cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Starting with Palo Alto Networks - What I wish I had known...

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Highlighted
Wald
L2 Linker
‎05-11-2017 07:05 AM
‎05-11-2017 07:05 AM

I wish I had known how hard it is to import a firewall into Panorama. You buy your first firewall or two as you are not sure if the product is going to perform as promised. Then when it does perform as promised and you start to buy more you think "I should get Panorama and manage all of these in one location." So you buy Panorama and start working on importing them and boy what a task! I would LOVE it if the Panorama admins would create an import wizard. That would simply be amazing!

Reply
Highlighted
carnould
L4 Transporter
‎05-11-2017 10:33 AM
‎05-11-2017 10:33 AM

Hi @gefuchs, is the case you mention in your comment current?  I could not find anything in the system but want to ensure if it is, we get to the bottom of it.

 

Christine

0 Likes
Reply
Highlighted
gefuchs
L2 Linker
‎05-11-2017 10:40 AM
‎05-11-2017 10:40 AM

Case 00662008

 

My opinion is that they are also adept at working the ticketing system.  The SLA is that they will "respond" in 4 hours, so they put a comment in that meets that requirement. Followed by making other comments  after my stated hours, such as "when can we call you?"  , also resetting the reponse clock.

 

 Update:  Two more days in the life of case 662008. Nothing other than yet another "Will call tomorrow" update on Thursday, thus resetting the response clock.  Brings to mind parts of songs.  "The sound of silence", or to paraphrase Anne "I'll call you tomorrow".  Thinking of starting a new thread titled "Tell us about your favorite support case".

 

Update 5/16 Two more days  in the life of case 662008 with no response.

0 Likes
Reply
Highlighted
TranceforLife
L6 Presenter
‎05-11-2017 10:42 AM
‎05-11-2017 10:42 AM

What is the issue you having?  Can the community help you do you think?

Reply
Highlighted
jdelio
Community Team Member
‎05-11-2017 10:49 AM
‎05-11-2017 10:49 AM

@Wald, Do you know about the Migration Tool? 

https://live.paloaltonetworks.com/t5/Migration-Tool/ct-p/migration_tool

 

The Migration tool can be used to move configurations between Firewalls, from Firewall to Panorama and from other vendors to Palo Alto.  There are dicsussions, articles and blogs about the Migration tool. 

 

I hope this helps!

Stay Secure,
Joe
End of line
Reply
Highlighted
ccscott
L1 Bithead
‎05-11-2017 07:15 PM
‎05-11-2017 07:15 PM

Honestly I would say Palo TAC has taken a big nosedive recently. Seems like all the frontline employees either just stall or are purely gatekeepers. I don't use support often, just when something isn't behaving as documented, but more often than not recently I've been ver disappointed. 

Reply
ccscott
L1 Bithead
‎05-11-2017 07:20 PM
‎05-11-2017 07:20 PM

I've always been afraid of this product and honestly trust my own scripts more. Why? Because the docs for it are too high level and don't give me enough detail on how configs are merged, replaced, overwritten, etc. I need to know exactly what will be pushed but its all so cryptic, especially for those of us that didn't start off managing our firewalls with this tool. All I want is shared object management for the most part. 

 

I would use Panorama if it had a juniper-style | compare instead of what Palo has in the GUI and if there was a commit-confirm rollback. 

0 Likes
Reply
Highlighted
Willian
L4 Transporter
‎05-12-2017 07:50 AM
‎05-12-2017 07:50 AM

I wish I knew there were so many free resources / tools online to work with and to learn from.

 

Palo Alto Networks – Learning Center

https://paloaltonetworks.csod.com/LMS/catalog/Welcome.aspx?tab_page_id=-67&tab_id=20000157

 

Palo Alto Networks – FREE ACE7 Accreditation training and exam

https://www.paloaltonetworks.com/services/education/ace

  • Recommended FREE Trainings:
    • Firewall 7.1: Install, Configure, and Manage (EDU-101)
    • Firewall 7.1: Configure Extended Features (EDU-105)
    • Panorama 7.1: Manage Multiple Firewalls (EDU-121)
    • Firewall Install, Configure, and Manage (EDU-101) Lab Guide
    • Firewall Install, Configure, and Manage (EDU-105) Lab Guide

PAN Cybersecurity Skills Practice Lab: https://www.paloaltonetworks.com/services/education/cybersecurity-skills-practice-lab and https://www.netdevgroup.com/online/content/paloalto/ 

 

Palo Alto Networks – PCNSE7 Exam

https://www.paloaltonetworks.com/services/education/pcnse

Palo Alto Networks – Live Community Portal

https://live.paloaltonetworks.com/

Palo Alto Networks – YouTube Live Community

https://www.youtube.com/channel/UCPRouchFt58TZnjoI65aelA

 

Palo Alto Networks – Technical Documentation

https://www.paloaltonetworks.com/documentation.html

 

Palo Alto Ignite 2017 Security Conference

https://ignite.paloaltonetworks.com/

 

Fuel User Group Chapter

https://www.fuelusergroup.org/l/li/?redir=p%2Fus%2Fin

 

Palo Alto Networks Tools:

Support Website: https://support.paloaltonetworks.com/SupportAccount/MyAccounts

WildFire Portal: https://wildfire.paloaltonetworks.com/wildfire/dashboard

App-ID Library: https://applipedia.paloaltonetworks.com/

URL Filtering Test Categories: https://urlfiltering.paloaltonetworks.com/TestASite.jsp

URL Filtering Category List (Outdated): https://urlfiltering.paloaltonetworks.com/CategoryList.jsp

URL Filtering Category List: (Newer): https://live.paloaltonetworks.com/t5/Management-Articles/Complete-List-of-PAN-DB-URL-Filtering-Categ...

Threat Database: https://threatvault.paloaltonetworks.com/

Security Advisories: https://securityadvisories.paloaltonetworks.com/

Technical Documentations: https://www.paloaltonetworks.com/documentation

Unit 42: https://www.paloaltonetworks.com/threat-research

Compatibility Matrix: https://www.paloaltonetworks.com/documentation/global/compatibility-matrix

Cyberpedia: https://www.paloaltonetworks.com/cyberpedia

Applipedia Mobile App: https://itunes.apple.com/app/applipedia/id324026420?mt=8

Cyber Canon: https://cybercanon.paloaltonetworks.com/

PAN Chat on Gitter: https://gitter.im/PaloAltoNetworks/pandevice

PAN Device Framework Overview: http://paloaltonetworks.github.io/pandevice/#/start

PAN Device Framework Documentation: http://pandevice.readthedocs.io/en/latest/

 

Reply
Highlighted
gefuchs
L2 Linker
‎05-12-2017 08:50 AM
‎05-12-2017 08:50 AM

@ccscott wrote:

Honestly I would say Palo TAC has taken a big nosedive recently. Seems like all the frontline employees either just stall or are purely gatekeepers. I don't use support often, just when something isn't behaving as documented, but more often than not recently I've been ver disappointed. 

The frontline support appears very low end to me.

I don't even want to start on the issue of their lack of language comprehension.

Doing the normal remote session it's is appearant that someone in the background is helping them.

They pretty much just throw darts at the issue hoping to hit something.

0 Likes
Reply
Highlighted
fjwcash
L4 Transporter
‎05-12-2017 12:49 PM
‎05-12-2017 12:49 PM

@jjb3k wrote:

If I knew then what I know now.....

 

1. Use Panorama for (almost) everything. Building all objects, profiles, zones, and policies in Panorama has numerous manageability/scalability benefits. Other than network interfaces, virtual routers, and IPSec tunnels, build everything else in Panorama and push it to the firewalls.

2. Use nested device groups in Panorama to create a hierarchy for shared security policies. This allows a single rule, created once, to be applied to multiple firewalls. 

3. Template grouping should be based on device model do to zone limitations. Device grouping should be based on function or purpose.

4. Using tags, and corresponding colors, in your security rules helps with visual grouping the rules, and can also help with searching and filtering.

This is something we're struggling with.  How do you write Security Policies and NAT Policies in Panorama when each firewall uses different IPs for NAT and the Security Policies include the IPs in them?

 

On our FreeBSD firewalls, this was easy.  We just used generic variables in our rules scripts such that the rules were the same across all the firewalls, with a separate/unique config file on each firewall that was read into the scripts (to populate the generic variables).

 

I have not found any way to do this in Panorama.  Any pointers to documentation on best practises for this kind of setup would be nice.  Having to touch 50 separate firewalls in order to add a new Security Policy is a bit of a pain.  :)

 

Thanks,

Freddie

Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2020 - Palo Alto Networks