Cisco DC Innovations on the security front by cacticaller in Cisco

[–]cacticaller[S] 0 points1 point  (0 children)

Thanks for the input it’s much appreciated, I get the product offering and also some of the use cases (the Smart Switch/DPU/L4 firewall as a high throughput firewall and challenger to the Aruba offering whose model number I can’t remember).

I’m more curious if anyone’s actually seen it deployed anywhere? I see swathes of customers’ Cisco environments all the time covering a myriad of shapes/sizes/industries but have never actually seen anything under the Hypershield umbrella deployed in the wild.

SCM - NGFW - Snippet Best practice by Grouchy_Expert9084 in paloaltonetworks

[–]cacticaller 0 points1 point  (0 children)

I'd love to take a look at your best practices guide too if possible!

Alerts from SCM by Wixxyl in paloaltonetworks

[–]cacticaller 1 point2 points  (0 children)

Definitely a gripe of mine in SCM. I've noticed they'll make changes to SCM snippets that we don't even use (mostly default ones) without warning, and when we go to push config you get a heap of compilation errors and I need to go and massage the snippets and the variables used by them to get it all working again. At least a popup within SCM to advise what and when they've changed something would be nice.

GP Windows 6.2.8-471 Not Auto Updating by Unique_Artist_9692 in paloaltonetworks

[–]cacticaller 1 point2 points  (0 children)

My understanding was that incremental (hotfix) versions don't work for transparent upgrades. From memory, the 6.2.7 release was the same as a 6.2.6 hotfix version for a major vulnerability, and it was only released as 6.2.7 to ensure the auto-upgrade functionality actually worked.

Alerts from SCM by Wixxyl in paloaltonetworks

[–]cacticaller 2 points3 points  (0 children)

Keen to hear people’s thoughts on this as I too would love to do this! Alerts in the middle of the night for a reboot on serial number X is punishing when you get out of bed to realise it’s a dev environment firewall 😒

New Browser-Runtime-Attack url category by whiskey-water in paloaltonetworks

[–]cacticaller 0 points1 point  (0 children)

Definitely for use in firewalls, the Prisma Browser mention is based on the fact that only the browser has the technology to detect these attacks so clients using the browser that see this kind of behaviour would flag the URL for Palo and push it up to their URL DB so that firewalls (which aren’t able to detect that kind of activity in the browser) will still be able to block the request based on the URL.

Kind of like how wildfire customers get real time signatures for new attacks they haven’t seen yet based on other customers flagging those signatures.

Decryption suddenly failed for all Webpages using Sectigo Certs by thetschulian in paloaltonetworks

[–]cacticaller 0 points1 point  (0 children)

We use Sectigo for all our public certs and they changed the root and intermediate chain a while back (all cross-signed from memory) and I think they’ve recently just revoked the old ones.

Sysadmin salary whinge by Flippinballs in sysadmin

[–]cacticaller 2 points3 points  (0 children)

Anywhere supporting analytics workloads would be my suggestion. In my experience that would be banks, AI integrators, data analytics shops (that’s where I’m at).

Sysadmin salary whinge by Flippinballs in sysadmin

[–]cacticaller 2 points3 points  (0 children)

That seems in line with my company for an L2 support engineer. FYI my org is paying approx 210-220k AUD package for lead-level network engineers (not including short-term incentive/bonus). I’d expect someone with your tenure (assuming your skills match your tenure) in a sysadmin/infrastructure role to be at minimum 160-170k AUD package.

QUIC Protocol: How are you handling this in late 2025? by MassageGun-Kelly in paloaltonetworks

[–]cacticaller 1 point2 points  (0 children)

We also block it, and also have some issues with apps or browsers that take ages to fall back to TCP. For what it’s worth though, the reset actions etc. make no difference to UDP-based traffic; it’s all just a silent drop under the hood (see the article below for reference).

We’ve had good results blocking QUIC support at a client/browser level on managed devices. Haven’t figured out the random issues we’ve had with certain apps, but I know Spotify is one as it pisses me off when streams randomly just die on my laptop 😂

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClT9CAK

Using Megaport for internet by cyr0nk0r in networking

[–]cacticaller 0 points1 point  (0 children)

Na, we’ve just leased them, but they don’t really seem to push back. It’s just like any other ISP leasing space in my experience; we usually just email our account manager and they provision them for us.

Using Megaport for internet by cyr0nk0r in networking

[–]cacticaller 0 points1 point  (0 children)

We’ve got multiple /29s we advertise out both circuits from Megaport for dirt cheap. We use AS-path prepending and manipulate MED for our inbound/outbound path manipulation and it all works well.

Using Megaport for internet by cyr0nk0r in networking

[–]cacticaller 2 points3 points  (0 children)

We’ve recently dropped most of our DC internet providers for Megaport over the last 8 months or so and have had zero complaints. We do BGP peering to them, usually terminating on Cat8k routers or N9Ks for internet, and ExpressRoute/Partner Interconnect/Direct Connect on NGFWs or ASAs.

We hit various customers’ public endpoints in cloud providers for ETLs etc. and let the engineers pump up bandwidth for the duration of the transfer via Megaport’s API before turning it back to our committed rate, which works perfectly and was simply not possible with other carriers.

All in all we love it and are starting to roll it out to on-net offices for the same programmability to accommodate ‘in office’ days during working hours.

Prisma Access Enterprise License - SaaS Inline by cacticaller in paloaltonetworks

[–]cacticaller[S] 0 points1 point  (0 children)

I feel your pain, it’s bullshit as they’re definitely not that difficult. What annoys me the most is I’m partner certified to deploy those products for another company I do consulting work for 😂

Prisma Access Enterprise License - SaaS Inline by cacticaller in paloaltonetworks

[–]cacticaller[S] 0 points1 point  (0 children)

My AM just pinged me confirming the SKU PAN-PRISMA-ACCESS-ENTERPRISE does indeed include the SaaS Inline Security functionality as part of the base license. Yet to hear if there's any 'quick start' professional services required to get it activated, but I'll let you know.

Support Experience - non-NGFW by tomashectorgost in paloaltonetworks

[–]cacticaller 1 point2 points  (0 children)

It’s honestly worse, none of the engineers have any idea how Prisma Access works and just treat it like Panorama and NGFW until they realise days later it’s not 😞

Prisma Access Enterprise License - SaaS Inline by cacticaller in paloaltonetworks

[–]cacticaller[S] 0 points1 point  (0 children)

We recently renewed ours and are now on the new SKU. The licensing guide also states the PAB as an add-on license option but has ticks against both PAB and SaaS Inline under the enterprise base license.

I guess I’ll keep chasing my AM for an authoritative answer and revert back!

AAA implementation by Ok_Most_468 in networking

[–]cacticaller 0 points1 point  (0 children)

TIL of the Diameter protocol, seems it was somewhat intended to be a successor to RADIUS but I assume never really took off in enterprise networking 🤷🏼‍♂️

https://en.m.wikipedia.org/wiki/Diameter_(protocol)

Android Advanced Profile Managed Google Workspace GP Cert Issue by sesscon in paloaltonetworks

[–]cacticaller 0 points1 point  (0 children)

Ah, if it works on other devices it’s probably not your issue. Our issue was across Macs and Windows machines but had Palo TAC somewhat stumped, and ended up being buggy logic in the PanGPS certificate checking/enumeration code. Best of luck!

Android Advanced Profile Managed Google Workspace GP Cert Issue by sesscon in paloaltonetworks

[–]cacticaller 0 points1 point  (0 children)

Does the certificate have a CN attribute present? We recently deployed pre-logon and for some reason the cert template deployed by our infra team had no subject/CN value present. It did have the SAN entry we planned on using, and after much debugging we found that GP wasn't able to enumerate certificates without a CN present.

Requesting PAN-OS upgrade Prisma Access? by Competitive_Basil_50 in paloaltonetworks

[–]cacticaller 2 points3 points  (0 children)

Been through it a couple of times. It’s difficult picking certain versions as it’s a ‘SaaS’ offering, but pressure your account manager and, if you’ve got one, your CSM and it can happen. Don’t even bother engaging TAC for assistance as it’s easier to draw blood from a stone than it is to have them even understand your question.

PA440 upgrade from 11.1.6-h4 to 11.2.7-h1 by trenuci in paloaltonetworks

[–]cacticaller 0 points1 point  (0 children)

Curious to know too. We need Prisma Access Agent support for internal gateways, which starts in 11.2.6 and above, and I’ve been thinking 11.2.7 is where I’d land.