Hi, Beginning are always clumsy, but one of the first things I was impressed - community and knowledge base articles. I cannot stress enough how many times articles around here have helped me to get around some issues or simply get to know some feature. Anyway, when I got into PA firewalling, it all looked nice and shiny and overall easy to deal with, so it felt good, but some things I've learned over time: Subscribe for Security Advisories, Software Update & Content Update e-mails - that way you will always know when new feature release comes and will not miss more severe notifications about vulnerabilities - in such a cases every minute counts. Use packet capture - that has proven my point countless times - if, for any reason, you do not believe logs - getting the capture in such a cases is easy & fast way to see what really happens from a different directions. Learn some basic CLI - they WILL become handy one day and when that happens - it may be already stressful enough as you will not go there unless there is a really good reason. Know how to deal with HA from CLI, log structure, running debug packet diag, flow basic (https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Flow-Basic/ta-p/72556), etc. Superb feature I learned about after a while - https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Test-Which-Security-Policy-Applies-to-a-Traffic-Flow/ta-p/53693. Testing policy match from the CLI - that really helps to understand if the traffic will pass without bothering the end-user. P.S. TCP - IP protocol 6, UDP - 17. Good to know when testing. 🙂 Features that are synchronized in HA - https://live.paloaltonetworks.com/t5/Tech-Note-Articles/High-Availability-Synchronization/ta-p/61190. Had to deal with the question - why the heck secondary device is not getting the updates from the Internet although the network setup should allow it, but, whooaaah, service routes had to be set for both devices of the HA pair saperately as they are not synced in HA. Although it was not possible in early PA releases - it is possible to log the default security rule traffic - https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-See-Traffic-from-Default-Security-Policies-in-Traffic/ta-p/57393. I've seen some creating custom "catch-all" rule for the traffic just for the logging - not required anymore. I was told it is not possible and it turned to out to be legacy and wrong. ..and there are definitely other things, but as you see all of these are well described in Live community - you still have to find them though. 🙂
... View more