The Palo Alto Networks Skillet Story

L3 Networker

First there was IronSkillet

The skillet story starts with IronSkillet. The goal was to answer a simple question: how can a new NGFW user get to a recommended day one configuration without spending hours or days reading through configuration guides and stepping through thousands of GUI clicks?

The answer required two sets of expertise: (1) security subject matter experts to define a best practice configuration and (2) automation experts to help define how to make the configuration consumable across a broad set of applications. The former expertise came from a mix of inputs from Pro Services, the Best Practice Assessment team, Consulting Engineers, Technical Marketing Engineers, and Support engineers. The latter expertise, and the genesis of the skillet concept, was based on a design model from automation experts.

IronSkillet (aka 'a hardened PAN') provides a structured model for an XML-based configuration template, including the ability to accept user input variables and apply simple logic based on configuration options such as DHCP or statically addressed interfaces. This configuration file is packaged with associated metadata so it can be shared and played back with any supporting application.

Skillets and Records

Played back...like a record? Yep. This led to the concept that the skillet is like a record and the supporting applications are the record players. And borrowing from the IronSkillet name, we now have these record-like skillets.

Now that there is a structured way to capture and share configuration information, our records, the skillet story extended beyond IronSkillet to any configuration use case. Whether the need is for highly repeatable configurations such as MSSP or branch deployments, or for Just-in-Time needs like demos, training, or quick deployments, the same model can be used. Now, instead of only the IronSkillet security-centric team, any SME can readily share their experiences.

Moving Beyond NGFW and Panorama Configuration

With the metadata model used, skillets could extend beyond the playback of XML configuration files. The second generation of skillets now included:

  • simple text rendering: the ability to add variables to a set command file or any text content that can be shared and requires variables specific to each user
  • python: simplify sharing of Python code with an included Python virtual environment, variables, and a web UI through the use of tools like panHandler
  • rest: REST calls and data capture for any REST-based API requirement, even extending beyond Palo Alto Networks
  • terraform: support a UI, variable inputs, and instantiations by integrating with Terraform templates
  • workflow: the ability to chain together a set of skillets into a simple workflow

More than Configuration and Instantiation: Validation

The current generation of skillets also allows for the analysis of configuration information through validation skillets. A validation skillet has a set of test rules that look for specific configuration elements, licensing information, and content update status. This creates a more dynamic environment to better understand the device state.
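As an added illustration of the rule-based checks described above (not code from IronSkillet, panHandler, or any Palo Alto Networks tool), the following Python applies a small set of test rules to an XML configuration and reports which hardening checks fail. The config fragment is constructed and simplified, and the rule tuple format and the `validate` and `failed` helpers are hypothetical, not the skillet metadata format.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified config fragment (not a real device export).
SAMPLE_CONFIG = """
<config>
  <devices><entry name="localhost.localdomain"><deviceconfig><system>
    <hostname>branch-fw-01</hostname>
    <service>
      <disable-telnet>yes</disable-telnet>
      <disable-http>no</disable-http>
    </service>
    <ntp-servers/>
  </system></deviceconfig></entry></devices>
</config>
"""

# Hypothetical rule format: (label, ElementTree path, test, expected value).
RULES = [
    ("telnet_disabled", ".//system/service/disable-telnet", "equals", "yes"),
    ("http_disabled", ".//system/service/disable-http", "equals", "yes"),
    ("hostname_set", ".//system/hostname", "present", None),
    ("ntp_configured", ".//system/ntp-servers/primary-ntp-server", "present", None),
]

def validate(config_xml, rules=RULES):
    """Return {label: (passed, detail)} for each rule against the config."""
    root = ET.fromstring(config_xml)
    results = {}
    for label, path, test, expected in rules:
        node = root.find(path)
        if node is None:
            # A missing element is a failed check, never a silent skip.
            results[label] = (False, "element missing")
        elif test == "present":
            results[label] = (True, "element present")
        elif test == "equals":
            actual = (node.text or "").strip()
            results[label] = (actual == expected,
                              f"found {actual!r}, expected {expected!r}")
        else:
            raise ValueError(f"unknown test {test!r} in rule {label}")
    return results

def failed(results):
    """Sorted labels of the rules that did not pass."""
    return sorted(label for label, (ok, _) in results.items() if not ok)

if __name__ == "__main__":
    for label, (ok, detail) in validate(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'} {label}: {detail}")
```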

 

 
