Got Questions? Get Answers!

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member

Each year, after Ignite, we have a whole bunch of great questions, a handful of strange ones, and usually a few unanswered ones. We feel that we owe it to the community to get as close as we can to a 100% reply rate, so here are a few unanswered questions and my attempt at answering to the best of my ability.


Ignite '19 QuestionsIgnite '19 Questions


1. Is there Expedition training?

YES! There was a webinar. Check the Palo Alto Networks website.

Actually, the webinar page currently doesn't have any Expedition webinars.
That said, make sure to bookmark our webinar page. You never know when an Expedition webinar might pop up there. In the meantime, there's plenty of information and guides on our Expedition portal page: Welcome to Expedition.


2. What is Zero Trust?

Trust no packet!

Default drop anything.

Where to start... There is plenty of information on this topic!
Check out  Zero Trust information here to get you started:
Zero Trust - Never trust, always verify
Reducing Risk with Zero Trust and Best Practices
What is a Zero Trust Architecture?
5 Steps to Zero Trust


3. How do I use BPA to improve my security posture?

Generate a BPA file and submit via the portal to get started.

Run the Best Practice Assessment (BPA) to evaluate your security posture and prioritize improvements. Use technical documentation to take the next steps to implement those improvements and transition safely to a best practice state without risking the availability of critical applications. Run the BPA again to measure progress and prioritize the next set of security improvements, use the documentation to implement the improvements, and repeat the cycle until you reach your security goals. Security best practices reduce the attack surface, increase visibility into network traffic, prevent known and unknown attacks, and protect what’s most valuable to your business—proprietary source code, sensitive company and customer data, critical infrastructure—whatever gives your company a competitive advantage.
Check out our transition to best practices :
Reach Your Security Goals with the BPA


4. As a new Palo Alto Networks customer, how can Fuel help?

Fuel is a customer-led user group. Fuel can answer questions about topics such as:

  • SSL Decrypts
  • Deploy Firewall
  • Tips & Tricks
  • Local Fuel chapter meetings

With Fuel membership, you’re plugged into a community of thousands of Palo Alto Networks users with endless opportunities to advance your knowledge and your career.
Don’t miss your chance to join Fuel User Group at its upcoming Spark User Summits where you’ll hear directly from Palo Alto Networks about the latest product updates, share lessons learned with fellow Palo Alto Networks users, and get in-depth discussions on the industry’s hottest topics like mobile and cloud security.
Visit the FUEL User Group for more information.

5. Is updating to PAN-OS 9.0 recommended yet?


Let me nuance this answer a little bit. PAN-OS 9.0 hasn't reached the maturity level of some of our other software branches yet. If you absolutely need some of the new PAN-OS 9.0 features, then you can, of course, go ahead and download and install it. With that said, as with any new software versions, you might be experiencing some early bugs. There have been some discussion and blogs about why you should or should not upgrade to the latest (greatest?) software version.

Check out the following links on this topic:

Customers only may access this resource: PAN-OS Software Release Guidance


6. What is the best feature of PAN-OS 9.0?

  • Policy Optimizer
  • GRE Tunnels

Obviously, this depends on the actual feature that you need. With that said, the above answers are indeed awesome new features. ^_^

Check out what's new in PAN-OS 9.0:
PAN-OS® New Features Guide

7. Is it a good idea to use a [VM-Series] firewall to secure a hardware environment?

While this is possible, it is not recommended.

Can it be done? Yes.
Is it a good idea? That's an opinion, I guess. 🙂
Hardware can leverage hardware offloading and purpose built chipsets, which equals speed gains. If you don't have room for hardware, you could use a VM-Series solution.


8. What is the impact of decryption on throughput?

It doesn't impact the throughput but CPU/memory utilization of the firewall.

It also depends on your hardware. For some models, decryption is being done in software as compared to hardware on the bigger Palo Alto Networks firewalls.


- Kiwi out!! 

L0 Member



I have configured route aggregate in bgp to advertise 10.100/16  and its working - Peer is receiving 10.100/16 in routing table . I have to advertise along with 10.100/16 summary routes to peers. 


I tried creating suppress filter and not taking effect - Can you help as how to advertise small subnet along with summary routes in bgp.




L7 Applicator

@Senthilkumar1 ,

Please post a new discussion in the General Topics area ( about this issue. 



L0 Member

Hello team. I'm in need to renew the licenses of a PA-220  LAB registered under my PA account, who is familiar with this  that can help me.  thanks in advance.

Cyber Elite
Cyber Elite


Please contact your sales team.



L0 Member

Thanks for your response @OtakarKlier I need help from someone else. Who sold this is not responding or helping . I'm looking for other way to buy the licenses renewal. Thanks 

L4 Transporter

@JPizarro4 Please copy the question/request over to the General Topics area: and it will be more likely you'll get someone to reach out to help with this issue. Thanks!

Register or Sign-in
Top Liked Authors