This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Starting with Palo Alto Networks - What I wish I had known...

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Starting with Palo Alto Networks - What I wish I had known...

carnould
L4 Transporter

‎03-24-2017 01:33 PM - edited ‎03-24-2017 01:57 PM

Beginnings are not always perfect.  Whether you started your Palo Alto Networks journey years ago or just recently, tell us what you learned early on that you wish you had known before. 

 

If there was one thing, or maybe more, Live Community users would love to hear about it.  Share your stories, your tips to help other users along the way.

 

Read a tip you like, make sure to like it or let them know by commenting!  

 

The most popular and helpful stories will get you a cool new Live Community t-shirt!

 

live t-shirt.jpg

 

Looking forward to reading all the great stories!

 

@carnould

2 people had this problem.
37 REPLIES 37

ccscott
L2 Linker
In response to BPry

‎05-11-2017 07:15 PM

Honestly I would say Palo TAC has taken a big nosedive recently. Seems like all the frontline employees either just stall or are purely gatekeepers. I don't use support often, just when something isn't behaving as documented, but more often than not recently I've been ver disappointed. 

ccscott
L2 Linker
In response to oscaringosv

‎05-11-2017 07:20 PM

I've always been afraid of this product and honestly trust my own scripts more. Why? Because the docs for it are too high level and don't give me enough detail on how configs are merged, replaced, overwritten, etc. I need to know exactly what will be pushed but its all so cryptic, especially for those of us that didn't start off managing our firewalls with this tool. All I want is shared object management for the most part. 

 

I would use Panorama if it had a juniper-style | compare instead of what Palo has in the GUI and if there was a commit-confirm rollback. 

0 Likes Likes

acc6d0b3610eec313831f7900fdbd235
L4 Transporter

‎05-12-2017 07:50 AM - edited ‎06-18-2017 09:58 PM

I wish I knew there were so many free resources / tools online to work with and to learn from.

 

Palo Alto Networks – Learning Center

https://paloaltonetworks.csod.com/LMS/catalog/Welcome.aspx?tab_page_id=-67&tab_id=20000157

 

Palo Alto Networks – FREE ACE7 Accreditation training and exam

https://www.paloaltonetworks.com/services/education/ace

  • Recommended FREE Trainings:
    • Firewall 7.1: Install, Configure, and Manage (EDU-101)
    • Firewall 7.1: Configure Extended Features (EDU-105)
    • Panorama 7.1: Manage Multiple Firewalls (EDU-121)
    • Firewall Install, Configure, and Manage (EDU-101) Lab Guide
    • Firewall Install, Configure, and Manage (EDU-105) Lab Guide

PAN Cybersecurity Skills Practice Lab: https://www.paloaltonetworks.com/services/education/cybersecurity-skills-practice-lab and https://www.netdevgroup.com/online/content/paloalto/ 

 

Palo Alto Networks – PCNSE7 Exam

https://www.paloaltonetworks.com/services/education/pcnse

Palo Alto Networks – Live Community Portal

https://live.paloaltonetworks.com/

Palo Alto Networks – YouTube Live Community

https://www.youtube.com/channel/UCPRouchFt58TZnjoI65aelA

 

Palo Alto Networks – Technical Documentation

https://www.paloaltonetworks.com/documentation.html

 

Palo Alto Ignite 2017 Security Conference

https://ignite.paloaltonetworks.com/

 

Fuel User Group Chapter

https://www.fuelusergroup.org/l/li/?redir=p%2Fus%2Fin

 

Palo Alto Networks Tools:

Support Website: https://support.paloaltonetworks.com/SupportAccount/MyAccounts

WildFire Portal: https://wildfire.paloaltonetworks.com/wildfire/dashboard

App-ID Library: https://applipedia.paloaltonetworks.com/

URL Filtering Test Categories: https://urlfiltering.paloaltonetworks.com/TestASite.jsp

URL Filtering Category List (Outdated): https://urlfiltering.paloaltonetworks.com/CategoryList.jsp

URL Filtering Category List: (Newer): https://live.paloaltonetworks.com/t5/Management-Articles/Complete-List-of-PAN-DB-URL-Filtering-Categ...

Threat Database: https://threatvault.paloaltonetworks.com/

Security Advisories: https://securityadvisories.paloaltonetworks.com/

Technical Documentations: https://www.paloaltonetworks.com/documentation

Unit 42: https://www.paloaltonetworks.com/threat-research

Compatibility Matrix: https://www.paloaltonetworks.com/documentation/global/compatibility-matrix

Cyberpedia: https://www.paloaltonetworks.com/cyberpedia

Applipedia Mobile App: https://itunes.apple.com/app/applipedia/id324026420?mt=8

Cyber Canon: https://cybercanon.paloaltonetworks.com/

PAN Chat on Gitter: https://gitter.im/PaloAltoNetworks/pandevice

PAN Device Framework Overview: http://paloaltonetworks.github.io/pandevice/#/start

PAN Device Framework Documentation: http://pandevice.readthedocs.io/en/latest/

 

gefuchs
L2 Linker
In response to ccscott

‎05-12-2017 08:50 AM

@ccscott wrote:

Honestly I would say Palo TAC has taken a big nosedive recently. Seems like all the frontline employees either just stall or are purely gatekeepers. I don't use support often, just when something isn't behaving as documented, but more often than not recently I've been ver disappointed. 

The frontline support appears very low end to me.

I don't even want to start on the issue of their lack of language comprehension.

Doing the normal remote session it's is appearant that someone in the background is helping them.

They pretty much just throw darts at the issue hoping to hit something.

0 Likes Likes

fjwcash
L4 Transporter
In response to jjb3k

‎05-12-2017 12:49 PM

@jjb3k wrote:

If I knew then what I know now.....

 

1. Use Panorama for (almost) everything. Building all objects, profiles, zones, and policies in Panorama has numerous manageability/scalability benefits. Other than network interfaces, virtual routers, and IPSec tunnels, build everything else in Panorama and push it to the firewalls.

2. Use nested device groups in Panorama to create a hierarchy for shared security policies. This allows a single rule, created once, to be applied to multiple firewalls. 

3. Template grouping should be based on device model do to zone limitations. Device grouping should be based on function or purpose.

4. Using tags, and corresponding colors, in your security rules helps with visual grouping the rules, and can also help with searching and filtering.

This is something we're struggling with.  How do you write Security Policies and NAT Policies in Panorama when each firewall uses different IPs for NAT and the Security Policies include the IPs in them?

 

On our FreeBSD firewalls, this was easy.  We just used generic variables in our rules scripts such that the rules were the same across all the firewalls, with a separate/unique config file on each firewall that was read into the scripts (to populate the generic variables).

 

I have not found any way to do this in Panorama.  Any pointers to documentation on best practises for this kind of setup would be nice.  Having to touch 50 separate firewalls in order to add a new Security Policy is a bit of a pain.  🙂

 

Thanks,

Freddie

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks