A Fall/Autumn Question: What is your favorite Palo Alto Networks feature?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

A Fall/Autumn Question: What is your favorite Palo Alto Networks feature?

L7 Applicator

A wrap of our summer question leads into fall or autumn, as your preference may be, wherein we ask:

 

What is your favorite Palo Alto Networks feature?

Did it help solve a problem you were facing?

 

As a former support engineer, I always like to hear when customers arrive at that a-ha moment of understanding or discovery, when the firewall does something simple and basic, or amazing and extraordinary, but always in time to solve a problem.

 

I'm looking forward to hearing which feature(s) of the firewall most tickle your fancy. I've got a few of my own... You first.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!
25 REPLIES 25

Cyber Elite
Cyber Elite

I've got a few.

 

Wildfire

While you surely can't rely on wildfire for everything, I get a large amount of alerts throughout the day from users downloading dumb things, or actively seeing SMTP traffic that I can make sure was actively blocked by our spam gateway. It's amazing how much stuff Wildfire catches that I act upon on a daily basis, and how much traffic it stops throughout the day so that it doesn't even get onto the users machine. (Pair this with Traps and you have a winning combination) 

 

DoS/Zone Protection:

It's amazing to me how easy this feature is to configure, but yet it's one of the least utilized features on the firewall when you actually start talking to other Palo Alto customers. Most people think this is some incredibly hard thing to configure, and really if you take your time it's stupid easy. 

 

URL Filtering:

This is a fairly simple thing, but I love it from a feature prospective. I can ensure that any known malicious URLs aren't visited, and get a report everyday of those that did manage to visit a malicious URL. This used to be something that you had to manage another appliance for, and now it just ties right into your firewalls so that you can manage it just like you would anything else. Again a stupid easy feature, but one where I'll see people with active licenses not understand how it functions and do things like not include a profile in the correct security policies so that it actually functions. 

L7 Applicator

Tha ability to have two default gateways.

 

we have dedicated pa’s for globalprotect and dedicated pa’s for internet access.

 

the globalprotect portal and gateway addresses can be within the external virtual router with an isp default gateway but the vpn tunnel interface can be within the internal virtual router and import a default gateway via ospf.

 

so... all vpn traffic not destined for the private network (we don’t allow split tunneling) is sent via the dedicated internet pa’s.

 

 

L7 Applicator

Too many to list! 

 

One of my favorites is the Unified Log Viewer.  It's so nice to be able to quickly determine the source of blocked traffic.  (Security policy?  Vulnerability Signature?  WildFire signature?  File Blocking?  Data Filtering?  Spyware?  DNS?  URL Category?  etc.)  

 

I'll use a query in the unified log viewer such as:

  (addr in x.x.x.x) and (action neq alert) and (action neq allow) and (app neq quic) and (app neq teredo)

 

You could easily substitute the app neq quic/teredo with a rule name for 'known' blocked applications.  I use (addr in x.x.x.x) because I'm interested to see what was blocked regardless of directionality.  This catches the "outbound FTP" application logs, but also the "inbound file download" via that outbound FTP connection.  

 

I highly recommend adding the Session ID column to the Unified Log Viewer output.  That way you can fan out from a blocked log by filtering for that session ID and seeing which parts were permitted vs denied.  

 

One example:  I had a problem with Windows Updates a while ago.  With a single query, the Unified Log Viewer surfaced a security policy that permitted windows updates but had a strict file blocking profile attached, which was blocking certain "required" file types from being downloaded.  

L2 Linker
Really it’s awesome product, I hope I don’t forget any of amazing features that Palo Alto Firewalls can provide to us.

#Visibility and control
# Users activity reports
# URL Filtering
# File Blocking

And more....
Just in one rule I can define and use all of this features.

#allow source user ( User-ID) to access a specific destination IP using a specific applications (App-ID) over some (Services or URL Category) and allow him only for downloading a specific file (File Blocking) like (zip, msi, exe etc..) for a period of time (Schedule ) and keeps the user activity logs at start or end and forward logs to my SIEM solution.
Fawaz El-Diasti
PCNSE 7, ACE PAN-OS 6.1, 7.0, 8.0

L2 Linker

I like the URL filtering category even though it has caused me some issues every now and then. The threat and wildfire submissions helped us track down some problematic packets a few times as well. I'd really live to dive more into the decryption and QoS features but haven't had time to learn how to properly implement them yet.

L3 Networker

Hi There, 

 

For troubleshooting the Palo's features are second to none. 

4 stages of the pcaps, flow basic and counters produces indisputable logs for an issue being a palo's fault or an upstream device. More often than not its the later 🙂 

The techncial support file for a recap of what happened after an event is very useful for explaining why something occcurred. 

 

Cheers

 

Rob 

L2 Linker

A few ones:

#Credential Detection

#Unified Log view

#Tunnel Inspection 

L1 Bithead

The OFF button!

 

Twenty five years in the firewall and network game and I've never had so much frustruation and exasperation with any piece of kit as I have with these Palo Altos. I've used Fortigates, Watchguards, Sidewinders and even been known to roll me own using iptables and none of them have been as confusing and illogical as these boxes.

 

Three years experience with Palo Altos and I still don't grok them! Nothing more pleasing than to switch them off;-)

L4 Transporter

The USB port, so that I can charge my phone when working overtime fixing stuff....

@BPry

for me there is a fear factor involving DoS/Zone Protection, I envisions choosing too low a session number and slamming the door on all traffic. But I am going to put it in soon

@jdprovine,

If implemented correctly there is actually little worry that you would sever traffic, as you can work with the alert value until you feel confortable enough to actually implement an Activate and Max connection rate. 

L1 Bithead

It's hard to pick just one!

 

I love the grainualarity of the security policies - I can filter for individual IP's, users, applications, zones, times ... to allow just what I want to allow, to whom I want to allow it, where I want to allow it, and at the time I want to allow it. 

 

The geofilter is nice and does massive amounts of "heavy lifting" filtering out nonsense. 

 

The packet capture feature is a bit (a bit?) rough around the edges but functions well enough to be one of my favorite features. 

 

The filtering in the logs is wonderful ... not so much in the session viewer but functional none the less. 

L0 Member

Sounds basic but cloning is by far one of my favorite features.  Prior to pulling all of our firewalls into Panorama it was limited to similiar rules to get started but once we were under the Panorama umbrella, Wow!  How cool it was to define a block of rules then clone them across multiple firewalls.  A few rule name clean-up and zone changes and your all set.

 

My next favorite feature is the ablitity to use the PAN Configurator.  Again with the help of Panorama it's been amazing to be able to update a rule set across multiple firewalls with a few one liners on the PAN Configurator command prompt.  Even grabbing a rule set across all my firewalls at once to view in an easy to read spreadsheet is huge.

L1 Bithead

I like the ability to disable/enable VPN Phase I and II.

  • 15140 Views
  • 25 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!