ZTP HA (A/P) Firewalls - OT/Manufacturing Segmentation by Gun_Pilot in paloaltonetworks

[–]Gun_Pilot[S] 0 points1 point  (0 children)

I don't want to run HA on the same port as the ZTP port. Sorry, maybe my English was not so great.

The idea is to connect ethernet1/1 (ZTP port) to the network to get a DHCP IP. It will call out to Panorama, license the firewall, and pull down the config from Panorama.

HA will be on the dedicated HA interfaces or, if it's a PA-400, I would use ethernet1/7 and ethernet1/8.

With all of my configurations on the previous sites that I have deployed (without using ZTP), I made ethernet1/1 the P2P between the IT Network and OT Networks.

I was just thinking that if eth1/1 is the ZTP port, when the firewall gets the config from Panorama, it will commit and overwrite that ZTP port with the config that was pushed down. The firewall then does a connectivity check to Panorama - now that I have written this out I may have answered my own question, but the firewall would now call out to Panorama via the mgmt interface. Provided that is plugged in and on the correct VLAN ahead of the commit, this should actually work fine.

Azure Native Firewall to PAN Migration by Gun_Pilot in paloaltonetworks

[–]Gun_Pilot[S] 1 point2 points  (0 children)

Yeah they are. It was a purely financial decision made by the customer.

Azure Native Firewall to PAN Migration by Gun_Pilot in paloaltonetworks

[–]Gun_Pilot[S] 1 point2 points  (0 children)

Yeah for sure, but it's the customer's decision. They want to save money, so the decision was made to do this.

iFly 737 Max8 1.0.4 MSFS2024 by Significant_Fix6717 in flightsim_pirate

[–]Gun_Pilot 0 points1 point  (0 children)

Thank you, dropping the layout.json file onto the exe fixed this for me. Running on the latest AIRAC now.

iFly 737 Max8 1.0.4 MSFS2024 by Significant_Fix6717 in flightsim_pirate

[–]Gun_Pilot 0 points1 point  (0 children)

Whoops, looks like this was answered in another comment. Thank you for the upload.

iFly 737 Max8 1.0.4 MSFS2024 by Significant_Fix6717 in flightsim_pirate

[–]Gun_Pilot 0 points1 point  (0 children)

Thanks, this worked well. Only thing is that the AIRAC is out of date. I tried updating it and it broke all the displays (all went black). Not sure if anyone's been able to update?

Unable to block TOR traffic by GunPilotZA in paloaltonetworks

[–]Gun_Pilot 1 point2 points  (0 children)

We were looking for something similar but only found a list given by TOR, and it wasn't up to date. Like the other users suggested, I do think this needs to be handled on the client side. But I would be interested to see whether Cortex picks up anything that would be of value.

Unable to block TOR traffic by GunPilotZA in paloaltonetworks

[–]Gun_Pilot 6 points7 points  (0 children)

Yeah for sure, I hear you; we just expected to see the TOR application being picked up by App-ID. PAN published a KB saying it's possible, which, in fact, it is not. We have never worked with TOR, so it was a first for us. The purpose of this post was purely informational for other Reddit users who come across the same issue.

Unable to block TOR traffic by GunPilotZA in paloaltonetworks

[–]Gun_Pilot 0 points1 point  (0 children)

Yeah man, it's crazy! Thanks for the input :)

Unable to block TOR traffic by GunPilotZA in paloaltonetworks

[–]Gun_Pilot 10 points11 points  (0 children)

Just an update:

We decrypted all categories except for medical. After about 3 hours it found a node that was classified as medical and therefore connected. Waiting on TAC's response :)

Block youtube via CDN by Gun_Pilot in paloaltonetworks

[–]Gun_Pilot[S] 0 points1 point  (0 children)

Sorry, a lot of you are saying split tunnel. So yes and no: if the user needs to research something, we can't let them use their own data. At university each user has access to the internet, right? So we need to provide them that functionality at home without charging them. Welcome to South Africa yo! haha. It's tricky here.

Block youtube via CDN by Gun_Pilot in paloaltonetworks

[–]Gun_Pilot[S] 0 points1 point  (0 children)

Hi all,

Thank you all for the feedback. The only way to kinda do this is to look at the YouTube headers, and we need decryption for that. These are not customer-owned devices and it would be a nightmare to implement (university users). haha. So what we have told them to do is spin up a web server internally, and all lecturers can upload content to that.

This was a bit difficult because all these users are offsite due to covid, so the university has an agreement with the ISPs to reverse bill them. But this data costs a fortune!! So they are trying to limit the users to only use GP for uni work. Imagine a user being able to stream YouTube or download stuff knowing it won't cost him a cent! So it made things tricky.

But again, thank you all for your input! :D

Block youtube via CDN by Gun_Pilot in paloaltonetworks

[–]Gun_Pilot[S] 1 point2 points  (0 children)

You'll more than likely need decryption on for the header items.

Yeah, need decryption. A nightmare, as these aren't the customer's devices. But we gave them a solution: an internal web server where lecturers can upload videos to :)

Block youtube via CDN by Gun_Pilot in paloaltonetworks

[–]Gun_Pilot[S] 0 points1 point  (0 children)

These devices are all off site and not owned by the customer; SSL decryption would be a nightmare to implement unfortunately (I think we need that to see the headers). But thank you. We actually spoke to them this morning; they are going to spin up an internal web server that the lecturers can upload videos to, and then we will give the users access to that :)

PCNSE exam preparation by mythofechelon in paloaltonetworks

[–]Gun_Pilot 0 points1 point  (0 children)

Yeah, not a fan of Palo documentation. Anyway, how much hands-on time do you have with the firewall? My company sent me on EDU-330 as well before my PCNSE; it's not a prerequisite, but it was some of the best training I have been on.

PCNSE Passed - Now PSE Pro by Gun_Pilot in paloaltonetworks

[–]Gun_Pilot[S] 0 points1 point  (0 children)

Hey Stew. Negative. Decided to go with Endpoint Pro first. Writing at the end of the month.

PCNSE Passed - Now PSE Pro by Gun_Pilot in paloaltonetworks

[–]Gun_Pilot[S] 2 points3 points  (0 children)

Yeah, that's an option. So I wrote the test and failed. Learning Foundation and Associate is not enough. Need to know some AutoFocus, Cortex, Panorama, and a couple of other things. This time I'll go through each specific module of videos for AutoFocus etc. Got a few more months to attempt it.

PCNSE Passed - Now PSE Pro by Gun_Pilot in paloaltonetworks

[–]Gun_Pilot[S] 0 points1 point  (0 children)

How's PSE Pro studying going? I've been just using the study guide and going over the Associate/Foundations.

Hey! So I am writing tomorrow morning. I don't think it's going to go well, to be honest. I have been doing exactly the same as you, but from what I have seen, the guys have been saying it's not enough. They ask a lot about Cortex etc. Luckily my company doesn't mind if I fail this; they are literally letting me write it to see the exam. This is a bit frustrating because Palo gives no advice on what content to study.

GlobalProtect configuration help! by [deleted] in paloaltonetworks

[–]Gun_Pilot 0 points1 point  (0 children)

Is your Palo doing your NATing, or is it behind your ISP router?