RealWorldPANOS

Real-world PAN-OS field notes from production environments.
Practical lessons, patterns, and defensive techniques—written by a working firewall engineer.

Available for consulting on PAN-OS, Panorama at scale, and secure K-12 network enforcement.

Start here

Posts

From Log to Block: Auto-Blocking External Threat Sources with PAN-OS

Log forwarding filter → built-in tagging action → Dynamic Address Group → high-priority block rule.

Maintaining Web Filtering on Take-Home Chromebooks (At Scale)

PAC + pass-through Squid proxies + enforced user auth to keep policies working off-network.

Connectivity Beyond the Campus

Secure cellular connectivity extended to buses, public locations, and school sites without decentralizing policy enforcement.

Beating Student Proxy Sites Without Playing Whack-a-Mole (Custom App-ID)

Stop chasing domains. Detect the shared proxy framework “engine” (Scramjet, Ultraviolet, Rammerhead, etc.) and break it.

More posts coming: proxy-evasion indicators, Panorama structure patterns, and decryption “gotchas”.

About

I’m Ben McCall, a senior PAN-OS firewall engineer working in large-scale production networks, primarily in K-12 environments where bypass attempts are constant and creative. I’ve been hands-on with Palo Alto since January 2013 (PA-5050 era).
This site documents what works, what fails, and why—so other engineers can move faster.

Disclaimer

All views are my own and do not represent my employer.
Content is shared for educational purposes; apply changes responsibly and test in your environment.

Consulting

Work with me

If you’re dealing with student proxy bypass, Panorama sprawl, decryption breakage, or off-campus enforcement, I can help design a practical approach that fits production realities. Short engagements are fine.

Email: benmccall1976@gmail.com

Contact

Contact / Links

benmccall1976@gmail.com
LinkedIn