Palo Alto access


Marlon Yu

Sep 4, 2025, 12:38:06 AM
to Techies for schools

To those who have already been migrated to PAN firewalls, just curious what kind of access you have to policies and reporting?

 

Do you still have to go through the N4L portal? Do you have access to Panorama and if not, what kind of reporting do you have access to? Do you still retain (limited) access to the firewall for troubleshooting (e.g. looking at logs)?

 

Marlon

 

Rafal Janaszkiewicz

Sep 4, 2025, 2:21:57 PM
to techies-f...@googlegroups.com
Hi Marlon,

We are scheduled for the holidays.

From what I understand, read-only access to the firewall is not standard, as we had requested it to ensure we had it day one. It's called Strata Cloud Manager (read-only access), which I would recommend you request.

N4L provides very little information about the actual service which is very frustrating for school ICT engineers. Here's a list of questions we had and responses from N4L. 

Question - With the PA-1410 can we expect dual power supplies? As this is an option we are unsure which option has been selected.


N4L Answer - The 1410 has 2 power supply slots, we provide 1 power supply and power cable. 


Question - Can you advise which version of PAN-OS will be installed?


N4L - We are currently deploying 11.2.6 PAN-OS which is required to support the current features.


Question - What are the hardware SLAs? If we have a fault with the firewall what can we expect in terms of support or replacement if required?


N4L Answer - For hardware fault/RMA, our target SLA is 8 support hours (8am-5pm Mon-Fri). We have spares housed in 8 locations across New Zealand, including Wellington, and on call field services support to deliver and install replacement hardware. 


Question - What level of access will we have to the new firewall? Can we still make changes and will we still have full read access?


N4L Answer - Initially, read only access via Strata Cloud Manager can be provided, which gives full visibility of config and logs. At a future date we plan to enable restricted write access. This is more complex as there are global management considerations, security implications and intricacies with the way the PA firewall config is structured (more granular in nature) so will need thorough testing and sign off by our Security team.  


Question - How do we make changes to web filtering? 


N4L Answer - Every school has their own web filtering rules to meet the needs of their internet use and safety policies. These settings are translated across to PA filtering. Our team will make sure your current settings are transferred to the new firewall. Once your school has the new N4L firewall installed, changes to web filtering can be made by contacting our Customer Support team on 0800 532 764.


Question - What monitoring and reporting can we expect? Will we have SSH & SNMP access?


N4L Answer - SSH access to the firewall is blocked and firewalls are managed from Strata Cloud Manager; with the access to Strata, all visibility is available.


Question - Most firewalls offer a range of licensed security features. Which security features can we expect? Are any excluded?


N4L Answer - As part of the package, we have configured Cloud Delivered Security services (CDSS). This includes: Adv Threat Protection, URL Filtering, DNS, IOT, Wildfire, Global Protect for VPN and Identity; however, we are not including Endpoint Protection.



Regards,


Rafal Janaszkiewicz
ICT Manager
Wellington High School
DDI: 028 2550 8784



Adeel Soomro

Sep 4, 2025, 7:47:58 PM
to techies-f...@googlegroups.com

Hi all,


Thank you for your feedback. Regarding Palo Alto firewall access for self service: 


At the moment, we are piloting limited read-only access to the Strata Cloud, which provides rich visibility. We are working through releasing an improved secure login experience across our services, including Strata Cloud. This is underway. Once the new authentication platform is in place, we will be in a position to make read-only access available at a wider scale. We are in the process of building capability to make self-service filtering changes via MyN4L, which is expected to be available early/mid 2026. We now have significantly more access to bring visibility and control for technical staff.


Regards,

Adeel Soomro







Rafal Janaszkiewicz

Sep 4, 2025, 7:57:03 PM
to techies-f...@googlegroups.com
Hi Adeel,

This is the type of information which should have been available to all from the start.

Currently there is a huge lack of information about a key bit of infrastructure N4L is replacing in schools. Due to the lack of information everyone is asking questions through this group. 

Can you advise where we find this type of information? Or if there are any plans to provide more of this type of information so we aren't going into a major project blind. 

Regards,


Rafal Janaszkiewicz
ICT Manager
Wellington High School
DDI: 028 2550 8784

Jonathan Churton

Sep 4, 2025, 8:05:08 PM
to techies-f...@googlegroups.com
"We now have significantly more access to bring visibility and control for technical staff."

I hate to be nitpicky, but I would like it to be noted that we have almost full direct read-only access to our Fortigate VDOM (even if the internet goes down due to a bad config change) and write-access to 90% of our firewall-related tasks via the Forti-Portal.

At this stage, Palo Alto is a regression until the additional access is available.

Regards,
Jonathan.



--
Jonathan Churton
Senior ICT Systems Engineer
Lighting and Sound Engineer
Wellington High School
Work: 02825508921 or Ext 887

Adeel Soomro

Sep 8, 2025, 7:48:12 PM
to techies-f...@googlegroups.com
Thanks Rafal and Jonathan.

Constructive feedback, thanks - we could have done better in providing more visibility around the access. Some of the aspects around self-service were unknown to us initially, as we were working through the discovery and design phase with our partners. As new product information is confirmed during the project, we are adding this to our FAQs available on Support Hub.

Presently, our product team is running a small read-only pilot and interviewing school IT Leads to get better insights around the use cases for read-write access. Filtering changes are obviously the biggest and most frequent request. The intent is to enable real time filtering for schools via the MyN4L Portal late around Term 2 in 2026. As we gather inputs around the other types of edit access, we will complete a careful assessment on the feasibility of providing restricted write access within the Strata Cloud Manager.

Our aim is to provide users with the most appropriate access so day-to-day changes can be self-served, whilst ensuring a standard configuration is kept intact in most cases. We are using the pilot to help inform the design and build of this process and functionality, which does take some time.


Regards
Adeel
