Real-world PAN-OS field notes from production environments.
Practical lessons, patterns, and defensive techniques—written by a working firewall engineer.
Available for consulting on PAN-OS, Panorama at scale, and secure K-12 network enforcement.
Log forwarding filter → built-in tagging action → Dynamic Address Group → high-priority block rule.
PAC + pass-through Squid proxies + enforced user auth to keep policies working off-network.
Secure cellular connectivity extended to buses, public locations, and school sites without decentralizing policy enforcement.
Stop chasing domains. Detect the shared proxy framework “engine” (Scramjet, Ultraviolet, Rammerhead, etc.) and break it.
More posts coming: proxy-evasion indicators, Panorama structure patterns, and decryption “gotchas”.
I’m Ben McCall, a senior PAN-OS firewall engineer working in large-scale production networks,
primarily in K-12 environments where bypass attempts are constant and creative.
I’ve been hands-on with Palo Alto since January 2013 (PA-5050 era).
This site documents what works, what fails, and why—so other engineers can move faster.
All views are my own and do not represent my employer.
Content is shared for educational purposes; apply changes responsibly and test in your environment.
If you’re dealing with student proxy bypass, Panorama sprawl, decryption breakage, or off-campus enforcement, I can help design a practical approach that fits production realities. Short engagements are fine.
Email: benmccall1976@gmail.com