topic Re: Best practice for setting up address groups in General Topics

Best practice for setting up address groups

Alex_Samad — Tue, 09 May 2017 05:21:26 GMT

Newbie to PA.

I want to create a address group dynamic (think that might be best. made up from a group of network addresses in each DC.

So for example if I have 3 DC

dc1 - 10.1.0.0/16

dc2 - 10.2.0.0/16

dc3 - 10.3.0.0/16

I could tag them with "dc_network"

Looking at dc3 I could make that a dynamic group

say

10.3.1.0/24

10.3.10.0/24

10.3.100.0/24

10.3.110.0/24

with tag say dc1_networks.

This is where i was going to leave it but then I thought why not enter into the address object each server for example

10.3.1.50

10.3.10.50

10.3.100.50

10.3.110.50

and I could tag it as dc1_servers.

should I be doing it this way

server -> network -> dc -> company network

or should I stick just to network level ?

Re: Best practice for setting up address groups

BPry — Tue, 09 May 2017 12:50:15 GMT

@Alex_Samad,

Personally I don't see a big advantage of user an actual address entry for a whole network. Generally you are going to know that anything within 10.1.0.0/16 is dc1 and when you start to create rules you'll inadvertably enter that in a few times without actually clicking on the address object or address group. Then you have a mixture of statically defined addresses, and then other policies that actually mention the address object. Maybe some instances have you updating whole subnets for different things but I've found these to be highly static and you'll likely never change dc1 from 10.1.0.0/16 unless you go all ipv6.

The dc1_servers dynamic address group is really where I would create things like this because it makes it generally easier to manage. So if you limit the objects in this group for anything tagged dc1_servers when you decomission or add a server you simply need to worry about create the address object and tagging it correctly instead of updating all of the security policies. This also comes in handy for things like printers and things like that.

Really this is all going to depend on how you actually build out your rules. I would imagine that you'll have more rules destined to secure your servers then you will with your actuall entire network address for dc1 or so on. Generally speaking though I will manually type in the network addresses instead of using my set address groups for entire networks; but when it comes to things like servers or printers I'll always use dynamic address groups simply due to the fact that they change pretty often in all of my enviroments.

Re: Best practice for setting up address groups

Alex_Samad — Wed, 10 May 2017 05:10:35 GMT

For now I think I am going to do both ... doing a trial..

Trying to figure out best approach to building profiles

I have multi env prod , sim , uat , test, demo, dev ... all with similiar security set, I was going to use tags which would sets which would define port/protocols, so app1 can talk to app2 but only for the same environment.

Re: Best practice for setting up address groups

pulukas — Sat, 13 May 2017 12:36:39 GMT

Your organization model and tagging can work. But you will need to be very careful in how you construct the actual security policy order of rules. Since you are going to have address objects at three levels each more specific than the previous, you will need to insure that any rules are in your policy from most specific address tags to the least specific.

Otherwise the more specific rules will never get used and unanticipated permits or denies will occur.