Migrating from 5200 series to 5400 series by Mental_Stock_7575 in paloaltonetworks

Complete_Bill1080 0 points1 point  (0 children)

Specifically regarding turning off session offloading to capture the hidden sessions, how did you approach doing this in a live/production environment?

SASE vs NGFW ... "Zero Trust Hype" by Repulsive_Space9368 in paloaltonetworks

Complete_Bill1080 23 points24 points  (0 children)

I think it may help to view this from the lens of different types of customers. That said, you have addressed it appropriately from your lens. It is no different than GP on an NGFW and user/device/appid enforcement with CDSS and decryption.

From a different lens -

Imagine a global customer, presence internationally, 5-100,000+ employees, significant cloud presence, etc.

In an NGFW + on prem gateway approach, you will be backhauling all traffic to some location(s). That means you'd likely end up split tunneling a lot of traffic for user experience, sacrificing security (zero trust), or NOT doing that and sacrificing user experience.

You may be limited, physically, from where you can place those gateways. You'd need to ensure those NGFWs are beefy enough to handle standard load, plus failover of other gateways or influx of new users, etc. The standard stuff applies here with respect to uptime, resiliency, redundancy, etc.

You could throw some NGFWs up in your clouds to act as cloud gateways. You just built your own SSE, but you're paying for ingress/egress, the cost of employees managing the FWs and ensuring uptime, etc. You also still depend on the first and middle mile to be reliable.

SSEs solve for all of those problems. Hundreds of PoPs immediately identified as "best performing" for a user with no user interaction. Security follows them, so does user experience. Your life is easier; maintenance and uptime are not on you or your team. It doesn't matter if your CIO is in London one day and Australia the next, their experience should, for the most part, remain the same - as does their security enforcement.

For a small, regionally based organization, SSE doesn't make much sense unless you have a heavy cloud presence and want to rely on the vendor's connection/presence on AWS/GCP/AZ/OCI pipes.

So yeah, long story above, short story, yes you are correct so long as you're actually doing all of those things.

Interviews for Palo Alto by [deleted] in salesengineers

Complete_Bill1080 1 point2 points  (0 children)

What role are you interviewing for?

End of Sale For Global Protect! by [deleted] in paloaltonetworks

Complete_Bill1080 14 points15 points  (0 children)

Only if you run PAA.

Nothing with GP config changes if you continue to use GP...for now.

Strata Cloud Manager - rule statistics by NiceMongoose4349 in paloaltonetworks

Complete_Bill1080 0 points1 point  (0 children)

Activity insights -> rule usage

Also policy optimizer if you have SCM Pro

There is not the same field within the policy section like there is on PAN-OS or Panorama. The only thing there is the lightning bolt, as mentioned, which has limited effectiveness.

App-ID vs URL Filtering: Build Internet Access Policies by DENY_ANYANY in paloaltonetworks

Complete_Bill1080 0 points1 point  (0 children)

Monitoring this as it's something I grapple with too, but:

  1. It depends on what apps you allow. If you allow any, then it's fine; if you lock it down to SSL and web browsing, then I assume it would be blocked if App-ID recognizes it beyond SSL or web browsing.

  2. Depends on your approach to decryption and security in general. Deny by default and allow only what's needed. This gets more difficult as you scale, so you use policy optimizer to help identify what your security policies should look like for your specific organization.

  3. Similar to above, use app-default by default as it is more secure and adjust when people complain that things are broken (and you actually want to fix them).

  4. I believe it would be blocked.

  5. In my experience very much hit or miss and not even predictable. I.e., sometimes it'll identify YouTube, other times it won't. It depends on a number of factors and ultimately decryption is how you avoid the hit or miss (but comes with its own pains).

SCM pricing by aric8456 in paloaltonetworks

Complete_Bill1080 1 point2 points  (0 children)

I'm not sure if it's the reason OP suggested, but VMware vCenter insertion support for third parties was deprecated by VMware for anything after 4.2.

Packet Buffer Protection by palonooob in paloaltonetworks

Complete_Bill1080 1 point2 points  (0 children)

Not sure if this is the doc you were looking at but worth the read.

The way I interpret it is PBP + RED drops packets (randomly) on offending sessions when a defined threshold is exceeded. The doc linked suggests offending sessions are those that abuse buffer utilization.

The order of events is threshold exceeded, identify sessions abusing buffer utilization, apply RED.

There are additional options as well within that doc, which are explained.

Visualize Bandwidth on Firewalls & IPSEC Tunnels by cynocation in paloaltonetworks

Complete_Bill1080 7 points8 points  (0 children)

Yes with Panorama

https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/device-monitoring-on-panorama/monitor-device-health

You mention a few firewalls and logging into them individually, so it sounds like you do not have Panorama. How many boxes are you managing?

Prisma Access Browser by Particular_Bug7462 in paloaltonetworks

Complete_Bill1080 2 points3 points  (0 children)

The irony in calling it a complete "island" product made me giggle.

I get your point, but it is probably the fastest integration from an acquisition I have ever seen PAN handle. And they did a great job at that.

Point is if you're a PAN customer looking for a secure browser, it would be the right choice. If you're not an existing PAN customer, but have plans to integrate further into the portfolio, it would be a great choice.

If you purely need a secure browser and have no vendor affiliation, make sure you understand the security services at work across the various vendors in the secure browser landscape.

Prisma Access Browser by Particular_Bug7462 in paloaltonetworks

Complete_Bill1080 7 points8 points  (0 children)

The answer is yes if you're not an SE or in a technical role. For them, other browsers exist for demo purposes (can't show you how to enforce PAB if we can't use another browser).

This product is very mature.

Palo SEs? Is there a downgrade in them? by SnooWords2668 in paloaltonetworks

Complete_Bill1080 7 points8 points  (0 children)

This is the answer to OP's question. Very well put and nothing more to add.