<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Rule base management best practices in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/rule-base-management-best-practices/m-p/246103#M70105</link>
    <description>&lt;P&gt;Hi Everyone,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm new to the Palo Alto firewall system. My experience is with Checkpoint firewalls. I've been asked by management to look into the best practices for rule base management.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Currently we go through the rule and look at every rule and try to determine if it's still valid. We then disable the rule for 30 days and then delete the rule after that.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you have a lot of rules this gets tedious and things can be missed.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So my question is; is there a best practice guide, whitepaper, suggestions etc to help. Also I'm looking at putting tags on the rules to help identify them and wanted to know if there are any suggestions as to what type of tags/info would be good to identify the rules.&lt;/P&gt;</description>
    <pubDate>Tue, 15 Jan 2019 16:04:50 GMT</pubDate>
    <dc:creator>arivera_12</dc:creator>
    <dc:date>2019-01-15T16:04:50Z</dc:date>
    <item>
      <title>Rule base management best practices</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/rule-base-management-best-practices/m-p/246103#M70105</link>
      <description>&lt;P&gt;Hi Everyone,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm new to the Palo Alto firewall system. My experience is with Checkpoint firewalls. I've been asked by management to look into the best practices for rule base management.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Currently we go through the rule and look at every rule and try to determine if it's still valid. We then disable the rule for 30 days and then delete the rule after that.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you have a lot of rules this gets tedious and things can be missed.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So my question is; is there a best practice guide, whitepaper, suggestions etc to help. Also I'm looking at putting tags on the rules to help identify them and wanted to know if there are any suggestions as to what type of tags/info would be good to identify the rules.&lt;/P&gt;</description>
      <pubDate>Tue, 15 Jan 2019 16:04:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/rule-base-management-best-practices/m-p/246103#M70105</guid>
      <dc:creator>arivera_12</dc:creator>
      <dc:date>2019-01-15T16:04:50Z</dc:date>
    </item>
    <item>
      <title>Re: Rule base management best practices</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/rule-base-management-best-practices/m-p/246117#M70107</link>
      <description>&lt;P&gt;PAN-OS 8.1 introduced rule hit counters, so that's probably the easiest way to do what you want. If you're stuck running 8.0 for now, the best you have is the "Highlight Unused Rules" checkbox at the bottom of the rule base that will highlight any rules not hit since the firewall was last restarted.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 15 Jan 2019 16:57:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/rule-base-management-best-practices/m-p/246117#M70107</guid>
      <dc:creator>gwesson</dc:creator>
      <dc:date>2019-01-15T16:57:13Z</dc:date>
    </item>
    <item>
      <title>Re: Rule base management best practices</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/rule-base-management-best-practices/m-p/246123#M70109</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/104858"&gt;@arivera_12&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;I think the system you have is pretty good honestly, at the very least you are&amp;nbsp;&lt;EM&gt;looking&lt;/EM&gt; for non-needed rules which is something many people don't.&amp;nbsp;&lt;/P&gt;&lt;P&gt;As&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/28203"&gt;@gwesson&lt;/a&gt;&amp;nbsp;mentioned the rule-hit counters in 8.1 definitely help in determining if the rule is still needed.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I would however really recommend the following:&amp;nbsp;&lt;/P&gt;&lt;P&gt;- Document the ticket number in the description. This ensures you know why the rule was created in the first place.&amp;nbsp;&lt;/P&gt;&lt;P&gt;- Name entries appropriately. I've seen way too many rulebases with entries named "Rule 152" and so on. Build a proper name so you know what the rule is doing.&amp;nbsp;&lt;/P&gt;&lt;P&gt;- Tags can help to group rules, but I've never seen them do a good job at telling you if the rule is still needed.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So you can probably make a better process at the moment. Then when you get upgraded to 8.1 you'll have the Hit Counts to actually see if the rule is being utilized, and then the next major version&amp;nbsp;&lt;EM&gt;maybe&lt;/EM&gt; has even more features to make this easier. If you want to see what that could&amp;nbsp;&lt;EM&gt;possibly&lt;/EM&gt; look like and how things&amp;nbsp;&lt;EM&gt;maybe&lt;/EM&gt; get even better, join the beta group so you get access to the release notes at least.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 15 Jan 2019 17:30:18 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/rule-base-management-best-practices/m-p/246123#M70109</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2019-01-15T17:30:18Z</dc:date>
    </item>
  </channel>
</rss>

