I work at a large company that has a hybrid workload split between AWS and our datacenters, with dedicated connectivity between AWS and on-prem resources. We use NGFW's on the datacenter end with a default-deny policy for everything. Our firewall change process includes a weekly change management meeting with a whole bunch of approvals, and change windows twice a week. This simply can't keep up with all of the new applications being deployed in AWS; especially since so many of the rule change requests are more or less identical, like allowing new services in AWS to access port 80 on a specific IP in our datacenter.
I was wondering if anyone has, or knows of, information they can point me to about how others have solved problems like this? I figured that this was the best category for such a question, but I can handle the actual code and API side of it fine. The thing I'm looking for help with are success stories from other companies that have done this, that I can use to help convince leadership and the change management folks that we can automate many typical firewall changes (or even make them self-service) the same way we do that for other infrastructure tasks.
Thanks in advance for any input/advice/links/etc.
Palo Alto Networks has released integrations with two of the main automation tools when it comes to managing NGFWs in the cloud (and on prem): Ansible and Terraform. Both work more or less the same: you have some sort of config file that details the changes you want to make, then you run the config file. Integration with Ansible is more mature and has more features right now, as the Terraform integration was just released a month ago.
* https://live.paloaltonetworks.com/t5/Ansible/ct-p/Ansible (some good blog posts here)
Hope this helps!
Thanks so much, but I'm already aware of both of those. We're fine on the technical side - we're very comfortable with Terraform and somewhat with Ansible, and would be fine using pandevice as well.
The problem we're having is convincing people who are tied to our current change control process, and think that waiting 2-4 weeks for a firewall change is not only a good thing, but the only way to function. We're having a lot of people who are involved in the current process make arguments that essentially boil down to fear that "automation" will result in horrible instability or loss of security.
My main question is whether anyone has either public examples of success stories with automating (or maybe even provinding self-service) rule changes, or else can speak to test processes that they use for vetting changes before automation takes over, and how that's helped.
I've worked with a number of global financial, manufacturing, and retail customers that have built entirely homegrown automation and orchestration frameworks to meet the specific needs of their respective organizations. Each one used API-based workflows to provision, configure, and orchestrate services and infrastructure including compute, storage, networking, and security. In every case they've touted some pretty remarkable benefits such as cost savings, shortened delivery timeframes, and a significant reduction in misconfigurations.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!