Starting with Palo Alto Networks - What I wish I had known...


L4 Transporter

Beginnings are not always perfect.  Whether you started your Palo Alto Networks journey years ago or just recently, tell us what you learned early on that you wish you had known before. 

 

If there was one thing, or maybe more, Live Community users would love to hear about it.  Share your stories, your tips to help other users along the way.

 

Read a tip you like, make sure to like it or let them know by commenting!  

 

The most popular and helpful stories will get you a cool new Live Community t-shirt!

 


 

Looking forward to reading all the great stories!

 

@carnould

39 replies

Hi @DPoppleton, Could you check your inbox or spam folder? I sent you an email on 4/7.  If you can't find it, send me an email at carnould@paloaltonetworks.com.  Thanks! Christine

The difference between the FUEL Palo Alto User Group and LIVEcommunity?

L1 Bithead

I wish I had time to utilize all the CBT training resources available and build a cheap lab.

 

CBT Nuggets - good source of basic training

Udemy has some great training as well and it is cheap and easy to follow. 

 

Access to a long-term demo VMware version of PAN-OS for training would be helpful. I know we can get these through our sales channel, but I would love to get a good usable free VM to use with all options and limited connectivity.

 

Also, I came from a networking background but hear stories of information security folks who do not, and they have problems learning the networking basics. The ACE is decent but needs more teeth, and something like Network+ or CCNA-type certs should be required.

 

 

L4 Transporter

Wow - many things... I wish I knew then:

1 - Sys logs (not packet cap nor widgets) for VPN troubleshooting

2 - when reading Traffic logs - open the detailed view, then the bottom has the firewall policy - missed that the first 2-3 months

3 - reports are useful - there are many canned reports that I could schedule...

---side note - can't always make the custom report look like the canned report

4 - add widgets for anything you want to have a quick peek at

5 - ACC - build custom tabs to monitor tricky scenarios over many days/weeks

6 - VPN to Cisco not as easy as other vendors - fortunately there is a document for that

7 - new apps - started when we had 1000 or so - they keep coming, and if I'm not on top of them and reading the release notes I can easily/accidentally block something (default action) that we needed

8 - and a biggie - read the notes when a commit fails or succeeds and there is a bunch of words after.... commit succeeded but.......

9 - one I miss - no POLICY hit count - had that in other vendors

10 - not an easy way to see ip to user-ID in the GUI

 

Just a few off the top of my head - still enjoy working with these boxes though.

 

Oh, 2 more:

 

test policies and other items from the CLI - nice

sign up for the security notices from PAN, Fuel, Unit 42

 

Wish I had known you could open a medium priority support case and not get a response for over a week.

I wish I had known how hard it is to import a firewall into Panorama. You buy your first firewall or two as you are not sure if the product is going to perform as promised. Then when it does perform as promised and you start to buy more you think "I should get Panorama and manage all of these in one location." So you buy Panorama and start working on importing them and boy what a task! I would LOVE it if the Panorama admins would create an import wizard. That would simply be amazing!

Hi @gefuchs, is the case you mention in your comment current?  I could not find anything in the system but want to ensure if it is, we get to the bottom of it.

 

Christine

Case 00662008

 

My opinion is that they are also adept at working the ticketing system. The SLA is that they will "respond" in 4 hours, so they put in a comment that meets that requirement, followed by making other comments after my stated hours, such as "when can we call you?", also resetting the response clock.

 

Update: Two more days in the life of case 662008. Nothing other than yet another "Will call tomorrow" update on Thursday, thus resetting the response clock. Brings to mind parts of songs: "The Sound of Silence", or to paraphrase Anne, "I'll call you tomorrow". Thinking of starting a new thread titled "Tell us about your favorite support case".

 

Update 5/16: Two more days in the life of case 662008 with no response.

What is the issue you are having? Can the community help you, do you think?

@Wald, Do you know about the Migration Tool? 

https://live.paloaltonetworks.com/t5/Migration-Tool/ct-p/migration_tool

 

The Migration Tool can be used to move configurations between firewalls, from firewall to Panorama, and from other vendors to Palo Alto Networks. There are discussions, articles and blogs about the Migration Tool.

 

I hope this helps!

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Honestly, I would say Palo TAC has taken a big nosedive recently. It seems like all the frontline employees either just stall or are purely gatekeepers. I don't use support often, just when something isn't behaving as documented, but more often than not recently I've been very disappointed.

I've always been afraid of this product and honestly trust my own scripts more. Why? Because the docs for it are too high-level and don't give me enough detail on how configs are merged, replaced, overwritten, etc. I need to know exactly what will be pushed, but it's all so cryptic, especially for those of us that didn't start off managing our firewalls with this tool. All I want is shared object management for the most part.

 

I would use Panorama if it had a Juniper-style `| compare` instead of what Palo has in the GUI, and if there was a commit-confirm rollback.

I wish I knew there were so many free resources / tools online to work with and to learn from.

 

Palo Alto Networks – Learning Center

https://paloaltonetworks.csod.com/LMS/catalog/Welcome.aspx?tab_page_id=-67&tab_id=20000157

 

Palo Alto Networks – FREE ACE7 Accreditation training and exam

https://www.paloaltonetworks.com/services/education/ace

  • Recommended FREE Trainings:
    • Firewall 7.1: Install, Configure, and Manage (EDU-101)
    • Firewall 7.1: Configure Extended Features (EDU-105)
    • Panorama 7.1: Manage Multiple Firewalls (EDU-121)
    • Firewall Install, Configure, and Manage (EDU-101) Lab Guide
    • Firewall Install, Configure, and Manage (EDU-105) Lab Guide

PAN Cybersecurity Skills Practice Lab: https://www.paloaltonetworks.com/services/education/cybersecurity-skills-practice-lab and https://www.netdevgroup.com/online/content/paloalto/ 

 

Palo Alto Networks – PCNSE7 Exam

https://www.paloaltonetworks.com/services/education/pcnse

Palo Alto Networks – Live Community Portal

https://live.paloaltonetworks.com/

Palo Alto Networks – YouTube Live Community

https://www.youtube.com/channel/UCPRouchFt58TZnjoI65aelA

 

Palo Alto Networks – Technical Documentation

https://www.paloaltonetworks.com/documentation.html

 

Palo Alto Ignite 2017 Security Conference

https://ignite.paloaltonetworks.com/

 

Fuel User Group Chapter

https://www.fuelusergroup.org/l/li/?redir=p%2Fus%2Fin

 

Palo Alto Networks Tools:

Support Website: https://support.paloaltonetworks.com/SupportAccount/MyAccounts

WildFire Portal: https://wildfire.paloaltonetworks.com/wildfire/dashboard

App-ID Library: https://applipedia.paloaltonetworks.com/

URL Filtering Test Categories: https://urlfiltering.paloaltonetworks.com/TestASite.jsp

URL Filtering Category List (Outdated): https://urlfiltering.paloaltonetworks.com/CategoryList.jsp

URL Filtering Category List: (Newer): https://live.paloaltonetworks.com/t5/Management-Articles/Complete-List-of-PAN-DB-URL-Filtering-Categ...

Threat Database: https://threatvault.paloaltonetworks.com/

Security Advisories: https://securityadvisories.paloaltonetworks.com/

Technical Documentations: https://www.paloaltonetworks.com/documentation

Unit 42: https://www.paloaltonetworks.com/threat-research

Compatibility Matrix: https://www.paloaltonetworks.com/documentation/global/compatibility-matrix

Cyberpedia: https://www.paloaltonetworks.com/cyberpedia

Applipedia Mobile App: https://itunes.apple.com/app/applipedia/id324026420?mt=8

Cyber Canon: https://cybercanon.paloaltonetworks.com/

PAN Chat on Gitter: https://gitter.im/PaloAltoNetworks/pandevice

PAN Device Framework Overview: http://paloaltonetworks.github.io/pandevice/#/start

PAN Device Framework Documentation: http://pandevice.readthedocs.io/en/latest/

 


@ccscott wrote:

Honestly, I would say Palo TAC has taken a big nosedive recently. It seems like all the frontline employees either just stall or are purely gatekeepers. I don't use support often, just when something isn't behaving as documented, but more often than not recently I've been very disappointed.


The frontline support appears very low end to me.

I don't even want to start on the issue of their lack of language comprehension.

Doing the normal remote session, it is apparent that someone in the background is helping them.

They pretty much just throw darts at the issue hoping to hit something.


@jjb3k wrote:

If I knew then what I know now.....

 

1. Use Panorama for (almost) everything. Building all objects, profiles, zones, and policies in Panorama has numerous manageability/scalability benefits. Other than network interfaces, virtual routers, and IPSec tunnels, build everything else in Panorama and push it to the firewalls.

2. Use nested device groups in Panorama to create a hierarchy for shared security policies. This allows a single rule, created once, to be applied to multiple firewalls. 

3. Template grouping should be based on device model due to zone limitations. Device grouping should be based on function or purpose.

4. Using tags, and corresponding colors, in your security rules helps with visually grouping the rules, and can also help with searching and filtering.


This is something we're struggling with.  How do you write Security Policies and NAT Policies in Panorama when each firewall uses different IPs for NAT and the Security Policies include the IPs in them?

 

On our FreeBSD firewalls, this was easy.  We just used generic variables in our rules scripts such that the rules were the same across all the firewalls, with a separate/unique config file on each firewall that was read into the scripts (to populate the generic variables).

 

I have not found any way to do this in Panorama. Any pointers to documentation on best practices for this kind of setup would be nice. Having to touch 50 separate firewalls in order to add a new Security Policy is a bit of a pain. 🙂

 

Thanks,

Freddie
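The per-firewall variable approach described in the post above (one shared rule set with generic placeholders, one small config per firewall that fills them in), as an added example that is not part of the thread and is not Palo Alto Networks or Panorama code. It keeps the rule review to a single shared set and refuses to render a firewall whose config leaves a variable undefined, which is the failure mode that matters when fifty devices consume the same rules. The rule fields, variable names, firewall names and addresses are all constructed for illustration; mapping the rendered rules onto a real push mechanism is left out.

```python
"""Render per-firewall security and NAT rules from generic templates.

Added example, not from the thread or from Palo Alto Networks: it mirrors the
FreeBSD approach described in the post (generic variables in shared rules, one
per-firewall config that fills them in).  Rule fields, variable names and
addresses are constructed sample values.
"""
import re
from string import Template

# Shared rule templates: identical on every firewall, parameterised with
# ${var} placeholders that each firewall's config must define.
SECURITY_TEMPLATES = [
    {"name": "allow-web-inbound", "from": "untrust", "to": "dmz",
     "source": "any", "destination": "${web_public_ip}",
     "application": "web-browsing", "action": "allow"},
    {"name": "allow-mgmt", "from": "trust", "to": "dmz",
     "source": "${mgmt_subnet}", "destination": "${web_private_ip}",
     "application": "ssh", "action": "allow"},
]
NAT_TEMPLATES = [
    {"name": "dnat-web", "from": "untrust", "to": "untrust",
     "destination": "${web_public_ip}", "translated_to": "${web_private_ip}"},
]

# Per-firewall configs (constructed sample values); fw-site-c is deliberately
# incomplete to show how an undefined variable is caught before anything is pushed.
SITE_VARS = {
    "fw-site-a": {"web_public_ip": "203.0.113.10", "web_private_ip": "10.1.1.10",
                  "mgmt_subnet": "10.1.0.0/24"},
    "fw-site-b": {"web_public_ip": "198.51.100.20", "web_private_ip": "10.2.1.10",
                  "mgmt_subnet": "10.2.0.0/24"},
    "fw-site-c": {"web_public_ip": "192.0.2.30", "web_private_ip": "10.3.1.10"},
}

_PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def required_variables(templates):
    """Return the set of ${var} names referenced anywhere in the templates."""
    names = set()
    for rule in templates:
        for value in rule.values():
            names.update(_PLACEHOLDER.findall(value))
    return names


def missing_variables(templates, site_vars):
    """Variables a firewall's config does not define; non-empty means 'do not push'."""
    return sorted(required_variables(templates) - set(site_vars))


def render_rules(templates, site_vars):
    """Substitute per-firewall values into every field of every rule.

    Template.substitute raises KeyError on an undefined variable, so a
    half-rendered rule set can never be produced for a misconfigured site.
    """
    return [{k: Template(v).substitute(site_vars) for k, v in rule.items()}
            for rule in templates]


def render_site(firewall, site_vars=SITE_VARS):
    """Render both rulebases for one firewall, or report what blocks it."""
    variables = site_vars[firewall]
    missing = missing_variables(SECURITY_TEMPLATES + NAT_TEMPLATES, variables)
    if missing:
        return {"firewall": firewall, "error": f"undefined variables: {missing}"}
    return {"firewall": firewall,
            "security": render_rules(SECURITY_TEMPLATES, variables),
            "nat": render_rules(NAT_TEMPLATES, variables)}


if __name__ == "__main__":
    for fw in SITE_VARS:
        result = render_site(fw)
        if "error" in result:
            print(f"{fw}: {result['error']}")
            continue
        for rule in result["security"] + result["nat"]:
            print(f"{fw}: {rule}")
```

The check in `render_site` runs before any substitution, so a site with an incomplete config produces an error record rather than a partially rendered rulebase; the same shared templates are what a reviewer reads once, and the per-site files are the only thing that differs between firewalls.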
