03-24-2017 01:33 PM - edited 03-24-2017 01:57 PM
Beginnings are not always perfect. Whether you started your Palo Alto Networks journey years ago or just recently, tell us what you learned early on that you wish you had known before.
If there was one thing, or maybe more, Live Community users would love to hear about it. Share your stories, your tips to help other users along the way.
Read a tip you like, make sure to like it or let them know by commenting!
The most popular and helpful stories will get you a cool new Live Community t-shirt!
Looking forward to reading all the great stories!
05-11-2017 07:15 PM
Honestly I would say Palo TAC has taken a big nosedive recently. Seems like all the frontline employees either just stall or are purely gatekeepers. I don't use support often, just when something isn't behaving as documented, but more often than not recently I've been very disappointed.
05-11-2017 07:20 PM
I've always been afraid of this product and honestly trust my own scripts more. Why? Because the docs for it are too high level and don't give me enough detail on how configs are merged, replaced, overwritten, etc. I need to know exactly what will be pushed but it's all so cryptic, especially for those of us that didn't start off managing our firewalls with this tool. All I want is shared object management for the most part.
I would use Panorama if it had a Juniper-style | compare instead of what Palo has in the GUI and if there was a commit-confirm rollback.
05-12-2017 07:50 AM - edited 06-18-2017 09:58 PM
I wish I knew there were so many free resources / tools online to work with and to learn from.
Palo Alto Networks – Learning Center
https://paloaltonetworks.csod.com/LMS/catalog/Welcome.aspx?tab_page_id=-67&tab_id=20000157
Palo Alto Networks – FREE ACE7 Accreditation training and exam
https://www.paloaltonetworks.com/services/education/ace
PAN Cybersecurity Skills Practice Lab: https://www.paloaltonetworks.com/services/education/cybersecurity-skills-practice-lab and https://www.netdevgroup.com/online/content/paloalto/
Palo Alto Networks – PCNSE7 Exam
https://www.paloaltonetworks.com/services/education/pcnse
Palo Alto Networks – Live Community Portal
https://live.paloaltonetworks.com/
Palo Alto Networks – YouTube Live Community
https://www.youtube.com/channel/UCPRouchFt58TZnjoI65aelA
Palo Alto Networks – Technical Documentation
https://www.paloaltonetworks.com/documentation.html
Palo Alto Ignite 2017 Security Conference
https://ignite.paloaltonetworks.com/
Fuel User Group Chapter
https://www.fuelusergroup.org/l/li/?redir=p%2Fus%2Fin
Palo Alto Networks Tools:
Support Website: https://support.paloaltonetworks.com/SupportAccount/MyAccounts
WildFire Portal: https://wildfire.paloaltonetworks.com/wildfire/dashboard
App-ID Library: https://applipedia.paloaltonetworks.com/
URL Filtering Test Categories: https://urlfiltering.paloaltonetworks.com/TestASite.jsp
URL Filtering Category List (Outdated): https://urlfiltering.paloaltonetworks.com/CategoryList.jsp
URL Filtering Category List (Newer): https://live.paloaltonetworks.com/t5/Management-Articles/Complete-List-of-PAN-DB-URL-Filtering-Categ...
Threat Database: https://threatvault.paloaltonetworks.com/
Security Advisories: https://securityadvisories.paloaltonetworks.com/
Technical Documentation: https://www.paloaltonetworks.com/documentation
Unit 42: https://www.paloaltonetworks.com/threat-research
Compatibility Matrix: https://www.paloaltonetworks.com/documentation/global/compatibility-matrix
Cyberpedia: https://www.paloaltonetworks.com/cyberpedia
Applipedia Mobile App: https://itunes.apple.com/app/applipedia/id324026420?mt=8
Cyber Canon: https://cybercanon.paloaltonetworks.com/
PAN Chat on Gitter: https://gitter.im/PaloAltoNetworks/pandevice
PAN Device Framework Overview: http://paloaltonetworks.github.io/pandevice/#/start
PAN Device Framework Documentation: http://pandevice.readthedocs.io/en/latest/
05-12-2017 08:50 AM
@ccscott wrote: Honestly I would say Palo TAC has taken a big nosedive recently. Seems like all the frontline employees either just stall or are purely gatekeepers. I don't use support often, just when something isn't behaving as documented, but more often than not recently I've been very disappointed.
The frontline support appears very low end to me.
I don't even want to start on the issue of their lack of language comprehension.
Doing the normal remote session, it is apparent that someone in the background is helping them.
They pretty much just throw darts at the issue hoping to hit something.
05-12-2017 12:49 PM
@jjb3k wrote: If I knew then what I know now.....
1. Use Panorama for (almost) everything. Building all objects, profiles, zones, and policies in Panorama has numerous manageability/scalability benefits. Other than network interfaces, virtual routers, and IPSec tunnels, build everything else in Panorama and push it to the firewalls.
2. Use nested device groups in Panorama to create a hierarchy for shared security policies. This allows a single rule, created once, to be applied to multiple firewalls.
3. Template grouping should be based on device model due to zone limitations. Device grouping should be based on function or purpose.
4. Using tags, and corresponding colors, in your security rules helps with visually grouping the rules, and can also help with searching and filtering.
This is something we're struggling with. How do you write Security Policies and NAT Policies in Panorama when each firewall uses different IPs for NAT and the Security Policies include the IPs in them?
On our FreeBSD firewalls, this was easy. We just used generic variables in our rules scripts such that the rules were the same across all the firewalls, with a separate/unique config file on each firewall that was read into the scripts (to populate the generic variables).
I have not found any way to do this in Panorama. Any pointers to documentation on best practices for this kind of setup would be nice. Having to touch 50 separate firewalls in order to add a new Security Policy is a bit of a pain. 🙂
Thanks,
Freddie