Using validation skillets to assess the NGFW

L3 Networker

We've introduced a new type of skillet that isn't designed to instantiate or configure something, but instead to read and assess. These are validation skillets.

Initially focused on xml configuration files for the NGFW and Panorama, they provide a structured way to look at the configuration without the user having to read through the configuration themselves. The skillet does the work based on predefined test rules in the skillet. After the analysis the user is presented with a set of pass/fail results, including detailed messaging and documentation links for more information or quick remediation.

IronSkillet provides a solid introduction to the validation skillets due to its set of recommended practices. The common question I often get is 'how close is my current config to IronSkillet?'. Well, now we have a way to answer that question, combined with GUI config steps to align with IronSkillet where gaps are found.

Using the panHandler application, the validation skillets are found in the IronSkillet collection with type = PAN Validation.

val_collections.png


The first tile is a quick check of items added in 9.0, an easy way to see what's changed since IronSkillet was loaded with an 8.x release.

The second, and where we'll focus, is a full assessment of the configuration file against IronSkillet recommendations. More details can be found within the IronSkillet documentation.

When I hit 'Go' I'm presented with the option of Online or Offline mode. Online mode is useful when you have API access to the device and want to do a quick grab of the running configuration. Offline mode allows you to paste in the xml configuration file, a great alternative when you don't have API access or already have a copy of the config file ready to go.

I paste in a firewall config and the output shows me I didn't do so well. This is the first 9 of 49 checks, and I failed most of them. Oops.

val_results.png


Clicking on the 'Check' column label shows me additional detail.

val_results_expanded.png


Lastly, I can click on the documentation links to see where in the GUI to make the recommended updates. This maps to the IronSkillet visual guide.

I can take a peek at Telemetry and decide to enable it. The guide shows the GUI menu steps and, below the image, some context about this feature.

val_telemetry.png


Or maybe I'm not quite sure where to find the SNMP config area. Click the test doc link and here it is, under Device > Setup > Operations > SNMP. It's those hard-to-find areas of the configuration where the IronSkillet validation skillet and visual guide work best together.

val_snmp.png


I can continue to step through the validation, make changes, and rerun the test to see what has changed or what I've missed, all without deep-diving into the xml config file or dancing through every piece of the GUI.

The use cases for validation skillets can include 'what did I miss?', 'what do I need?', or 'what will I break?'. IronSkillet gave us a view of the first. Other validation skillets could check for object names such as security or logging profiles, and even licensing information where skillets have varying dependencies. The 'what will I break?' case can check existing configuration for naming conflicts, or look before configuring over existing interfaces.

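As an added illustration (not code from this post, panHandler or IronSkillet), here is a small Python sketch of how a validation skillet's predefined test rules turn an xml config into pass/fail results with a message and a documentation link, plus a 'what will I break?' check for naming conflicts. The XML layout, xpaths and doc links are assumptions loosely modelled on the PAN-OS config tree, not IronSkillet's actual rules, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    xpath: str            # evaluated relative to the <config> root
    expect_present: bool  # True: a match is required to pass; False: a match is a fail
    fail_msg: str
    doc_link: str

# Assumed xpaths loosely modelled on the PAN-OS layout; not IronSkillet's real rules.
SYS = "./devices/entry[@name='localhost.localdomain']/deviceconfig/system"
RULES = [
    Rule("telemetry_enabled",
         f"{SYS}/update-schedule/statistics-service/application-reports[.='yes']",
         True, "Enable Telemetry under Device > Setup > Telemetry.",
         "https://docs.example.invalid/telemetry"),  # placeholder doc link
    Rule("snmp_default_community",
         f"{SYS}/snmp-setting/access-setting/version/v2c/snmp-community-string[.='public']",
         False, "Replace community 'public' under Device > Setup > Operations > SNMP.",
         "https://docs.example.invalid/snmp"),  # placeholder doc link
    Rule("login_banner_set", f"{SYS}/login-banner", True,
         "Set a login banner under Device > Setup > Management.",
         "https://docs.example.invalid/banner"),  # placeholder doc link
]

def validate(config_xml: str, rules=RULES) -> dict:
    """'What did I miss?': map each rule name to (passed, message, doc link)."""
    root = ET.fromstring(config_xml)
    results = {}
    for r in rules:
        found = root.find(r.xpath) is not None
        passed = found == r.expect_present
        results[r.name] = (passed, "pass" if passed else r.fail_msg, r.doc_link)
    return results

def name_conflicts(config_xml: str, planned: dict) -> list:
    """'What will I break?': planned maps a container xpath to the entry names a
    config skillet would create; returns the names that already exist there."""
    root = ET.fromstring(config_xml)
    existing = {(p, e.get("name")) for p in planned for e in root.findall(f"{p}/entry")}
    return sorted(n for p, names in planned.items() for n in names if (p, n) in existing)

# Constructed sample config: telemetry off, default SNMP community, no banner.
SAMPLE = """<config><devices><entry name="localhost.localdomain"><deviceconfig><system>
<update-schedule><statistics-service><application-reports>no</application-reports></statistics-service></update-schedule>
<snmp-setting><access-setting><version><v2c><snmp-community-string>public</snmp-community-string></v2c></version></access-setting></snmp-setting>
</system></deviceconfig><vsys><entry name="vsys1"><profiles><virus><entry name="Outbound-AV"/></virus></profiles></entry></vsys>
</entry></devices></config>"""
VSYS1 = "./devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"
```

Running `validate(SAMPLE)` fails all three checks with their remediation hints; `name_conflicts(SAMPLE, {f"{VSYS1}/profiles/virus": ["Outbound-AV", "Inbound-AV"]})` reports that `Outbound-AV` already exists.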

So, in tandem with configuration skillets, the validation skillets provide the visibility and safeguards needed for a better configuration experience.
