#GetAnswers from Tom / reaper: Q&A from Ignite


Ignite brought us many different questions and answers posted on the wall of #GetAnswers.

There were so many questions that we (the Community Engineers) first picked our favorites and posted those right after Ignite ended, and now we're posting the leftover questions, as they may be of interest or could spark some discussion.

If you missed out on what happened at Ignite, please check out the blogs at https://live.paloaltonetworks.com/t5/Ignite-Blog/bg-p/Ignite2017_Blog

Disclaimer: The answers provided are from customers and visitors at the booth, so they may not be the 'best' answer (we did vet them for accuracy); feel free to add your own answer or take in the comments section below.



Q = question (written on the yellow paper), A = answer (written on the blue paper)

1) Q: Why do logs only show one vsys interface instead of listing all different vsys?
   A: That's a config problem. Logs are usually shown for ALL vsys!

2) Q: Why is GlobalProtect free for some clients (laptops, wks) but not for mobile devices, tablets, & phones?
   A: Because laptops/PC/Mac/ws work on a user license while mobile devices require device licenses. (By default, you get 5 (??) free device licenses).

3) Q: How do I use a certificate to authenticate my iOS clients to GlobalProtect?
   A: You can specify the portal & gateway authentication to use certs, but you may need an MDM solution to deploy the certificates for you. Note that mobile devices require a gateway license!

4) Q: When will we see support for exclude split tunneling in GlobalProtect?
   A: It is available with PAN-OS 8.0.

5) Q: When will Palo Alto Networks have commit confirm? Auto-rollback?
   A: Through the XML API, you can create a Python script easily to find the commit job for each commit, so that you can monitor the job till it is complete.

6) Q: I manually shut down an interface. Why am I not seeing that in syslog?
   A: It was already down / config change --> informational severity won't show in syslog.

7) Q: How do you measure throughput of a Palo Alto Networks firewall after enabling all feature sets like (TP, WF, URL, and GP)?
   A: There are different options: (1) SNMP (2) NetFlow.

8) Q: Can dynamic external lists be configured to pull from non-HTTP/S such as SMB or SQL?
   A: Yes, it will block for non-HTTP also.

9) Q: How do I check if an application needs to have dependency apps?
   A: You can find that information within the App Object or application.

10) Q: How can we exactly calculate the SSL decryption throughput of the Palo Alto Networks firewall?
    A: You cannot calculate it, since every company has a different mix of traffic and ciphers. The only way to find this out is via a POC. PANW and your distributor will be happy to help you with this.

11) Q: How do I get throughput data on an interface, including historical data, not using SNMP?
    A: (1) QoS provides historical data (2) SNMP can provide data also.

12) Q: Does PAN-OS support EIGRP?
    A: PAN-OS does not support EIGRP; it is Cisco proprietary.

13) Q: How to block or control communication on interfaces between different virtual routers?
    A: You can use multiple VSYS and then use external zones.

14) Q: Why can't system logs be 'per vsys'?
    A: Because system is host.

15) Q: When will Palo Alto Networks support IPv6 in OSPF?
    A: IPv6 is supported in OSPFv3 on PAN-OS 7.0.4.

16) Q: Is it possible to use command line or PowerShell to open other VPN clients to a remote host?
    A: More details are required for this, but it may be possible with different vendors' VPN if there are multiple NICs to establish the VPN tunnel. More details are needed.

17) Q: What does packet buffer protection actually do?
    A: Helps protect from DDoS.

18) Q: How can I send logs per signature rather than per severity?
    A: You cannot with 7.x. Yes with 8.x.

19) Q: What is the best practice when transitioning from traditional network design to a zero trust model? Where to start?
    A: Greenfield if you can. If that's not possible, work in stages and take your time. If you have the equivalent of an IP Any Any, look at monitor for that threat rule and start adding more specific rules using the observed traffic. If you have/have not been doing L7, then make both an L4 and an L7 rule and treat the L7 as needed until traffic no longer hits the L4 rule. If you haven't been doing threat, URL, etc., turn on a subset and test before using on all your rules.

20) Q: How is Palo Alto Networks different from CheckPoint, ASA, Juniper, etc.? (1) Don't want to know about SP3. (2) Is there any other difference?
    A: CheckPoint, Cisco, Juniper do NOT have: (1) credential theft check; (2) the ability to commit to all the firewalls, differentiated by user; (3) PAN can upload to the WildFire sandbox in 5 minutes, almost real time.

21) Q: How to properly deploy decryption and not destroy my network?
    A: Start with one test user. Use global counters to identify the issue: show counter global filter delta yes severity drop -- plus add filters to limit which IPs are matched by global counters.

22) Q: When can we use App-Override?
    A: App Override works well when you don't have a detailed understanding of the contents of the session, but can identify Layer 3 info. BE CAREFUL. It short circuits the packet inspection path. You won't get normal App-ID, and features like threat protection are disabled. Use custom app signatures, if possible, when you need those.

23) Q: What's the best practice to protect DNS service?
    A: Allow DNS via the application of DNS and not the port. Only allow DNS to/from DNS servers.

24) Q: How many aggregate interfaces can I configure on my system?
    A: Each chassis supports up to 8 aggregate interfaces.

25) Q: How do you know if an attack is targeted?
    A: Look at AutoFocus: how often it sees the same attack on others.

26) Q: How can PAN-DB block adult images on non-English versions of craigslist?
    A: Make a custom category and 'whitelist'/'blacklist' the domain names of all craigslist groups.

27) Q: Can PAN-OS 8.0 prevent data leakage on Gmail personal & corporate emails?
    A: Not yet supported, but should be a feature request or part of the roadmap.

28) Q: What is the best way to utilize the migration tool when using Panorama to manage firewalls?
    A: The migration tool can import and export to device groups and templates in Panorama. You can also import from a different product and export that to a Panorama device group.

29) Q: Can I use Panorama to forward system logs from firewalls to a logging server via SNMP?
    A: No!!

30) Q: What is the purpose of a separate log collector when the Panorama VM appliance already does a log collecting and managing function?
    A: The reason for that hierarchical structure is performance and scalability. When you have dedicated log collectors, they take the load off the management box and allow it to stay responsive for management tasks.

31) Q: Is reporting more stable when running 8.0.x Panorama with 7.1.x gateways?
    A: According to PAN, reporting in Panorama has significantly improved in V8 (still waiting before I upgrade).

32) Q: Do you find that the throughput numbers listed in the spec sheets are pretty true to real life experience?
    A: Yes, in reality, the throughput is much higher than in the datasheet.

33) Q: Does Traps run on OSX?
    A: Yes!

34) Q: Can Traps prevent PowerShell from running or connecting to a website outside of my perimeter firewall?
    A: No, because Traps is not able to detect if the client is internal or external. But you can use GP to create a logical perimeter. Use always-on VPN with full tunnel.

35) Q: For Traps: After moving the ESM from the POC environment to the production environment, the servers show unlicensed while all workstations have automatically picked up the licenses.
    A: Delete the ESM from the monitor tab and check in from the ESM Traps client.

36) Q: Does User-ID now have support for pulling logged-in users from the ManageEngine Desktop Central database?
    A: The User-ID agent needs to be installed on each desktop server (@reaper: this should actually be the Terminal Server Agent).

37) Q: How can you synchronize User-ID with AD without changing Captive Portal every time?
    A: You can extract AD logging log data and populate User-ID via a panagent host.


As always, we welcome all comments and questions below. If you see an answer you'd like to expand upon, please feel free to do so.


For more Ignite2017 questions from @kiwi and @jdelio, please see the following links:

#GetAnswers from Joe / jdelio: Q&A from Ignite

#GetAnswers from Kim / kiwi: Q&A from Ignite 


Reaper out.
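Answer 5 above suggests polling the commit job over the XML API from a Python script. The script below is an added example (not code from the original post or from Palo Alto Networks) of that polling loop: it issues a commit, reads the job id out of the reply, and polls show jobs id until the status is FIN. The firewall host, API key and the sample XML replies are constructed for illustration; the request shapes follow the PAN-OS XML API.

```python
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample replies (shape follows the PAN-OS XML API; values are made up).
COMMIT_RESPONSE = ('<response status="success" code="19"><result><msg><line>Commit job '
                   'enqueued with jobid 42</line></msg><job>42</job></result></response>')
JOB_RUNNING = ('<response status="success"><result><job><id>42</id><type>Commit</type>'
               '<status>ACT</status><result>PEND</result><progress>55</progress></job></result></response>')
JOB_DONE = ('<response status="success"><result><job><id>42</id><type>Commit</type>'
            '<status>FIN</status><result>OK</result><progress>100</progress></job></result></response>')

def parse_commit_job_id(xml_text):
    """Return the job id from a type=commit reply; raise if the commit was not enqueued."""
    root = ET.fromstring(xml_text)
    job = root.findtext("./result/job")
    if root.get("status") != "success" or job is None:
        raise RuntimeError("commit not enqueued: " + (root.findtext(".//line") or xml_text))
    return job

def parse_job_status(xml_text):
    """Return (status, result, progress) from a <show><jobs><id>N</id></jobs></show> reply."""
    job = ET.fromstring(xml_text).find("./result/job")
    if job is None:
        raise RuntimeError("no job element in reply")
    return job.findtext("status"), job.findtext("result"), job.findtext("progress")

def wait_for_job(fetch_status, job_id, poll_seconds=5, timeout=900):
    """Poll until status is FIN and return the job result ("OK" or "FAIL")."""
    deadline = time.monotonic() + timeout  # fetch_status(job_id) returns raw show-jobs XML
    while True:
        status, result, progress = parse_job_status(fetch_status(job_id))
        if status == "FIN":
            return result
        if time.monotonic() > deadline:
            raise TimeoutError("job %s still %s at %s%%" % (job_id, status, progress))
        time.sleep(poll_seconds)

def api_call(host, key, params):
    """POST one request to the firewall's XML API endpoint and return the response body."""
    data = urllib.parse.urlencode(dict(params, key=key)).encode()
    with urllib.request.urlopen("https://%s/api/" % host, data=data, timeout=30) as resp:
        return resp.read().decode()

def commit_and_wait(host, key):
    """Issue a commit and block until its job finishes (host and key are assumed inputs)."""
    job_id = parse_commit_job_id(api_call(host, key, {"type": "commit", "cmd": "<commit></commit>"}))
    show = lambda j: api_call(host, key, {"type": "op", "cmd": "<show><jobs><id>%s</id></jobs></show>" % j})
    return wait_for_job(show, job_id)
```

The management interface's certificate must be trusted by the host running the script (urllib verifies TLS by default), which is one more reason to install a CA-signed certificate on the management interface rather than disabling verification.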


by kairoosto

How can I recategorize a survey URL that the firewall is categorizing for me as financial?


@kairoosto, if you want to "recategorize" a URL yourself, then you can always create a Custom URL group, and then use that in a rule BEFORE any rule to block that traffic (with the URL Categorization profile). That should do what you need it to do.
