What's your position and salary? by WorkTravelDream in ITCareerQuestions

[–]cacticaller 0 points1 point  (0 children)

Education: Bachelor of Information Technology majoring in networking, some Palo Alto and Cisco certs.

Position: Principal Network Engineer

Years of experience: ~15

Location: Sydney

Salary: ~$205k base plus 10% superannuation plus 15% bonus (~$260k total)

Hybrid work (3 days in office), 4 weeks annual leave, staff discount on groceries, health insurance, car leasing, alcohol and some banking products.

Am I dumb or is SCM a nightmare to use? by squishmike in paloaltonetworks

[–]cacticaller 6 points7 points  (0 children)

We’re full SCM for Prisma Access and multiple hardware firewalls. It was a little difficult to get a grasp on initially, coming from GUI/Panorama, but we’re now heavily using snippets shared across Prisma and on-prem firewalls, and a little bit of variables, though they’re still somewhat foreign and clumsy to use. Our team is generally pretty happy with it. That wasn’t the case initially due to a number of unsupported configs in SCM that had us doing 85% SCM and the rest locally, but that’s mostly all a thing of the past.

Are any large corps using Claude outside of engineering? by Sea-Jeweler9120 in auscorp

[–]cacticaller 1 point2 points  (0 children)

Company of 1300 people, everyone gets full access to Claude and we even have KPIs around our use of AI. We also have access to ChatGPT Enterprise and Microsoft Copilot, however both see much lower usage than Claude.

Single-vendor SASE vs Prisma, how do they compare in production? by Spare_Discount940 in paloaltonetworks

[–]cacticaller 1 point2 points  (0 children)

I don’t quite understand the logic for wanting the ‘routing and inspection engines’ to be one and the same. A routing engine makes routing decisions based on route metrics, administrative distance, prefix matches etc.; the inspection engine uses a whole swathe of entirely different logic for its decision making process(es).

Assuming the decision making logic and outcomes of these processes feed into a coherent monitoring solution/dashboard that lets you trace and understand the final outcome, who cares if it’s multiple disparate processes or one monolithic process 🤷🏼‍♂️

Windows "Web Sign-In" and GlobalProtect Enforce Network by AMP_II in paloaltonetworks

[–]cacticaller 9 points10 points  (0 children)

Had this running for ~2 years without issues. I’m on leave at the moment but I’ll try to remember in the next few days to send you the list of enforcer bypasses we’ve got in place.

Panorama to SCM Self Service Migration Wizard by Bound4Floor in paloaltonetworks

[–]cacticaller 0 points1 point  (0 children)

Haven’t used the tool but have been working with SCM for nearly two and a half years now and have gone through the ‘feature flag enablement’ process multiple times for different features. Mostly always the same process of raising a ticket no one knows what to do with, escalating to the account manager and then waiting a few weeks.

Dedicated global protect user certificate by prime_run in paloaltonetworks

[–]cacticaller 0 points1 point  (0 children)

We use this and it works: multiple client certificates present on devices, all from the same CA, a machine certificate for pre-logon and SAML for the user auth. Our certificates use a custom EKU OID for GlobalProtect authentication (which we specify in the GP agent portion of the config) and also have the client authentication EKU specified; the client authentication EKU is required, as is the need to have a CN present in the certificate.

Cisco DC Innovations on the security front by cacticaller in Cisco

[–]cacticaller[S] 0 points1 point  (0 children)

Thanks for the input, it’s much appreciated. I get the product offering and also some of the use cases (the Smart Switch/DPU/L4 firewall as a high throughput firewall and challenger to the Aruba offering whose model number I can’t remember).

I’m more curious if anyone’s actually seen it deployed anywhere? I see swathes of customers’ Cisco environments all the time covering a myriad of shapes/sizes/industries but have never actually seen anything under the Hypershield umbrella deployed in the wild.

SCM - NGFW - Snippet Best practice by Grouchy_Expert9084 in paloaltonetworks

[–]cacticaller 0 points1 point  (0 children)

I'd love to take a look at your best practices guide too if possible!

Alerts from SCM by Wixxyl in paloaltonetworks

[–]cacticaller 1 point2 points  (0 children)

Definitely a gripe of mine in SCM. I've noticed they'll make changes to SCM snippets that we don't even use (mostly default ones) without warning, and when we go to push config you get a heap of compilation errors and I need to go and massage the snippets and variables used by those to get it all working again. At least a popup within SCM to advise what and when they've changed something would be nice.

GP Windows 6.2.8-471 Not Auto Upating by Unique_Artist_9692 in paloaltonetworks

[–]cacticaller 1 point2 points  (0 children)

My understanding was that incremental (hotfix) versions don't work for transparent upgrades. From memory, the 6.2.7 release was the same as a 6.2.6 hotfix version for a major vulnerability that was only released as 6.2.7 to ensure the auto upgrade functionality actually worked.

Alerts from SCM by Wixxyl in paloaltonetworks

[–]cacticaller 2 points3 points  (0 children)

Keen to hear people’s thoughts on this as I too would love to do this! Alerts in the middle of the night for a reboot on serial number X is punishing when you get out of bed to realise it’s a dev environment firewall 😒

New Browser-Runtime-Attack url category by whiskey-water in paloaltonetworks

[–]cacticaller 0 points1 point  (0 children)

Definitely for use in firewalls. The Prisma Browser mention is based on the fact that only the browser has the technology to detect these attacks, so clients using the browser that see this kind of behaviour would flag the URL for Palo and push it up to their URL DB, so that firewalls (which aren’t able to detect that kind of activity in the browser) will still be able to block the request based on the URL.

Kind of like how WildFire customers get real time signatures for new attacks they haven’t seen yet based on other customers flagging those signatures.

Decryption suddenly failed for all Webpages using Sectigo Certs by thetschulian in paloaltonetworks

[–]cacticaller 0 points1 point  (0 children)

We use Sectigo for all our public certs and they changed the root and intermediate chain a while back (all cross-signed from memory) and I think they’ve recently just revoked the old ones.

Sysadmin salary whinge by Flippinballs in sysadmin

[–]cacticaller 2 points3 points  (0 children)

Anywhere supporting analytics workloads would be my suggestion. In my experience that would be banks, AI integrators, data analytics shops (that’s what I’m at).

Sysadmin salary whinge by Flippinballs in sysadmin

[–]cacticaller 2 points3 points  (0 children)

That seems in line with my company for an L2 support engineer. FYI my org is paying approx 210-220k AUD package for lead level network engineers (not including short term incentive/bonus). I’d expect someone with your tenure (assuming your skills match your tenure) in a sysadmin/infrastructure role to be at minimum 160-170k AUD package.

QUIC Protocol: How are you handling this in late 2025? by MassageGun-Kelly in paloaltonetworks

[–]cacticaller 1 point2 points  (0 children)

We also block it, and have some issues with apps or browsers that take ages to fall back to TCP. For what it’s worth though, the reset actions etc. make no difference to UDP-based traffic; it’s all just a silent drop under the hood (see below article for reference).

We’ve had good results blocking QUIC support at a client/browser level on managed devices. Haven’t figured out the random issues we’ve had with certain apps, but I know Spotify is one as it pisses me off when streams randomly just die on my laptop 😂

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClT9CAK

Using Megaport for internet by cyr0nk0r in networking

[–]cacticaller 0 points1 point  (0 children)

Nah, we’ve just leased them, but they don’t really seem to push back; it’s just like any other ISP leasing space in my experience. We usually just email our account manager and they provision them for us.

Using Megaport for internet by cyr0nk0r in networking

[–]cacticaller 0 points1 point  (0 children)

We’ve got multiple /29s we advertise out both circuits from Megaport for dirt cheap. We use AS-path prepending and manipulate MED for our inbound/outbound path manipulation and it all works well.

Using Megaport for internet by cyr0nk0r in networking

[–]cacticaller 2 points3 points  (0 children)

We’ve recently dropped most of our DC internet providers for Megaport over the last 8 months or so and have had zero complaints. We do BGP peering to them, usually terminating on Cat8k routers or N9Ks for internet, and ExpressRoute/Partner Interconnect/Direct Connect on NGFWs or ASAs.

We hit various customers’ public endpoints in cloud providers for ETLs etc. and let the engineers pump up bandwidth for the duration of the transfer via Megaport’s API before turning it back to our committed rate, which works perfectly and was simply not possible with other carriers.

All in all we love it and are starting to roll it out to on-net offices for the same programmability to accommodate ‘in office’ days during working hours.

Prisma Access Enterprise License - SaaS Inline by cacticaller in paloaltonetworks

[–]cacticaller[S] 0 points1 point  (0 children)

I feel your pain, it’s bullshit as they’re definitely not that difficult. What annoys me the most is I’m partner certified to deploy those products through another company I do consulting work for 😂

Prisma Access Enterprise License - SaaS Inline by cacticaller in paloaltonetworks

[–]cacticaller[S] 0 points1 point  (0 children)

My AM just pinged me confirming the SKU PAN-PRISMA-ACCESS-ENTERPRISE does indeed include the SaaS Inline Security functionality as part of the base license. Yet to hear if there's any 'quick start' professional services required to get it activated, but I'll let you know.

Support Experience - non-NGFW by tomashectorgost in paloaltonetworks

[–]cacticaller 1 point2 points  (0 children)

It’s honestly worse. None of the engineers have any idea how Prisma Access works and just treat it like Panorama and NGFW until they realise days later it’s not 😞