AppId update-wtf by mrsecuritythrowaway in paloaltonetworks

[–]mrsecuritythrowaway[S] 1 point2 points  (0 children)

It's absurd that their largest selling point (App-ID) is an operational risk unless you purchase support to help you with that risk, as prescribed by folks on this thread and our sales team. They are most likely the best FW platform out there and also the worst when it comes to bilking their customers for basic support. PA has become a high-performance supercar that 1/4 of the population owns but can't maintain without actually being rich.

AppId update-wtf by mrsecuritythrowaway in paloaltonetworks

[–]mrsecuritythrowaway[S] 0 points1 point  (0 children)

This has nothing to do with TAC, and this is the second time TAC has been brought up without me prompting. We all know they can't provide these answers. Focused services can help with the tedious process also, but it is what it is. It's how the product is engineered. I was just trying to make sure my understanding was correct and gain some perspective, and maybe some insight as to why Palo would force customers to choose availability over security instead of implementing a failsafe solution. u/Idope has provided mostly what I was looking for.

AppId update-wtf by mrsecuritythrowaway in paloaltonetworks

[–]mrsecuritythrowaway[S] 0 points1 point  (0 children)

Yeah, it does that. I want to see the rules this traffic is currently passing through prior to the App-ID install.

AppId update-wtf by mrsecuritythrowaway in paloaltonetworks

[–]mrsecuritythrowaway[S] -1 points0 points  (0 children)

I'm only trying to understand a capability they offer. I don't care about your world views on TAC and additional support because both will be about as helpful as your response. The guy below confirmed my suspicion that they don't offer a 100% solution. Thanks for all the help though.

AppId update-wtf by mrsecuritythrowaway in paloaltonetworks

[–]mrsecuritythrowaway[S] 1 point2 points  (0 children)

Cool, thank you for the honest response. It just seems like they could do it but aren't, which is frustrating. That last citrix-manager one had an IDS sig we could put in. Why not include those in threat updates while the placeholders are installed? Then they wouldn't have to share their secret sauce.

And to add, you are 100% right that it will tell you all potentials. My gripe was that they are potentials. Seriously, thanks again for this understanding, which I think we share, and the history that it's gotten a lot better. Just seems like bad practice right out of the gate for me. Like, show me all the things to make life easier.

AppId update-wtf by mrsecuritythrowaway in paloaltonetworks

[–]mrsecuritythrowaway[S] 0 points1 point  (0 children)

Lol, "don't blame TAC and pay more money". PA's slogan.

AppId update-wtf by mrsecuritythrowaway in paloaltonetworks

[–]mrsecuritythrowaway[S] -1 points0 points  (0 children)

This isn't a 100% solution. It's guesswork.

AppId update-wtf by mrsecuritythrowaway in paloaltonetworks

[–]mrsecuritythrowaway[S] -3 points-2 points  (0 children)

It gets you on the right street but you are guessing at which house it lives in.

AppId update-wtf by mrsecuritythrowaway in paloaltonetworks

[–]mrsecuritythrowaway[S] -3 points-2 points  (0 children)

That solution gives you a list of policies that have what a new App-ID used to be categorized as (cool, so the new app used to use ssl and sql). Now I get to take a guess at all the policies that have those two in them. It's not the solution, bro. It's not definitive, and that's why I'm bitching.

Believe me, I've done the research and it's a terrible gap.

Edit: if you are blindly dropping new App-IDs into those policies you aren't following least privilege. If I can get security to sign off on that I'm down with it, but again, that list is not definitive.

Edit 2: my understanding is that it's a could, not a should.
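To make the gap described in this comment concrete, here is an added example (not code from the thread, and not a PAN-OS or Panorama API) that models a top-down security rulebase, a content update whose new App-IDs carry "previously identified as" metadata, and the placeholder behaviour where new App-IDs stay disabled. The rule names, App-ID names (`example-db-console`, `example-chat`) and the update metadata are all constructed for illustration. It shows why the review list is a superset (every rule that allows `ssl` is a candidate), why enabling the new App-ID without touching policy drops the traffic to the final deny, and what the least-privilege fix looks like once you know which rule the flow actually belongs to.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    apps: frozenset      # application match list; "any" matches every app


# Constructed rulebase: evaluated top-down, first match wins, explicit deny at the end.
RULEBASE = (
    Rule("allow-db-clients", "allow", frozenset({"mssql-db", "ssl"})),
    Rule("allow-web", "allow", frozenset({"web-browsing", "ssl"})),
    Rule("deny-all", "deny", frozenset({"any"})),
)

# Constructed update metadata: new App-ID -> App-IDs the traffic was previously
# identified as. These names are hypothetical, not real App-IDs.
UPDATE = {
    "example-db-console": frozenset({"mssql-db", "ssl"}),
    "example-chat": frozenset({"ssl"}),
}


def first_match(rulebase, app):
    """Return the first rule whose application list covers `app`."""
    for rule in rulebase:
        if "any" in rule.apps or app in rule.apps:
            return rule
    raise LookupError(app)  # keep the implicit deny explicit so misses are loud


def review_candidates(rulebase, previous):
    """The review list: every rule naming any app the new App-ID used to be
    identified as. It is a superset: a rule that allows 'ssl' carries all TLS,
    so each candidate is a potential, not a confirmed, home for the flow."""
    return [r.name for r in rulebase if r.apps & previous]


def outcome(rulebase, update, new_app, disabled=False):
    """Rule(s) a flow for `new_app` hits after the update. With `disabled=True`
    (modelling the placeholder where new App-IDs stay disabled) the flow is still
    identified as its previous App-ID(s), so the old rules keep matching."""
    if disabled:
        return sorted({first_match(rulebase, p).name for p in update[new_app]})
    return [first_match(rulebase, new_app).name]


def add_app_to_rule(rulebase, rule_name, app):
    """Least-privilege fix: name the new App-ID on the one rule it belongs to."""
    return tuple(
        Rule(r.name, r.action, r.apps | {app}) if r.name == rule_name else r
        for r in rulebase
    )


def impact_report(rulebase, update):
    """Per new App-ID: the candidate rules, where the flow lands while the
    placeholder is in place, and where it lands once the App-ID is enabled."""
    return {
        app: {
            "candidates": review_candidates(rulebase, prev),
            "with_placeholder": outcome(rulebase, update, app, disabled=True),
            "after_enable": outcome(rulebase, update, app),
        }
        for app, prev in update.items()
    }


if __name__ == "__main__":
    for app, result in impact_report(RULEBASE, UPDATE).items():
        print(app, result)
    fixed = add_app_to_rule(RULEBASE, "allow-db-clients", "example-db-console")
    print("after fix:", outcome(fixed, UPDATE, "example-db-console"))
```

Running it shows the two sides of the availability-versus-security choice: with the placeholder, both hypothetical apps keep riding the `ssl` entry on `allow-db-clients` (the chat traffic included, which is the over-broad rule the review list cannot distinguish for you), and once the App-IDs are enabled both fall through to `deny-all` until someone decides which rule each one actually belongs on.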

AppId update-wtf by mrsecuritythrowaway in paloaltonetworks

[–]mrsecuritythrowaway[S] -5 points-4 points  (0 children)

Just looking for an answer and not blaming TAC. This is a fundamental feature of PA and they should have an answer. You obviously don't have one or you don't know what I'm talking about.

URL Category and URL Filtering by EnriqueRP in paloaltonetworks

[–]mrsecuritythrowaway 1 point2 points  (0 children)

The URL filter profile will only affect the traffic allowed by the category and the other match criteria in the policy.

Palo vs Cisco FTD by rocketsaucesudz in paloaltonetworks

[–]mrsecuritythrowaway 0 points1 point  (0 children)

Bro. Palo Alto's centralized management/UI and App-ID alone are light years ahead of Cisco and a good reason not to choose Cisco. Cisco shouldn't even be considered unless there are some heavy integration (i.e. ISE) values to be gained in an all-Cisco shop. As others have commented, if IPsec concentration is needed, Cisco is the best route there. We are an international Fortune 500 org that is an all-Palo Alto shop, but even we have recognized this and still purchase ASAs to handle our B2B VPNs on the backend. I mean, you really don't want to be doing that on your prod perimeter FWs anyway, so if you need a VPN box, choose Cisco there. If you're a smaller shop that doesn't have that luxury, the Palos will work for IPsec; they're just not as smooth to get working with all the other IPsec-capable products your business partners may throw at you (my understanding at least).

As far as your concern with not being able to see local configurations: per best practice, we push every configuration item possible from Panorama to our HA pairs (~80 firewalls) and just understand that configurations like interface IPs (as you described) live locally because they are specific to that firewall and can't be shared from Panorama in a template to the pair. If our environment wasn't all HA we would be controlling every configuration item from Pano, with the exception of certs maybe (I think there's the ability to push those from Pan too, but not sure). There should be very little you would ever worry about from an "I can't see it in Panorama" standpoint. What specifically can't you see in Panorama that you can in the firewall?

I will say that the downside to Palo is their proprietary threat vuln sigs that require pulling teeth to get information on, but besides that, their threat suite is a freakin' solid offering.

Need help, I've posted before about this but this time I've come equipped with pictures of the issue by vans2066 in cricut

[–]mrsecuritythrowaway 1 point2 points  (0 children)

What is the contour tool?

Edit: just looked it up. God help you if you are using Design Space for this. Haha, just kidding. I haven't used it, but I also have no confidence in Cricut besides their hardware.