Fuel recently presented “Traffic Visibility & Attack Surface Reduction,” hosted by Kate Taylor of Palo Alto Networks. Here, Kate discusses how Palo Alto Networks’ implementation best practices, tips and tricks for the NGFW’s App-ID, User-ID and SSL decryption technology can help you accomplish your goals.
Do you have a list of and recommended practice for apps that break or misbehave in conjunction with SSL-decrypt, e.g. Apple iCloud/Store?
Absolutely! That list can be found here.
What is the best approach for migration to Stateful Firewalls, such as Cisco FWSM?
The approach you use for migrating from a Stateful Firewall like Cisco FWSM wholly depends on how much time you have to do so and how much impact to existing policies you’re willing to accept. Either approach — migrating existing rules or starting from scratch — can work well for you, depending on your current situation.
Here are some FWSM migration troubleshooting forums from our Live site that can help you with the migration.
How are usernames identified in the logs? Is there a plugin for Radius or TACACS?
User-ID does work with Radius.
Here are some configuration and troubleshooting forums that may help you set this up on your Palo Alto Networks NGFW.
If we do not have a URL Filtering subscription, is SSL decryption all or nothing?
No, you can choose to decrypt by application using App-ID. We do have a number of App-IDs for web-based applications — this is a more granular approach and will not allow you to encompass entire URL categories within your decryption policies.
If SSL encryption is enabled, will it not increase the CPU usage of the firewall and degrade performance?
Yes, enabling SSL decryption does use more of the CPU and taxes your NGFW performance, but our Single-Pass scanning architecture is more efficient with CPU resources and so there is less additional performance degradation than seen in NGFWs that do not use this type of scanning engine.
Any best practices on DLP?
We do have plans to publish best practices for securing data, including how Palo Alto Networks can help prevent data loss, in the next few quarters. If you sign up for a complimentary Fuel User Group Membership, you’ll be notified when new best practices are published.