Best practices for automating next generation firewall change processes
TRANSCRIPT
BEST PRACTICES FOR AUTOMATING NEXT GENERATION FIREWALL CHANGE PROCESSES
Edy Almer, VP Product, AlgoSec
Moshe Itah, Product Line Manager, Palo Alto Networks
DO YOU STRUGGLE WITH?
• Supporting business transformation initiatives such as cloud and SDN
• Lack of visibility into business application connectivity requirements
• Slow, manual and error-prone change management processes
• Costly outages and exposure to risk due to misconfigurations
• Time-consuming audits and reactive compliance verification
2 | Confidential
ELIMINATE THE TRADEOFF
Security
• Avoid misconfiguration and reduce attack surface
• Proactively mitigate risk
• Ensure continuous compliance
• Enforce network segmentation
Business Agility
• Provision network changes in minutes, not days
• Understand business requirements and avoid application outages
• Align teams to foster DevSecOps
• Free up time by automating processes
THE ALGOSEC SECURITY POLICY MANAGEMENT SUITE
KEY CAPABILITIES
• Secure Business Application Connectivity Management
• Security Policy Change Management
• Continuous Compliance and Auditing
• Firewall Policy Optimization
• Security Policy Risk Mitigation
• NGFW and Datacenter Migration
• Hybrid Cloud Security
ALGOSEC INTEGRATION WITH PALO ALTO NETWORKS
APP-ID AND USER-ID SUPPORT
• Policy analysis
• Automatically and seamlessly replace ports with applications at layer 7
• Zero-touch change management
• Proactive risk analysis
• Add/remove/modify traffic and intelligent rule design
• Policy push directly to Palo Alto Networks devices (through Panorama)
• Mixed NGFW and non user/application-aware infrastructure, and cloud (VMware NSX, AWS, Azure)
APP-ID AND USER-ID CONNECTIVITY MANAGEMENT
• Changes include application default, app_id and user data
PANORAMA SUPPORT
• Automated policy push through Panorama to its devices, including user-awareness and application awareness
• Support for large estates
• Automatically populate firewalls in AlgoSec
• Identify and incorporate candidate policies in the analysis (aggregated changes not yet committed to the devices)
• Allow low risk change requests to be automatically resolved, while security operations must approve or reject only higher risk items
PRAGMATIC AUTOMATION
• Collate all changes related to a policy
• Allow mixed device based work orders and policy based work orders on the same ticket
Make a single change to Panorama instead of hundreds of individual device level changes – while still supporting device based changes for other vendors.
ACTIVECHANGE THROUGH PANORAMA
SUPPORT ORGANIZATION STRUCTURE & DEVICE GROUPS
ASSIGN RESPONSIBILITY TO DEVICE GROUP OWNERS
• Support assignment of Panorama device groups to organizational groups in AD
• Each group handles and approves changes to “its” devices
• Align with organizational structure
• Improve inter-team synchronization
• Reduce errors
• Provide full results to requestors
Management Features in Release 7.1
Moshe Itah
Palo Alto Networks and AlgoSec
• Palo Alto Networks and AlgoSec are close partners
• Palo Alto Networks and AlgoSec share early alpha/beta releases for feedback and testing, product roadmaps and technical discussions
• The relationship works at multiple levels: Business Development, Product Management
29 | ©2016. Palo Alto Networks. Confidential and Proprietary.
Commit Enhancements
Commit Queue
• Once a commit is running, no other commit (user or system triggered) is allowed, preventing:
  – Commit to multiple VSYS on the same device mapped to different DGs in Panorama
  – Multiple admins from committing to device/Panorama simultaneously
  – Tenants from committing simultaneously to their VSYS
  – User commits when DAG updates, FQDN or EDL refreshes are ongoing
• New commits are queued when a commit is in progress
• All commits are queued in the order they were received
• On commit failure the next commit is processed

Commit Queue
• Full visibility into the queue: which commit is being processed?
• Ability to clear the queue
• Queue capacity is platform dependent
• Queues are not synched across HA peers
• CLI and API support
• Commits with the following changes will fail if the commit queue is not empty:
  – Master key
  – Mode (single to multi-VSYS)
  – URL DB
  – Reverts
How Commit Queue Works
(Diagram: a Commit Task Queue feeding Commit Processing. Commit 1 by jamie, Commit 2 by saurabh and Commit 3 by moshe are processed in the order received, with a system-triggered FQDN refresh for Commit 1 queued alongside them.)
Commit Description
• Commit description can be up to 512 characters
• Use cases: describe what changes were pushed down with the commit – ticket numbers, change request numbers, audit info etc.
• Compare versions based on commit description in config audit: type the description text into the config version selector to compare (screenshot callout: "Start typing description")
• Commit description searches available in system logs and task manager
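The queue semantics on the two Commit Queue slides (one commit at a time, FIFO order, failure does not block the next commit, capacity limit, queue clearing, and the change types that are refused while the queue is non-empty) together with the 512-character description rule can be captured in a small model. The following is an added example, not Palo Alto Networks or AlgoSec code: the class names, the default capacity of 5, the change labels such as "vsys-mode", the rule that a running commit counts as a non-empty queue, and the sample commits are all assumptions made for illustration.

```python
"""Model of the PAN-OS 7.1 commit queue and commit description rules described
on the slides above. Added illustration, not Palo Alto Networks code: the class
names, the queue capacity and the sample commits are assumptions."""
from collections import deque
from dataclasses import dataclass

MAX_DESCRIPTION = 512  # slide: a commit description can be up to 512 characters

# Slide: commits carrying these changes fail if the commit queue is not empty.
# The labels are names assumed by this model, not PAN-OS identifiers.
EXCLUSIVE_CHANGES = frozenset({"master-key", "vsys-mode", "url-db", "revert"})


@dataclass
class Commit:
    admin: str
    description: str
    changes: frozenset = frozenset()
    succeeds: bool = True  # assumed outcome of validation when the commit runs
    status: str = "new"


class CommitQueue:
    """One commit runs at a time; the rest wait in FIFO order. Capacity is
    platform dependent on real hardware, so it is a parameter here."""

    def __init__(self, capacity=5):
        self.capacity = capacity
        self.queue = deque()
        self.running = None
        self.history = []  # finished commits, searchable by description

    def submit(self, commit):
        if len(commit.description) > MAX_DESCRIPTION:
            commit.status = "rejected: description too long"
        elif commit.changes & EXCLUSIVE_CHANGES and (self.running is not None or self.queue):
            # Assumption: a running commit counts as a non-empty queue.
            commit.status = "rejected: queue not empty"
        elif len(self.queue) >= self.capacity:
            commit.status = "rejected: queue full"
        else:
            commit.status = "queued"
            self.queue.append(commit)
            if self.running is None:
                self._start_next()
        return commit.status

    def _start_next(self):
        self.running = self.queue.popleft() if self.queue else None
        if self.running is not None:
            self.running.status = "running"

    def finish_running(self):
        """Complete the running commit; a failure does not block the next one."""
        done = self.running
        if done is None:
            return None
        done.status = "committed" if done.succeeds else "failed"
        self.history.append(done)
        self._start_next()
        return done.status

    def clear(self):
        """Drop every waiting commit (the running one keeps going); returns the count."""
        cleared = len(self.queue)
        for commit in self.queue:
            commit.status = "cleared"
        self.queue.clear()
        return cleared


def search_descriptions(commits, text):
    """Case-insensitive description search, like the system log / task manager search."""
    return [c for c in commits if text.lower() in c.description.lower()]
```

Putting the change request number in the description is what makes `search_descriptions` useful after the fact: the config audit and system logs can then be tied back to the ticket that authorised the change.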
Increased Maximum Virtual Disk
• Problem: the maximum supported virtual disk size is 2 TB, which pushes customers to NFS for more storage. NFS is less than ideal for throughput rates and predictability; a virtual disk has better performance, but 2 TB is not enough storage for many customers.
• Solution: support up to 8 TB of virtual disk for VM Panorama. Requires ESXi 5.5+ and a new virtual disk (covered in the LAB session).
New ACC Widgets
• Problem: customers could not see more than the top 10 URL categories or File Types / Data Patterns. URL Filtering and Content activity are currently only shown in the User Activity or IP Activity widgets, at the top 10 items.
• Solution: create two new widgets for URL Filtering and Content Activity. Admins can view top URL domains and files/patterns in a table, with the ability to maximize for an expanded list. The widgets must be added to a tab manually.

New ACC Widgets
• Problem: customers wanted visibility into top data transfers and URLs independent of IP or User. URL and Content visibility was restricted to the User Activity or IP Activity widgets, at a maximum of the top 10 items.
• Solution: create two new widgets for URL Filtering and Content Filtering. Admins can view URL / Content at the top level and drill into details. The widgets must be added to a tab manually.
Unified Log Viewer
• Problem: customers cannot see all events associated with a set of filters across databases. Admins can only view the related logs for any single event, or re-run the same query on each log type.
• Solution: add a unified log viewer. All traffic and threat log types are available; any column that is common will return results from all of the relevant matching logs.

Unified Log Viewer Example
Unified Log Viewer: Specific Query
Unified Log Viewer: DB Selection
(Screenshot slides)
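The rule on the Unified Log Viewer slide, that one filter set runs across all selected log databases and a column only returns results from the log types that carry it, is easy to get wrong in a home-grown log tool (a filter on a column a log type lacks silently matches nothing or everything). The following is an added example that models that rule over constructed sample records; it is not Palo Alto Networks code, and the column names and schemas are assumptions loosely modelled on PAN-OS log fields rather than the product's real column set.

```python
"""Model of a unified log query across several log databases, as described on
the Unified Log Viewer slide. Added example with constructed records; not Palo
Alto Networks code. Column names and schemas are assumptions."""

# Columns each log type carries (assumed schemas for this model).
SCHEMAS = {
    "traffic": {"src", "dst", "app", "action", "bytes"},
    "threat": {"src", "dst", "app", "action", "threat_name", "severity"},
    "url": {"src", "dst", "app", "category", "url"},
}

# Constructed sample records, one small "database" per log type.
LOGS = {
    "traffic": [
        {"src": "10.1.1.5", "dst": "203.0.113.10", "app": "web-browsing",
         "action": "allow", "bytes": 5120},
        {"src": "10.1.1.7", "dst": "198.51.100.3", "app": "ssl",
         "action": "deny", "bytes": 0},
    ],
    "threat": [
        {"src": "10.1.1.5", "dst": "203.0.113.10", "app": "web-browsing",
         "action": "alert", "threat_name": "sample-signature", "severity": "medium"},
    ],
    "url": [
        {"src": "10.1.1.5", "dst": "203.0.113.10", "app": "web-browsing",
         "category": "computer-and-internet-info", "url": "example.com/"},
    ],
}


def common_columns(log_types):
    """Columns shared by every selected log type: what a unified filter can use
    and still get results from all of them."""
    cols = [SCHEMAS[t] for t in log_types]
    return set.intersection(*cols) if cols else set()


def unified_query(filters, log_types=None, logs=LOGS):
    """Apply one filter set across the selected databases (DB selection via
    log_types; None means all of them).

    Returns (log_type, record) pairs. A log type that lacks any filter column
    is skipped rather than producing false matches, mirroring the slide's rule
    that common columns return results from all relevant logs."""
    selected = list(log_types) if log_types is not None else list(logs)
    hits = []
    for log_type in selected:
        if not set(filters) <= SCHEMAS[log_type]:
            continue  # this database cannot answer a filter on an unknown column
        for record in logs[log_type]:
            if all(record.get(col) == value for col, value in filters.items()):
                hits.append((log_type, record))
    return hits


def per_type_counts(hits):
    """Matches contributed by each database; the old workflow needed one query
    per log type to assemble this."""
    counts = {}
    for log_type, _ in hits:
        counts[log_type] = counts.get(log_type, 0) + 1
    return counts
```

Filtering on `src` alone reaches every database, while adding `severity` narrows the same query to the threat log only, because the other schemas have no such column; that is the difference between one unified query and re-running a query per log type.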
THANK YOU
For personal demo: www.algosec.com/Demo
More information: [email protected]