topic Re: Palo Alto Security Profiles Suggestions in General Topics

Palo Alto Security Profiles Suggestions

Khanna075 — Thu, 29 Aug 2024 02:01:33 GMT

I am seeing that we have different Palo Alto provided Security Profiles that we can map to the security policy. What would best strategy to test it first in lower environments before rolling onto prod ?

We just want to make sure it should not create any problems to existing traffic.

Right now, we are not using for each security policy. But we want to use.

any kind of help would be greatly appreciated.

Re: Palo Alto Security Profiles Suggestions

Khanna075 — Thu, 29 Aug 2024 16:37:17 GMT

Can someone please suggest me any inputs on this ?

Re: Palo Alto Security Profiles Suggestions

PavelK — Mon, 02 Sep 2024 04:22:23 GMT

Hello @Khanna075

thanks for posting question.

We had a similar situation in the past. We used AD group of IT / Security Department as a source user to limit the policies with strict security profile for testing before rolling this out to rest of the policies. Alternatively you can use source IP address (Source subnet if this is possible in your case) to limit policies with strict security profile.

Kind Regards

Pavel

Re: Palo Alto Security Profiles Suggestions

TomYoung — Mon, 02 Sep 2024 11:20:12 GMT

Hi @Khanna075 ,

When I do a migration from a another vendor firewall to Palo Alto, I used to test the security profiles 1st. Here was my process:

Use security profile groups which make changing the profiles per security policy rule a LOT easier.
Use the Day 1 Configuration which has built in security profile groups such as Alert-Only, Inbound, Outbound, Internal, etc.
Assign the desired groups Inbound, Outbound, Internal, etc. to your security policy rules.
Change the security profiles in those groups to Alert-Only.
After the traffic has been cut over to the Palo Alto, review the Monitor logs to confirm if there are any false positives.
Configure exceptions for the false positives, and change the security profiles in the groups to the recommended settings.

To be honest, it has been a while since I have done that. I found very little false positives as I did many migrations. There were some. Today, I enable all the security profiles; have the customer perform their test plan; and troubleshoot the false positives the night of the cut-over or the next day.

It is important to run a BPA on the new NGFW before the cutover because the BPA recommends additional security profile settings that the Day 1 Configuration does not have.

Thanks,

Tom

Re: Palo Alto Security Profiles Suggestions

Khanna075 — Thu, 05 Sep 2024 11:34:11 GMT

Thanks Pavel for your inputs.

It is helpful to plan my requirement.

Re: Palo Alto Security Profiles Suggestions

Khanna075 — Thu, 05 Sep 2024 11:35:13 GMT

Thank you much Tom for taking out time and sharing your inputs. This actually covers everything that I need to consider my planning.

Really appreciate the help!