Community Blog

Announcements
Customer Notice: Panorama Certificate Expiration on June 16 2017.  Read More >

A Wicked Cool Palo Alto Networks Feature That Not Everyone Knows About

by EmmaF on 05-13-2015 12:30 PM (4,262 Views)

By: Matt Keil

One of my roles in the company is to participate in our regular new hire training, and in our last session, I was asked a question that I had never been asked before. The question was, “What is the coolest feature in your product that not everyone knows about?” While there are many, many very cool features in our product, without hesitation I told them that it is actually a combination of three features that allow customers to collect external data and use it to automate firewall deployment and policy updates.

Let me explain.

To be specific, the three cool features I am referring to are the XML API, Dynamic Address Groups (DAG) and Virtual Machine Monitoring (VM-Monitoring). They are standard PAN-OS features and are supported in both our virtualized and appliance-based form factor firewalls. I believe the reason users don’t know about them is that they see these three features as being primarily applicable to managing the dynamic nature of virtualized environments, ensuring that security keeps pace with business.

But the best-kept secret around these features is that they are equally valuable when used with our appliance form-factor firewalls. Just think about the external data sources that you may refer to regularly and then use (manually) to manage your network security. Now imagine if there was a way to automate those tedious, day-to-day tasks. Then you understand the value these features can provide.

It's true that they are invaluable in a virtualized environment because they facilitate two forms of automation:

  1. They help automate the provisioning of a VM-Series firewall so that when new virtual machines are created, our next-generation firewall can be deployed simultaneously.
  2. They bring a sense of order to policy chaos by updating policies dynamically as virtualized and hardware form-factor workloads are added, changed or removed.

In a virtualized environment, change is common and happens rapidly. But security, as part of a set of best practices, often follows a more rigid change control process that can mean delays. The value of these three features, therefore, is that they allow security to keep pace with the speed of change in virtualized environments. You can preserve the flexibility of a virtualized environment and ensure important security updates get made just as rapidly.

Here are two other examples of how these features solve a variety of challenges using our appliances:

  • Automating the deployment of hundreds of physical firewalls: Imagine the challenge of deploying our firewall appliance to hundreds of remote locations, quickly, consistently and cost-effectively. The solution for this customer was strict adherence to IP addressing on the networking side, which they mapped to named objects in PAN-OS such as “External_IP”, “Wireless_network”, and “Wired_workstations”. The objects are then used in Panorama Templates and the IP addresses are dynamically provisioned, greatly simplifying firewall deployment. One of our firewalls is sent to the remote location, it is connected to the network, and Panorama is used to deliver the configuration via a Template. Device Groups are then used to complete the setup.
  • Enabling policy creation that accompanies IT asset allocation: In another example of how these three features can enable dynamic policy updates, a customer is integrating our firewall with their IT ticketing solution (ServiceNow) as a means of generating policy updates as new IT assets are deployed. In this scenario, the new asset's (PC, workstation, laptop) IP address is harvested from the ticket and pulled into the firewall as part of the policy update.

Most security professionals have too many things to do in a single day. The ability to use the XML API, DAG and VM-Monitoring to tie our enterprise security platform, whether virtualized or physical form-factor, into external data sources as a means of automating what are normally manual and time-consuming tasks is a wickedly cool feature.

Got a cool example of how you use any of these features? Comment and let us know.

Comments
by Gun-Slinger
on 06-03-2015 10:27 AM

The Dynamic Address Group resource and the API are by far two of my favorites. These services reduced our overhead considerably in multiple areas; however, one stands out the most.

Our team was receiving 5-10 requests per day from our incident response team to have IPs or ranges blocked for various reasons.

We leveraged the API and DAG by creating a web UI that uses the PAN API and allows authorized personnel to submit the IP(s), which automatically populates a DAG on a drop/block rule. The change takes almost immediate effect, and my team is no longer burdened with the responsibility of facilitating multiple requests a day.

by Richard_Bergen
on 11-09-2015 10:12 AM

I've also done similar things with requests from a security team at a previous company using dynamic block lists.


Created an internal authenticated page which the SOC could access and update the TXT file the firewall was retrieving using a PHP page.
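An added example (not code from the post, from either commenter, or from Palo Alto Networks) that ties together the workflows described above: the ServiceNow-driven policy update in the post, the block-rule DAG in Gun-Slinger's comment, and the dynamic block list text file in Richard_Bergen's comment. Operator-submitted addresses are validated first, then rendered either as the `<uid-message>` document the XML API's `type=user-id` call uses to register IP-to-tag mappings for a Dynamic Address Group, or as the one-entry-per-line text file a firewall fetches as a dynamic block list. The tag name `ir-block`, the sample submission, the header comment and the response strings are constructed assumptions; the XML element names follow the PAN-OS user-id registration format, and the API key is passed as a form field so it never lands in a URL or proxy log.

```python
"""Validate operator-submitted addresses and render them as a DAG tag
registration (XML API, type=user-id) or as a dynamic block list file."""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Tag that the Dynamic Address Group on the firewall matches on (assumed name).
BLOCK_TAG = "ir-block"

# Constructed sample of what an IR ticket or web form might hand over:
# mixed separators, a duplicate, a subnet, and one line that is not an address.
SAMPLE_SUBMISSION = "198.51.100.23, 203.0.113.9\n198.51.100.23\n192.0.2.0/24\nnot-an-ip"


def parse_submission(text):
    """Split free-form text into (networks, rejected).

    Hosts become /32 or /128 networks; anything ipaddress cannot parse is
    reported rather than silently dropped, so a bad line never reaches the
    firewall and the submitter sees exactly what was refused."""
    networks, rejected = set(), []
    for raw in text.replace(",", "\n").splitlines():
        item = raw.strip()
        if not item or item.startswith("#"):
            continue
        try:
            networks.add(ipaddress.ip_network(item, strict=False))
        except ValueError:
            rejected.append(item)
    # Sort by family first: IPv4 and IPv6 networks do not compare directly.
    ordered = sorted(networks, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return ordered, rejected


def render_block_list(networks, header="# maintained by the SOC block-list page"):
    """One entry per line, the format a firewall reads from a dynamic block
    list URL. Single hosts are written bare, subnets with their prefix."""
    lines = [header]
    for n in networks:
        lines.append(str(n.network_address) if n.num_addresses == 1 else str(n))
    return "\n".join(lines) + "\n"


def build_uid_message(networks, tag=BLOCK_TAG, unregister=False):
    """Build the <uid-message> document for the XML API's type=user-id call.

    Only host addresses are registered against the tag here; subnets are
    left to the block list above."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    section = ET.SubElement(payload, "unregister" if unregister else "register")
    for n in networks:
        if n.num_addresses != 1:
            continue
        entry = ET.SubElement(section, "entry", ip=str(n.network_address))
        ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")


def registered_ips(uid_xml):
    """IPs named in a <uid-message>, useful for logging what was pushed."""
    return [e.get("ip") for e in ET.fromstring(uid_xml).iter("entry")]


def api_form_body(api_key, uid_xml):
    """Form-encoded body for POST https://<firewall>/api/ over HTTPS with the
    firewall's certificate verified (hostname placeholder, not a real target)."""
    return urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml})


def check_response(body):
    """True on <response status="success">; otherwise raise with the
    firewall's own error text so a failed push is never mistaken for a block."""
    root = ET.fromstring(body)
    if root.get("status") == "success":
        return True
    detail = root.findtext(".//line") or root.findtext(".//msg") or body
    raise RuntimeError(f"firewall rejected update: {detail}")


if __name__ == "__main__":
    nets, bad = parse_submission(SAMPLE_SUBMISSION)
    print("rejected:", bad)
    print(render_block_list(nets))
    msg = build_uid_message(nets)
    print(msg)
    print("registered:", registered_ips(msg))
```

The same `parse_submission` output feeds both paths, so the web form can push hosts to the DAG immediately and write the subnet entries to the file the firewall polls; the DAG change takes effect as soon as the firewall accepts the registration, while the block list updates on the firewall's next fetch.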
