- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
Starting with Palo Alto Networks - What I wish I had known...
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- Re: Starting with Palo Alto Networks - What I wish I had known...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Starting with Palo Alto Networks - What I wish I had known...
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-24-2017 01:33 PM - edited 03-24-2017 01:57 PM
Beginnings are not always perfect. Whether you started your Palo Alto Networks journey years ago or just recently, tell us what you learned early on that you wish you had known before.
If there was one thing, or maybe more, Live Community users would love to hear about it. Share your stories, your tips to help other users along the way.
Read a tip you like, make sure to like it or let them know by commenting!
The most popular and helpful stories will get you a cool new Live Community t-shirt!
Looking forward to reading all the great stories!
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-11-2017 07:05 AM
I wish I had known how hard it is to import a firewall into Panorama. You buy your first firewall or two as you are not sure if the product is going to perform as promised. Then when it does perform as promised and you start to buy more you think "I should get Panorama and manage all of these in one location." So you buy Panorama and start working on importing them and boy what a task! I would LOVE it if the Panorama admins would create an import wizard. That would simply be amazing!
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-11-2017 10:33 AM
Hi @gefuchs, is the case you mention in your comment current? I could not find anything in the system but want to ensure if it is, we get to the bottom of it.
Christine
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-11-2017 10:40 AM - edited 05-16-2017 11:46 AM
Case 00662008
My opinion is that they are also adept at working the ticketing system. The SLA is that they will "respond" in 4 hours, so they put a comment in that meets that requirement. Followed by making other comments after my stated hours, such as "when can we call you?" , also resetting the reponse clock.
Update: Two more days in the life of case 662008. Nothing other than yet another "Will call tomorrow" update on Thursday, thus resetting the response clock. Brings to mind parts of songs. "The sound of silence", or to paraphrase Anne "I'll call you tomorrow". Thinking of starting a new thread titled "Tell us about your favorite support case".
Update 5/16 Two more days in the life of case 662008 with no response.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-11-2017 10:42 AM
What is the issue you having? Can the community help you do you think?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-11-2017 10:49 AM
@Wald, Do you know about the Migration Tool?
https://live.paloaltonetworks.com/t5/Migration-Tool/ct-p/migration_tool
The Migration tool can be used to move configurations between Firewalls, from Firewall to Panorama and from other vendors to Palo Alto. There are dicsussions, articles and blogs about the Migration tool.
I hope this helps!
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-11-2017 07:15 PM
Honestly I would say Palo TAC has taken a big nosedive recently. Seems like all the frontline employees either just stall or are purely gatekeepers. I don't use support often, just when something isn't behaving as documented, but more often than not recently I've been ver disappointed.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-11-2017 07:20 PM
I've always been afraid of this product and honestly trust my own scripts more. Why? Because the docs for it are too high level and don't give me enough detail on how configs are merged, replaced, overwritten, etc. I need to know exactly what will be pushed but its all so cryptic, especially for those of us that didn't start off managing our firewalls with this tool. All I want is shared object management for the most part.
I would use Panorama if it had a juniper-style | compare instead of what Palo has in the GUI and if there was a commit-confirm rollback.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-12-2017 07:50 AM - edited 06-18-2017 09:58 PM
I wish I knew there were so many free resources / tools online to work with and to learn from.
Palo Alto Networks – Learning Center
https://paloaltonetworks.csod.com/LMS/catalog/Welcome.aspx?tab_page_id=-67&tab_id=20000157
Palo Alto Networks – FREE ACE7 Accreditation training and exam
https://www.paloaltonetworks.com/services/education/ace
- Recommended FREE Trainings:
- Firewall 7.1: Install, Configure, and Manage (EDU-101)
- Firewall 7.1: Configure Extended Features (EDU-105)
- Panorama 7.1: Manage Multiple Firewalls (EDU-121)
- Firewall Install, Configure, and Manage (EDU-101) Lab Guide
- Firewall Install, Configure, and Manage (EDU-105) Lab Guide
PAN Cybersecurity Skills Practice Lab: https://www.paloaltonetworks.com/services/education/cybersecurity-skills-practice-lab and https://www.netdevgroup.com/online/content/paloalto/
Palo Alto Networks – PCNSE7 Exam
https://www.paloaltonetworks.com/services/education/pcnse
- Study Guide: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/PCNSE7Guide.p...
Palo Alto Networks – Live Community Portal
https://live.paloaltonetworks.com/
Palo Alto Networks – YouTube Live Community
https://www.youtube.com/channel/UCPRouchFt58TZnjoI65aelA
Palo Alto Networks – Technical Documentation
https://www.paloaltonetworks.com/documentation.html
Palo Alto Ignite 2017 Security Conference
https://ignite.paloaltonetworks.com/
Fuel User Group Chapter
https://www.fuelusergroup.org/l/li/?redir=p%2Fus%2Fin
Palo Alto Networks Tools:
Support Website: https://support.paloaltonetworks.com/SupportAccount/MyAccounts
WildFire Portal: https://wildfire.paloaltonetworks.com/wildfire/dashboard
App-ID Library: https://applipedia.paloaltonetworks.com/
URL Filtering Test Categories: https://urlfiltering.paloaltonetworks.com/TestASite.jsp
URL Filtering Category List (Outdated): https://urlfiltering.paloaltonetworks.com/CategoryList.jsp
URL Filtering Category List: (Newer): https://live.paloaltonetworks.com/t5/Management-Articles/Complete-List-of-PAN-DB-URL-Filtering-Categ...
Threat Database: https://threatvault.paloaltonetworks.com/
Security Advisories: https://securityadvisories.paloaltonetworks.com/
Technical Documentations: https://www.paloaltonetworks.com/documentation
Unit 42: https://www.paloaltonetworks.com/threat-research
Compatibility Matrix: https://www.paloaltonetworks.com/documentation/global/compatibility-matrix
Cyberpedia: https://www.paloaltonetworks.com/cyberpedia
Applipedia Mobile App: https://itunes.apple.com/app/applipedia/id324026420?mt=8
Cyber Canon: https://cybercanon.paloaltonetworks.com/
PAN Chat on Gitter: https://gitter.im/PaloAltoNetworks/pandevice
PAN Device Framework Overview: http://paloaltonetworks.github.io/pandevice/#/start
PAN Device Framework Documentation: http://pandevice.readthedocs.io/en/latest/
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-12-2017 08:50 AM
@ccscott wrote:Honestly I would say Palo TAC has taken a big nosedive recently. Seems like all the frontline employees either just stall or are purely gatekeepers. I don't use support often, just when something isn't behaving as documented, but more often than not recently I've been ver disappointed.
The frontline support appears very low end to me.
I don't even want to start on the issue of their lack of language comprehension.
Doing the normal remote session it's is appearant that someone in the background is helping them.
They pretty much just throw darts at the issue hoping to hit something.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-12-2017 12:49 PM
@jjb3k wrote:If I knew then what I know now.....
1. Use Panorama for (almost) everything. Building all objects, profiles, zones, and policies in Panorama has numerous manageability/scalability benefits. Other than network interfaces, virtual routers, and IPSec tunnels, build everything else in Panorama and push it to the firewalls.
2. Use nested device groups in Panorama to create a hierarchy for shared security policies. This allows a single rule, created once, to be applied to multiple firewalls.
3. Template grouping should be based on device model do to zone limitations. Device grouping should be based on function or purpose.
4. Using tags, and corresponding colors, in your security rules helps with visual grouping the rules, and can also help with searching and filtering.
This is something we're struggling with. How do you write Security Policies and NAT Policies in Panorama when each firewall uses different IPs for NAT and the Security Policies include the IPs in them?
On our FreeBSD firewalls, this was easy. We just used generic variables in our rules scripts such that the rules were the same across all the firewalls, with a separate/unique config file on each firewall that was read into the scripts (to populate the generic variables).
I have not found any way to do this in Panorama. Any pointers to documentation on best practises for this kind of setup would be nice. Having to touch 50 separate firewalls in order to add a new Security Policy is a bit of a pain. 🙂
Thanks,
Freddie
- Knowledge sharing: Containers (Docker, etc.), Kubernetes, Openshift, Palo Alto CN series container firewalls in General Topics
- Agentless User ID based network administration control using Windows AD server for PAN-OS in General Topics
- dataplane is not up or invalid target-dp | Upgrade from 9.0.15 to version 10.X in General Topics
- vm-series on azure - failing to start in VM-Series in the Public Cloud
- VM-50 SSL decryption in VM-Series in the Private Cloud
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
