A wrap of our summer question leads into fall or autumn, as your preference may be, wherein we ask:
What is your favorite Palo Alto Networks feature?
Did it help solve a problem you were facing?
As a former support engineer, I always like to hear when customers arrive at that a-ha moment of understanding or discovery, when the firewall does something simple and basic, or amazing and extraordinary, but always in time to solve a problem.
I'm looking forward to hearing which feature(s) of the firewall most tickle your fancy. I've got a few of my own... You first.
I've got a few.
While you surely can't rely on wildfire for everything, I get a large amount of alerts throughout the day from users downloading dumb things, or actively seeing SMTP traffic that I can make sure was actively blocked by our spam gateway. It's amazing how much stuff Wildfire catches that I act upon on a daily basis, and how much traffic it stops throughout the day so that it doesn't even get onto the users machine. (Pair this with Traps and you have a winning combination)
It's amazing to me how easy this feature is to configure, but yet it's one of the least utilized features on the firewall when you actually start talking to other Palo Alto customers. Most people think this is some incredibly hard thing to configure, and really if you take your time it's stupid easy.
This is a fairly simple thing, but I love it from a feature prospective. I can ensure that any known malicious URLs aren't visited, and get a report everyday of those that did manage to visit a malicious URL. This used to be something that you had to manage another appliance for, and now it just ties right into your firewalls so that you can manage it just like you would anything else. Again a stupid easy feature, but one where I'll see people with active licenses not understand how it functions and do things like not include a profile in the correct security policies so that it actually functions.
Tha ability to have two default gateways.
we have dedicated pa’s for globalprotect and dedicated pa’s for internet access.
the globalprotect portal and gateway addresses can be within the external virtual router with an isp default gateway but the vpn tunnel interface can be within the internal virtual router and import a default gateway via ospf.
so... all vpn traffic not destined for the private network (we don’t allow split tunneling) is sent via the dedicated internet pa’s.
Too many to list!
One of my favorites is the Unified Log Viewer. It's so nice to be able to quickly determine the source of blocked traffic. (Security policy? Vulnerability Signature? WildFire signature? File Blocking? Data Filtering? Spyware? DNS? URL Category? etc.)
I'll use a query in the unified log viewer such as:
(addr in x.x.x.x) and (action neq alert) and (action neq allow) and (app neq quic) and (app neq teredo)
You could easily substitute the app neq quic/teredo with a rule name for 'known' blocked applications. I use (addr in x.x.x.x) because I'm interested to see what was blocked regardless of directionality. This catches the "outbound FTP" application logs, but also the "inbound file download" via that outbound FTP connection.
I highly recommend adding the Session ID column to the Unified Log Viewer output. That way you can fan out from a blocked log by filtering for that session ID and seeing which parts were permitted vs denied.
One example: I had a problem with Windows Updates a while ago. With a single query, the Unified Log Viewer surfaced a security policy that permitted windows updates but had a strict file blocking profile attached, which was blocking certain "required" file types from being downloaded.
I like the URL filtering category even though it has caused me some issues every now and then. The threat and wildfire submissions helped us track down some problematic packets a few times as well. I'd really live to dive more into the decryption and QoS features but haven't had time to learn how to properly implement them yet.
For troubleshooting the Palo's features are second to none.
4 stages of the pcaps, flow basic and counters produces indisputable logs for an issue being a palo's fault or an upstream device. More often than not its the later 🙂
The techncial support file for a recap of what happened after an event is very useful for explaining why something occcurred.
The OFF button!
Twenty five years in the firewall and network game and I've never had so much frustruation and exasperation with any piece of kit as I have with these Palo Altos. I've used Fortigates, Watchguards, Sidewinders and even been known to roll me own using iptables and none of them have been as confusing and illogical as these boxes.
Three years experience with Palo Altos and I still don't grok them! Nothing more pleasing than to switch them off;-)
It's hard to pick just one!
I love the grainualarity of the security policies - I can filter for individual IP's, users, applications, zones, times ... to allow just what I want to allow, to whom I want to allow it, where I want to allow it, and at the time I want to allow it.
The geofilter is nice and does massive amounts of "heavy lifting" filtering out nonsense.
The packet capture feature is a bit (a bit?) rough around the edges but functions well enough to be one of my favorite features.
The filtering in the logs is wonderful ... not so much in the session viewer but functional none the less.
Sounds basic but cloning is by far one of my favorite features. Prior to pulling all of our firewalls into Panorama it was limited to similiar rules to get started but once we were under the Panorama umbrella, Wow! How cool it was to define a block of rules then clone them across multiple firewalls. A few rule name clean-up and zone changes and your all set.
My next favorite feature is the ablitity to use the PAN Configurator. Again with the help of Panorama it's been amazing to be able to update a rule set across multiple firewalls with a few one liners on the PAN Configurator command prompt. Even grabbing a rule set across all my firewalls at once to view in an easy to read spreadsheet is huge.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!