<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: security policy in monitor mode only in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/security-policy-in-monitor-mode-only/m-p/545313#M111529</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;The simple answer is to use an 'allow' policy. When deploying the firewall there are two options:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Place it inline in vwire with an Any Any policy as the last policy, then you can build policies above it to see which ones get 'hit'.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;Migrate the config from the previous device to the Palo Alto using the 'Expedition' tool to migrate the policies etc.
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool" target="_blank"&gt;https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Here is a Best Practices guide for deployment:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started/best-practices-for-completing-the-firewall-deployment" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started/best-practices-for-completing-the-firewall-deployment&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What I did, since it was a Cisco appliance I was migrating from, was to create the policies as layer 3/4, as a standard Cisco ASA would. Then once deployed, I would create stricter policies with applications instead of 'services' (ports). I then created my own day one policy that had a lot of the config already built in, both best practices and DISA STIGs etc. It's not fully complete due to differences in network and design etc., but it's a great start if you're truly brave. The config does not allow for much to pass, so treat it as DENY ALL, allow by exception; you have to put in the allow policies.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint-of-heart/ta-p/435501" target="_blank"&gt;https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint-of-heart/ta-p/435501&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Cheers!&lt;/P&gt;</description>
    <pubDate>Thu, 08 Jun 2023 15:27:34 GMT</pubDate>
    <dc:creator>OtakarKlier</dc:creator>
    <dc:date>2023-06-08T15:27:34Z</dc:date>
    <item>
      <title>security policy in monitor mode only</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/security-policy-in-monitor-mode-only/m-p/545298#M111526</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This is a new Palo Alto deployment.&amp;nbsp; We used to have Cisco FTD as IPS and now we are replacing it with Palo Alto.&amp;nbsp; We have 3 devices (router and SDWAN) that we configured using vwire so all traffic to the DC would pass through the Palo Alto inspection as IPS.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I would like to deploy the security profiles/group (vulnerability/antivirus/spyware) as monitor mode only, so I can see what traffic would have been blocked by PA and then correct all the false positives.&amp;nbsp; In Cisco FMC we have the option of the policy rule action as monitor to achieve this.&amp;nbsp; I cannot find something similar in Palo Alto.&amp;nbsp; Please can someone help with how to set the security policy to monitor only (not take the drop or reset action), as I want to know the traffic that it would have dropped.&lt;/P&gt;</description>
      <pubDate>Thu, 08 Jun 2023 13:40:34 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/security-policy-in-monitor-mode-only/m-p/545298#M111526</guid>
      <dc:creator>ismailsh</dc:creator>
      <dc:date>2023-06-08T13:40:34Z</dc:date>
    </item>
    <item>
      <title>Re: security policy in monitor mode only</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/security-policy-in-monitor-mode-only/m-p/545313#M111529</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;The simple answer is to use an 'allow' policy. When deploying the firewall there are two options:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Place it inline in vwire with an Any Any policy as the last policy, then you can build policies above it to see which ones get 'hit'.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;Migrate the config from the previous device to the Palo Alto using the 'Expedition' tool to migrate the policies etc.
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool" target="_blank"&gt;https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Here is a Best Practices guide for deployment:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started/best-practices-for-completing-the-firewall-deployment" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started/best-practices-for-completing-the-firewall-deployment&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What I did, since it was a Cisco appliance I was migrating from, was to create the policies as layer 3/4, as a standard Cisco ASA would. Then once deployed, I would create stricter policies with applications instead of 'services' (ports). I then created my own day one policy that had a lot of the config already built in, both best practices and DISA STIGs etc. It's not fully complete due to differences in network and design etc., but it's a great start if you're truly brave. The config does not allow for much to pass, so treat it as DENY ALL, allow by exception; you have to put in the allow policies.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint-of-heart/ta-p/435501" target="_blank"&gt;https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint-of-heart/ta-p/435501&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Cheers!&lt;/P&gt;</description>
      <pubDate>Thu, 08 Jun 2023 15:27:34 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/security-policy-in-monitor-mode-only/m-p/545313#M111529</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2023-06-08T15:27:34Z</dc:date>
    </item>
    <item>
      <title>Re: security policy in monitor mode only</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/security-policy-in-monitor-mode-only/m-p/545367#M111538</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/271833"&gt;@ismailsh&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;To explicitly answer your profile questions, you'd want to create new profiles and ensure that you have all actions set to alert. The one thing that I'll mention here is that some of the profiles you'll have to think a little bit about when you actually enforce them. For example, if you set up an Anti-Spyware profile and have all severities set to alert, that doesn't show you everything that the firewall would actually take an action on if you set the action back to default.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;However, that will at least get you to the point where you're gathering as much data as possible so you have it when changing the action and actually enforcing standards.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 08 Jun 2023 21:17:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/security-policy-in-monitor-mode-only/m-p/545367#M111538</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2023-06-08T21:17:07Z</dc:date>
    </item>
    <item>
      <title>Re: security policy in monitor mode only</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/security-policy-in-monitor-mode-only/m-p/545670#M111578</link>
      <description>&lt;P&gt;Thank you&amp;nbsp;OtakarKlier and BPry for the replies.&lt;/P&gt;</description>
      <pubDate>Tue, 13 Jun 2023 00:40:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/security-policy-in-monitor-mode-only/m-p/545670#M111578</guid>
      <dc:creator>ismailsh</dc:creator>
      <dc:date>2023-06-13T00:40:13Z</dc:date>
    </item>
  </channel>
</rss>