Community Blog

The latest from the great wall of knowledge at Ignite

by ‎05-24-2018 12:39 PM - edited ‎06-01-2018 03:32 AM (6,386 Views)

We offer more questions and answers from the great wall of knowledge at Ignite. Adding to 'live' technical knowledge at the booth is Karthik Prakash, a very seasoned and experienced engineer on the escalation team at Palo Alto Networks.


karthik_work.jpgKarthik works a discussion with an Ignite attendee.joe_tom.jpgJoe and Tom share technical insight.


Q:  How do I search group monitoring rules?

  • Is global find available in API?
  • Is packed mode or IP-based service available?
  • Is there a way to disable not-used rules?
  • Do you have find and replace for address objects or groups? 

A: Use the search bar at the top of the rule base to match any string or use search functions to search builder and sign to the right.



Q:  How can I implement User-ID without AD agents -- 


  • Clientless / agentless
  • Captive Portal
  • SML
  • Syslog

User-ID allows you to match up an IP address with a username.


Q: Can Traps support cert-based white listing?

A: No, you can white list based on file name or path. Try using policy rules instead.


Q: Can you integrate authentication (auth) policies with AD?

A: Enable User-ID and add an LDAP server.


Q: How do you ship logs to multiple destinations from a collector?

A: Panorama

Manager / log  collector

Log collector forward


Q: When will you have or show unused objects?

A: PAN-OS 8.1


Q: How do you enable domain password blocking from being used outside your organization?

A: User must VPN in or use a third-party tool.


Q: How can routing protocols better protect a network?

A: Routing provides segregation of network segments.


Q: How do I fine tune my UTM for stricter rules?

A: Create different policy groups (high, med, low), and apply to policies as needed.


Q: What is the total FQDN objects a PA220 can take or hold?

A: 2000


Q: When will Panorama NOT auto select all device groups, templates, and log collectors when you push to device in Panorama? Is this possible to disable? 

A: With 8.0, it no longer does that. We are on 8.06h3 and it only selects the appropriate device groups now.



Q: How do I configure IPSec tunnel inside a Palo Alto Networks firewall? 

A: In your Network tab, create an interface.

  • Create tunnel interface
  • Create PKI phase 1
  • Create IPSec config
  • Apply policies to allow traffic
  • Add routes for internal and external traffic
  • Commit


Screen Shot 2018-05-05 at 8.50.21 PM.pngBe sure to get your Ignite '18 badge. If you didn't stop by the booth at Ignite, be sure to drop me a line to let me know you were here!


More to come.
















Ask Questions Get Answers Join the Live Community