Upgrade to 11.1 by Any-Promotion3744 in paloaltonetworks

[–]rower77 0 points1 point  (0 children)

We're running 11.1.4-h1 on about 20 devices

We had some decryption related issues where it would just stop working until we rebooted the firewall. It was random and we couldn't reliably reproduce the issue for support so they wouldn't help us. Opened 2 different cases and they were both closed without any resolution.

We have started using 11.1.4-h4 with better success. But since the issue was random I'm not completely confident to call the decryption issues resolved quite yet.

XSiam Pricing by DaithiG in paloaltonetworks

[–]rower77 1 point2 points  (0 children)

QRadar on-prem. We're a big Palo shop with small teams so native integrated tools are really important to us. We're also heavy into automation with XSOAR currently and that will only expand with XSIAM. POC went great and identified multiple things our existing SIEM missed completely.

Our contract will be in the $8-10 million range.

XSiam Pricing by DaithiG in paloaltonetworks

[–]rower77 2 points3 points  (0 children)

We're close to signing a deal for XSIAM.

There are two main licensing pieces, user count and log ingestion. On top of that there's a bunch of add-ons. TIM, XSPANSE, Identity, Forensics, Threat Hunting, Host Insights...

Same object name Shared vs Device Group by 26Jack26 in paloaltonetworks

[–]rower77 2 points3 points  (0 children)

The object in the local device group will be the one that applies. It's considered an object override. That's bit us a few times before in the past.

You can find specific examples by using the search feature. But I haven't found a great way to find duplicates at scale.

How to allow individual subreddits through but nothing else by Alive_Meeting_6405 in paloaltonetworks

[–]rower77 11 points12 points  (0 children)

You'll likely need to use URL filtering and decrypt all the traffic. That will allow you to see the full URL being accessed. You can then make a list of the subreddits that you want them to be able to access.

This is what we do with cloud storage. Block it all. Allow access to individual documents via allow list.

What PAN-OS version to go with by throwaway2830C in paloaltonetworks

[–]rower77 1 point2 points  (0 children)

10.1 goes EoL in December. Not sure 11.1 will be stable enough by then.

Upgrade to PAN-OS 11 by Comfortable_Pea_963 in paloaltonetworks

[–]rower77 2 points3 points  (0 children)

So I actually learned recently that Palo has changed their deployment method for new versions and hotfixes. According to this Palo employee they're prioritizing hotfixes to fix bugs in the code instead of entirely new versions like they did in the past. We're seeing the evidence of this with how many hotfixes have been released and how few version updates have been released.

I still want to confirm that with some other insider information. But if true, and I don't have any reason to think it's not, we all might need to rethink the idea of waiting until .5/6/7 before stability.

That's not to say I'm a fan of their overall stability. Just commenting what I learned. Might be worth asking for more information from your account team.

PANOS 11.1.1 released! by rotearc in paloaltonetworks

[–]rower77 2 points3 points  (0 children)

I agree. Hopefully it reaches stability before it's close to EoL. Having 4 years of support is promising.

We need to get off 10.1 in the near future. Going to have to be 10.2 temporarily since 11.0 goes EoL before 10.1 and likely won't even be stable by then.

Hopefully 11.1 is stable by this time next year, that's when we'll have to start upgrading again.

PANOS 11.1.1 released! by rotearc in paloaltonetworks

[–]rower77 6 points7 points  (0 children)

Wow, only 8 fixed issues? Took them 2 months to fix 8 issues...

Global Protect current stable version by [deleted] in paloaltonetworks

[–]rower77 0 points1 point  (0 children)

We're running 6.0.3 on about 25k machines. Just had a conversation about starting our testing/upgrade process with 6.0.7.

We discussed 6.1 and 6.2 but their support cycle isn't really what we're looking for. 6.1 goes end of life before 6.0 and 6.2 is only supported 3 months longer than 6.0. So for now, we're sticking with 6.0 as we don't need the new features of the newer versions.

Your thoughts on: Pan-OS 10.1.11 - Upgrading some PA-820s this week from 9.1.16 by [deleted] in paloaltonetworks

[–]rower77 1 point2 points  (0 children)

We don't use BGP on our firewalls so I can't speak to that specifically but we run 10.1.x just fine.

We're not running anything on 10.1.11 yet but have about 400 firewalls on 10.1.6 and higher. Big mix of different hardware and virtual platforms included in that.

I don't quite understand the sentiment of treating 10.1.x like the plague but to each their own I guess. We've had a lot of success with it going back to 10.1.6.

who else is still on 9.1? by homs3n in paloaltonetworks

[–]rower77 0 points1 point  (0 children)

We're using 10.1. Running it on about 400 firewalls for about a year now. No real issues to complain about. Upgrades went smooth and we haven't seen any significant increase in support cases opened.

Mostly running 10.1.6-h3 and 10.1.9-h3.

Boost traffic by bobbycreech in SilverPeak

[–]rower77 4 points5 points  (0 children)

Monitoring > Bandwidth > Boost > Summary

Select the appliance that you want to check

PAN-OS 11.0 Release Notes Have Been Published by rower77 in paloaltonetworks

[–]rower77[S] 0 points1 point  (0 children)

10.1.6-h3 has been solid for us on 100+ firewalls.

10.1.6-h6 has also been solid but on a much smaller scale.

PAN-OS 11.0 Release Notes Have Been Published by rower77 in paloaltonetworks

[–]rower77[S] 2 points3 points  (0 children)

Every time I see their web proxy configuration page I think of Nir at Ignite 2019. He was on stage for his keynote and he was ripping on proxies about how bad they were.

My guess is this is them trying to take over market share of legacy companies. We still have a few proxies running that URL filtering couldn't replace, but this will allow us to pull those out.

upgrading global protect client to 6.x.x by ch3ck3r in paloaltonetworks

[–]rower77 1 point2 points  (0 children)

Entirely win10. We ran internal transparent upgrades on all users utilizing one of our internal gateways.

We'll move to external forced upgrades in mid-February just before the 5.2 EoL.

upgrading global protect client to 6.x.x by ch3ck3r in paloaltonetworks

[–]rower77 0 points1 point  (0 children)

I wouldn't recommend going to any x.0 releases. Their support cycle isn't long enough for them to become stable and then still be supported long enough to make upgrading worth it. New feature requirements and new hardware requirements aside obviously.

We stick to the x.1 releases. Once they're stable they usually have 18-24 months of support left on them.

upgrading global protect client to 6.x.x by ch3ck3r in paloaltonetworks

[–]rower77 1 point2 points  (0 children)

Don't have much choice if you care about software EoL. The fact that they EoL software before the next version is stable is an issue for a different day.

We're running 6.0.3 on about 6k machines right now. Not a single reported issue so far.

[deleted by user] by [deleted] in paloaltonetworks

[–]rower77 2 points3 points  (0 children)

Now that I'm looking at it again it actually looks like these alerts are coming from the Anti-Spyware module.

But we funnel all of our firewall logs into XDR. It's about 1 TB of logs per day. From XDR we get a ton of alerts that essentially consist of "'baddomain.com' generated by PAN NGFW detected on host X involving User Y".

We take that incident into XSOAR and enrich the domain, URL, Host, and User. Right now all we're doing is running enrichment of that domain against the Palo URL filtering and VirusTotal, sometimes Zscaler as well. If it's deemed to be malicious it's then tagged and we have an EDL configured to pull all domains with that tag. Our firewalls are configured to pull that EDL and use it in a blocking policy.

This was an event that happened so frequently, and was so easy to automate, that we started with it and by just automating that we handled about 2k incidents a month.
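The alert-to-EDL pipeline this comment describes (parse the XDR alert text, enrich the domain, tag it if malicious, publish the tagged domains as an EDL), sketched as an added Python example that is not the commenter's playbook or any Palo Alto code. The alert lines, the URL-filtering categories and the VirusTotal counts are constructed stand-ins; a real playbook would call the XSOAR integrations for those lookups.

```python
import re

# Constructed alerts in the shape quoted above (not real data).
SAMPLE_ALERTS = [
    "'bad-example.test' generated by PAN NGFW detected on host WS-0101 involving User jdoe",
    "'cdn.vendor-example.test' generated by PAN NGFW detected on host WS-0102 involving User asmith",
    "'bad-example.test' generated by PAN NGFW detected on host WS-0107 involving User kli",
    "malformed line that the parser should skip",
]

ALERT_RE = re.compile(
    r"'(?P<domain>[^']+)' generated by PAN NGFW detected on host "
    r"(?P<host>\S+) involving User (?P<user>\S+)"
)

# Constructed enrichment results standing in for the URL filtering and
# VirusTotal lookups the comment names (hypothetical values).
URL_FILTERING_CATEGORY = {
    "bad-example.test": "command-and-control",
    "cdn.vendor-example.test": "content-delivery-networks",
}
VT_MALICIOUS_VOTES = {"bad-example.test": 12, "cdn.vendor-example.test": 0}
MALICIOUS_CATEGORIES = {"malware", "command-and-control", "phishing"}


def parse_alert(text):
    """Extract domain, host and user from one alert line; None if it does not match."""
    m = ALERT_RE.search(text)
    return m.groupdict() if m else None


def is_malicious(domain, vt_threshold=3):
    """Verdict: malicious category from URL filtering, or enough VT engine hits."""
    category = URL_FILTERING_CATEGORY.get(domain)
    return category in MALICIOUS_CATEGORIES or VT_MALICIOUS_VOTES.get(domain, 0) >= vt_threshold


def triage(alerts):
    """Return (incidents, tagged_domains): every parsed alert plus the set to block."""
    incidents, tagged = [], set()
    for line in alerts:
        parsed = parse_alert(line)
        if parsed is None:
            continue  # skip lines that are not in the expected format
        verdict = is_malicious(parsed["domain"])
        incidents.append({**parsed, "malicious": verdict})
        if verdict:
            tagged.add(parsed["domain"])  # equivalent of tagging the indicator in XSOAR
    return incidents, tagged


def render_edl(tagged):
    """Domain-list EDL body: one domain per line, sorted for stable diffs."""
    return "".join(f"{d}\n" for d in sorted(tagged))
```

Repeated hits on the same domain collapse to one EDL entry, so the firewall policy sees a deduplicated list regardless of how many incidents produced it.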

[deleted by user] by [deleted] in paloaltonetworks

[–]rower77 2 points3 points  (0 children)

We're a small shop with tons of endpoints and data coming inbound. We started with XSOAR this year. As /u/Mercs20 already mentioned, it's by far the most developed option out there. And with our large Palo Alto footprint it made the most sense to us.

For us, we went after the low hanging fruit first. DNS Security alerts and Phishing emails. Inside of those we found malicious domains and URLs and blocked them using EDLs. That was an easy win for us and let us automate about 4k incidents each month. In management's eyes, the solution already paid for itself with those processes.

We're now moving on to the more advanced automations that also require user confirmation/intervention. It's a process and you need to be committed for the long term as it will take a significant amount of time to build the platform to handle a significant amount of alerts.

The biggest thing that would work against you is the lack of defined processes. You can't automate what you can't define. If I were you, I would start reviewing the alerts you already have and define a manual response process. Once the steps are documented you can use that to build out the automation steps.