topic Automate policy and object tightening in General Topics

Automate policy and object tightening

Greghayza — Thu, 24 Feb 2022 19:35:09 GMT

Firewalls need to be able to improve their own status automatically by adjusting rules, policies and objects automatically to be more secure by using usage date. An example, system a talks to system b on a selection of ports all configured on the firewall. All designed and planned on human logic. After a month some ports have no traffic between the systems. The firewall should detect this and remove the unused ports from the configuration so that the rule is more secure. The same for source and destination ip addresses. If ip's or ranges show no usage after an extended period, firewall should tighten access to used ip addresses. Obviously allow an override where it's needed. Imaging installing a firewall, that gets more secure over time by removing unused ports, rules and ip's.

Re: Automate policy and object tightening

BPry — Fri, 25 Feb 2022 02:30:24 GMT

@Greghayza,

I think you just described policy optimizer recommendations almost to a T, just that it's not automated 😀

Personally I don't think I would ever want my firewall automatically changing policies and removed "unused" app-ids or rulebase entries. There's plenty of rules and app-ids that I have across various clients that only get hit during quarterly or even yearly business practices. Policy Optimizer routinely tells me the rules are unused, even though the schedule assigned isn't active and I don't expect it to be hit for months to follow. I wouldn't want to suddenly find my firewall removed an app that was needed or a security rulebase entry that was needed.

Re: Automate policy and object tightening

LAYER_8 — Tue, 08 Mar 2022 19:03:14 GMT

Same with expedition. Run our migration tool on a linux box, forward it some logs, give it your palo config, and it will recommend enhancements. See more here.

Or we are coming out with a similar solution for $, AIOps. See more here.