topic Re: Flowcharting rules in General Topics

Flowcharting rules

BobW — Sat, 09 Mar 2013 16:04:10 GMT

It sounds as if my situation is a bit different than most as from what I gather most people do not use the scheduling feature of the firewall. I am at a pre-K-12 boarding school with dorm students, dorm parents, etc. which means I use the scheduling piece in almost every rule! As part of this I am struggling a bit of following the logic of my rule set (I pity the person who takes this it over of I leave!).

I am curious if anyone has been using some sort of third party mind mapping/flow charting software to draw out the logic of their rules? I am not a big fan of Visio.

Do people use the PA on it's own and just keep adding to it without mapping it out?

Thanks

Bob

Re: Flowcharting rules

BCH — Sat, 09 Mar 2013 18:44:37 GMT

PA on its own with rule comments, or a "simple" Excel spreadsheet with a couple macros and bonus fields :smileysilly:

Re: Flowcharting rules

craymond — Mon, 11 Mar 2013 15:09:45 GMT

That is one area that the PAs are really lacking. There are no visualization tools like Cisco ASAs and Netscalers, and no grouping of rules based on zones or policy type like the MS ISA. It also does not even have a numbering column, which is very strange! It would be nice to see some of these introduced. We use the TAG field and the description field to try to keep track of things. There is also an API to export all of the rules to an excel spreadsheet which might be a help.

Re: Flowcharting rules

craymond — Mon, 11 Mar 2013 16:02:15 GMT

Here is the link to the user DOC on importing to Excel:

Here is the DOC on using the REST API for more info: -

Re: Flowcharting rules

mharding — Tue, 12 Mar 2013 22:27:35 GMT

For my sanity, I group the rules by zone. But, that was back when you could sort the rules by zone easily back in PAN-OS 2.0. :smileysilly: I'm starting to use the tags as we've grown to 500+ rules.

Re: Flowcharting rules

craymond — Wed, 13 Mar 2013 20:56:15 GMT

Wow - and I thought our 240+ policies were bad! Glad to see someone else white-lists more than we do. PA should do more to help organize rules.

Re: Flowcharting rules

gafrol — Thu, 14 Mar 2013 07:00:21 GMT

Absolutely, I remember to have requested such a feature about two years ago in order to organise large rulebases. I am coming from Check Point Firewalls and I really liked their management and still do.

They have a section feature in the rulebase where it allows you to divide the rulebase into different sections with section titles and also to collapse/expand sections.

I constantly get complains by customers regarding the rulebase becoming a mess. I believe a proper firewall management is key to success and here it has a lot to be done by PAN.

Re: Flowcharting rules

craymond — Thu, 14 Mar 2013 13:13:51 GMT

This has been a feature request for a long time supposedly from many people.I talked to several people with PA and they have said that it is supposed to be included in a "future release". This was over a year ago!

Re: Flowcharting rules

gafrol — Thu, 14 Mar 2013 13:21:17 GMT

To me this seems a rather easy addition since it only affects the WebUI and does not need any FW engine related changes.

At the same time this improvement would really help a lot of people.

Maybe someone from PAN could share some input here...?

Re: Flowcharting rules

craymond — Thu, 14 Mar 2013 13:42:42 GMT

If someone is "friends" with a Palo rep. that has an account, they can share this thread with them using the share button. That might get a quicker response!

Re: Flowcharting rules

gafrol — Thu, 14 Mar 2013 13:46:04 GMT

done.