   A: Not yet, but the functionality may come at a future date via access to the API for the new logging.
   Topic: LightCyber

11) Q: In 7.x, can I set URL blocks to critical rather than informational so my SIEM will see critical drops?
   A: No, but you can use the new log forwarding filters in PAN-OS 8.0 to solve this problem.
   Topic: Log Forwarding

12) Q: How do you exclude legacy AV files created in the temp folder during on-demand/on-access scans which are detected in Traps as threats?
   A: Whitelisting is possible in the DB according to a KB article (Whitelist Local Analysis & WildFire).
   Topic: Management

13) Q1: How do you convince leadership to start hardening security? Q2: What is the least intrusive way to begin SSL inspection?
   A1: You must discuss the technical risk in terms of business risk; things that biz leaders can understand. Signed, Rick Howard, CSO, Palo Alto Networks.
   A2: Start with outbound SSL inspection using a CA cert for all outbound traffic. Then you can begin working on inbound SSL. Easy to do if you set the certs right.

14) Q: How does multifactor authentication work in a network through Palo Alto Networks [firewalls?]
   A: You can use existing MFA authentication through a third-party provider, through Okta RADIUS in 7.0 or SAML in 8.0.
   Topic: Management

15) Q: Commit is giving the error "Threat database handler failed." Can someone help me?
   A: Usually caused by a corrupt AV signature DB or content DB. A manual AV install from the CLI should fix it. If it still fails, reach out to support, who can manually remove the corrupt files.
   Topic: Management

16) Q: Why am I getting ERROR: FAILED TO HANDLE TDB_UPDATE_BLOCK?
   A: You need to install content version 708-4066.
   Topic: Management

17) Q: How can I accurately assign a risk score to a custom app?
   A: Assess the custom app for risk by looking at what other data sources the app is connecting to and how secure those apps are, how sensitive the data is if compromised, and the overall impact if lost.
   Topic: Management

18) Q: How do you use dynamic tags to identify a host with malware?
   A: Create a tag with the abnormal characteristics of an exploit; this then identifies C2S traffic. E.g.: Tag = Port 80 + bad.com user ==> Tag ---> PaloAlto:Detect.
   Topic: Management

19) Q: How do you configure SSL intercept/decryption?
   A: First set up your cert, then set up a cert profile, then create a decryption policy based on categories or on source and destination.
   Topic: Management

20) Q: How do you prevent phishing attacks against a specific group of AD users in a PAN NGFW?
   A: Turn on User-ID in URL filtering and add to your AD. You can set rules based on app/site to allow, block, alert, etc.
   Topic: Management

21) Q: How do I automate tasks using external dynamic lists?
   A: MineMeld and AutoFocus policies.
   Topic: Management

22) Q: How do you solve the issue of Palo Alto Networks firewalls blocking Oracle redirect sessions (port-based policy)?
   A: Create a custom App-ID and apply policy to redirect the session based on application, not ports.
   Topic: Management

23) Q: Define how UBA algorithms work to find insider threats.
   A: Using LightCyber sensors to monitor user activities, including network traffic; these would entail finding insider threats.
   Topic: Management

24) Q: Can I get Duo TFA for SSH?
   A: Do SSL decrypt instead.
   Topic: Management

25) Q: What is the default password for Palo Alto Networks firewalls?
   A: admin/admin, but be sure to change it! :-)
   Topic: Management

26) Q: The traffic log shows 'threat' for an activity but the threat log does not show any of this. What 'threat' is reported in the traffic log?
   A: Threat logs show if it is blocked by AV, spyware or IPS. You can enable AV, spyware and IPS on a specific rule, download virus-infected files from …..org download (http sample), and check the log in the threat logs.
   Topic: Management

27) Q: Why can't I create a dynamic host object from the FW's port and use it in rule policies? (FW using DHCP addresses on 'untrust')
   A: This is a feature we are looking at for a future release - DDNS.
   Topic: Management

28) Q: How do I take in a 3rd party's info via "symbol = M in circle"? I tried using MineMeld and I can manage IPs via "symbol = M in circle" (O365). But I'm not sure how to use information (e.g. threats arranged through a 3rd party) via MineMeld. Do you have any text on Live Community?
   A: On Live Community there are good discussions. Check Live > Tools > MineMeld > MineMeld discussions. For some of the best information: https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld/
   Topic: MineMeld

29) Q: When upgrading Panorama to 8.0, why do NGFW system logs stop populating in PAN...?
   A: New database architecture. All old logs need to be converted after upgrading Panorama to 8.0, or check log forwarding profiles.
   Topic: Panorama

30) Q: When will there be support for multi-user on Panorama? [When will Panorama support multiple users?]
   A: PAN-OS 8.0
   Topic: Panorama

31) Q: When reverting changes in Panorama, how granular can you get?
   A: With 8.0 admin commits, you can roll back specific changes so long as you have not committed all; only commit changes specifically.
   Topic: Panorama

32) Q1: How does Traps compare to traditional AV? Q2: What is the best way to deploy?
   A1: Traps is an AEP (Advanced Endpoint Protection) focused on finding exploitation techniques.
   A2: Do a full deployment over all the endpoints. Also be sure how many ESMs you will use. Use SSL between endpoints and the ESM. Be sure that the partner is a 'CPSP' and certified on Traps.

33) Q: How does Traps differ from regular AV in reporting of memory/CPU usage?
   A: Traps doesn't use traditional AV scanning/definitions. The combination of ML, WildFire and behavioural analysis results in detection/reporting of even unknown threats based on actual behavior. Traps also has much lower HDD/CPU/RAM usage compared to traditional AV.
   Topic: Traps

34) Q: How can we integrate Traps with VirusTotal?
   A: MineMeld! Plus WildFire already knows what VirusTotal knows (mostly). You could reverify using the AutoFocus API (verified by Traps experts).
   Topic: Traps

35) Q: Is it possible to add a trusted publisher in Traps with the GUI?
   A: No! Only possible through a change in the SQL DB.
   Topic: Traps

36) Q: Does version 8.x require an update from earlier 7.x User-ID agents for compatibility?
   A: No, it is not required, but it's the best practice.
   Topic: User-ID

37) Q: LDAP refresh rate? Where do I set it?
   A: User-ID > Group Mapping > Update interval.
   Topic: User-ID

38) Q: Is there a way to use a group ID or AD security group? It appears we can also use an AD security group when building a policy, but the monitor/traffic logs only filter on user-id, which is restricting specific formatting?
   A: You can use an AD group in a policy, but the log will print user IDs, not the AD group. You can still use the group in your policy. You will need to add the AD group to the group mapping tab in the User-ID setup on the Device tab.
   Topic: User-ID

39) Q: For an environment of 50 users and a PA-200, what type of User-ID would be preferred, agent or agentless, and why?
   A: Depends on whether it is an AD environment where you can get the info easily. Agentless is normally the preferred way for less management, but you could use an agent as well.
   Topic: User-ID

40) Q: Are there plans to add an SNMP trap receiver to PAN-OS? If not, what is the best way to get user-->IP mappings from Cisco WLCs?
   A: No, not yet --> next gen. The WLC is using RADIUS auth or Windows. Auth will get your user mappings after you add the agent to the RADIUS server.
   Topic: User-ID

41) Q: How do I configure User-ID to block phishing sites in PAN-OS 8.0?
   A: Configure User-ID as described in the white paper. Purchase a URL filtering license and block all phishing sites for all known users.
   Topic: User-ID

42) Q: How many concurrent VPN connections does the PA-3050 support?
   A: Site-to-site: 3000; IKE peers: 2000; GlobalProtect: 7000; clientless: 250; 500,000 concurrent connections (FW sessions).
   Topic: VPN

43) Q: How many different VPN tunnels? [We have many different firewalls -- can we make peer VPN tunnels?]
   A: Depends on model: PA-7080 max site-to-site 8000/12000; PA-5260 max 15000; PA-5250 max 12000; PA-5060 max 8000; PA-3060 max 3000; PA-850 max 2000; PA-200 max 25. (1) Scripting with Ansible, (2) manually on the physical firewall.
   Topic: VPN

44) Q: Why is there no support for IKE alternate gateways?
   A: The newest firewall version, PAN-OS 8.0.2, can accomplish this.
   Topic: VPN

45) Q: For WildFire false positives, can I manually override while waiting for a reclassification request?
   A: Only for Traps within the ESM. Admin override lets you change the verdict.
   Topic: WildFire
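An added example, not part of Kim's post or of the booth answers above, tying together Q4 (parse the XML API with ElementTree), Q5 (tag-based rule naming) and Q18 (dynamic tags): it validates the `<response status="...">` envelope before reading anything, pulls fields out of a show-system-info reply and a rulebase, and builds the `<uid-message>` register payload used to attach tags to an IP. The XML replies are constructed to mirror the documented PAN-OS API shapes (an assumption, not captures from a firewall), and the hostname, rule names, IPs and tag names are made up.

```python
"""Added example: PAN-OS XML API parsing with ElementTree plus a User-ID
register payload for dynamic tags.  The XML samples are constructed to
mirror the documented API reply shapes; names, IPs and tags are invented."""
import xml.etree.ElementTree as ET

# Constructed reply to type=op&cmd=<show><system><info/></system></show>
SYSTEM_INFO_OK = """<response status="success">
  <result><system>
    <hostname>pa-3050-edge</hostname>
    <ip-address>10.0.0.1</ip-address>
    <sw-version>8.0.2</sw-version>
    <app-version>708-4066</app-version>
  </system></result>
</response>"""

# Constructed reply to a call made with a bad API key.
API_ERROR = """<response status="error" code="403">
  <result><msg>Invalid credentials.</msg></result>
</response>"""

# Constructed reply to type=config&action=get on the security rulebase.
RULEBASE = """<response status="success" code="19">
  <result total-count="1" count="1"><rules>
    <entry name="allow-web">
      <from><member>trust</member></from>
      <to><member>untrust</member></to>
      <application><member>web-browsing</member><member>ssl</member></application>
      <action>allow</action>
      <tag><member>internet</member><member>reviewed</member></tag>
    </entry>
    <entry name="block-c2">
      <from><member>any</member></from>
      <to><member>any</member></to>
      <application><member>any</member></application>
      <action>deny</action>
    </entry>
  </rules></result>
</response>"""


class PanApiError(Exception):
    """The firewall reported status="error", or the XML is not an API reply."""


def parse_response(xml_text):
    """Validate the <response> envelope and return its <result> element.
    An HTTP 200 can still carry status="error"; reading <result> blindly hides that."""
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        raise PanApiError("unexpected root element <%s>" % root.tag)
    if root.get("status") != "success":
        msg = root.find(".//msg")          # error text, sometimes split into <line>s
        text = "".join(msg.itertext()).strip() if msg is not None else "(no message)"
        raise PanApiError("code=%s %s" % (root.get("code"), text))
    result = root.find("result")
    if result is None:
        raise PanApiError("success response without <result>")
    return result


def api_status(xml_text):
    """(ok, message) form of parse_response for callers that poll in a loop."""
    try:
        parse_response(xml_text)
        return True, ""
    except PanApiError as exc:
        return False, str(exc)


def system_info(xml_text):
    """Flatten the <system> children of a show-system-info reply into a dict."""
    return {c.tag: (c.text or "").strip() for c in parse_response(xml_text).find("system")}


def rules_by_tag(xml_text, tag):
    """Names of security rules carrying a given tag (the tag-based scheme from Q5)."""
    result = parse_response(xml_text)
    return [e.get("name") for e in result.iterfind("rules/entry")
            if tag in [m.text for m in e.iterfind("tag/member")]]


def untagged_rules(xml_text):
    """Rules with no <tag> at all: a quick consistency check on the naming scheme."""
    result = parse_response(xml_text)
    return [e.get("name") for e in result.iterfind("rules/entry") if e.find("tag") is None]


def register_tag_payload(ip, tags):
    """Build the <uid-message> body sent with type=user-id to register IP-to-tag
    mappings (dynamic address group membership, Q18).  Tag names are illustrative."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    register = ET.SubElement(ET.SubElement(msg, "payload"), "register")
    tag_el = ET.SubElement(ET.SubElement(register, "entry", ip=ip), "tag")
    for t in tags:
        ET.SubElement(tag_el, "member").text = t
    return ET.tostring(msg, encoding="unicode")


def registered_tags(payload_xml):
    """Inverse of register_tag_payload: {ip: [tags]} parsed back from a uid-message."""
    root = ET.fromstring(payload_xml)
    return {e.get("ip"): [m.text for m in e.iterfind("tag/member")]
            for e in root.iterfind("payload/register/entry")}


if __name__ == "__main__":
    print(system_info(SYSTEM_INFO_OK))
    print(api_status(API_ERROR))
    print(rules_by_tag(RULEBASE, "internet"), untagged_rules(RULEBASE))
    print(register_tag_payload("10.1.1.23", ["malware-c2"]))
```

The payload from `register_tag_payload` is what you would POST as the `cmd` parameter with `type=user-id` and your API key; a rule whose source is a dynamic address group matching that tag then catches the host without a commit. The envelope check in `parse_response` is the part worth keeping in any script, since the API returns errors inside a well-formed 200 reply.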


As always, we welcome all comments and questions below. If you see an answer you'd like to expand upon, please feel free to do so.


For more Ignite 2017 questions from @reaper and @jdelio, please see the following links:

#GetAnswers from Joe / jdelio: Q&A from Ignite

#GetAnswers from Tom / reaper: Q&A from Ignite 


Thanks for reading,

