topic Re: Is there a need for a book on PAN-OS "Policy as Code" subject? in General Topics

Is there a need for a book on PAN-OS "Policy as Code" subject?

Nikolay_M — Tue, 21 Nov 2023 22:25:22 GMT

Dear All,

I am looking to determine if there is a demand in the market for a guide to PAN-OS security policy automation ("policy as code").

There is plenty of reference information (https://pan.dev is always a good starting point) but there is no resource/book that would take one of the available automation frameworks and demonstrate how to leverage it to build a comprehensive "real-world" firewall security policy based on business requirements. From personal experience, I also know that those who only start their careers with firewalls (and NGFWs in particular) usually have no clue how to implement a new policy with zero impact on end-users. The proposed guide would address both of these gaps.

If you feel our Palo community would benefit from such a guide, please drop a short comment or a Like under this post. Below you can find a more detailed description of the contents.

TLDR summary is at the bottom of the post.

== book description ==

This book will demonstrate how to leverage simple Python programming and firewall API to build a comprehensive security policy for a typical scenario where Palo Alto Networks firewalls serve as web-filtering Internet gateways in a multi-site enterprise environment. Our main goals and drivers will be a risk-based approach to security, consistency, high manageability, and low administrative overhead.

All aspects of policy design and implementation will be covered. Our solution will be suitable for companies of all sizes—from small and medium businesses comprised of a handful of offices with standalone firewalls to international corporations with hundreds of offices with firewalls managed by Panorama appliances.

We will start by defining functional requirements and discussing the relevant software features of PAN-OS, as well as the specifics of packet processing in Next-Generation Firewalls. This will be followed by identifying necessary policy elements and structuring them to meet the defined requirements and adhere to security best practices. We will ensure the policy is risk-centric, user- and administrator-friendly, and integrates well with the company’s IT Help Desk system.

Then, we will select a suitable automation framework and proceed to turn our ideas into software code. We will rely on object-oriented Python with elements of classic procedural programming and fill gaps with the help of ChatGPT.

The testing and implementation section will conclude the book. We will discuss necessary policy testing and develop a methodology that will allow us to transition our firm’s sites to the new policy with zero impact on end-users. Another piece of code will be required to achieve this crucial part of our work.

After reading this book and following along, you will be able to bid farewell to all infamous “any-any” policy rules and the poorly structured and inconsistent firewall policies your organization may have accumulated over the years, which cause endless trouble for your department.

Equally, this book will provide you with a pocket “Swiss Army knife” of ready-made network security solutions for greenfield firewall deployments.

=======

TLDR version:

Intro, Business context, Business requirements, NGFW basics
Security Policy Design (how to put together all security features)
Firewall Automation and Management Choices
How to set up a Dev Environment
Coding (transformation of the designed policy into Python code)
QA and Testing of all policy features
Deployment

Thank you in advance.

Re: Is there a need for a book on PAN-OS "Policy as Code" subject?

JayGolf — Tue, 14 Nov 2023 00:04:50 GMT

This sounds like a brilliant idea!

Re: Is there a need for a book on PAN-OS "Policy as Code" subject?

Nikolay_M — Tue, 14 Nov 2023 13:00:46 GMT

Thank you! Let's see if anyone else thinks the same 🙂

Re: Is there a need for a book on PAN-OS "Policy as Code" subject?

gbarnhart — Tue, 21 Nov 2023 14:45:37 GMT

Nikolay, documenting the practical experience would be very helpful. I for one would purchase it. Having the knowledge and understanding of what tighter security should look like combined with the automation as the vehicle to get it done quickly and at scale would be the holy grail. Too many times either the resources do not exist to get it done or there is concern over operational impact due to a lack of knowledge.

Re: Is there a need for a book on PAN-OS "Policy as Code" subject?

chmotley — Tue, 21 Nov 2023 21:57:52 GMT

Sounds like you're putting onto paper something that a lot of folks are trying to do but unable to cobble together. Appreciate the work you've already put into this, Nikolay!

Re: Is there a need for a book on PAN-OS "Policy as Code" subject?

JimmyHolland — Wed, 22 Nov 2023 17:56:30 GMT

There's plenty of material on Python, Ansible, Terraform out there and how to operationalise them.
There's lots of vendor documentation for PAN-OS out there too.
There is not much content, by comparison, where those two circles overlap on a Venn diagram. PAN-OS specific guidance on using and operationalising automation would be worthy of a book IMO.

Re: Is there a need for a book on PAN-OS "Policy as Code" subject?

xhoms — Wed, 22 Nov 2023 21:06:53 GMT

I think such a book would enable many FW administrators to give policy automation a try.

If I may, I would suggest a section about drift handling. Both from "detection and revert" (to the code source of truth) and from the "detection and integrate" (changes done manually becoming part of the code) points of view.

Re: Is there a need for a book on PAN-OS "Policy as Code" subject?

Nikolay_M — Wed, 22 Nov 2023 22:58:03 GMT

It's a good point, thank you. I will see how I can cover this.

Re: Is there a need for a book on PAN-OS "Policy as Code" subject?

kiwi — Thu, 23 Nov 2023 07:49:55 GMT

I'm on the same page as the other users who commented. A guide like that would be super handy for a bunch of people and would really fill a content gap.

Re: Is there a need for a book on PAN-OS "Policy as Code" subject?

Nikolay_M — Thu, 11 Sep 2025 16:24:51 GMT

The book has now been published. I am not sure if the forum's policies allow posting links to online bookstores (probably not :)), but you can use Google to search for "Palo Alto Networks from Policy to Code" to find it on Amazon and in a variety of other online stores.