IronSkillet Day One Configuration

Printer Friendly Page

Brief Description

IronSkillet is a day one deployment-agnostic NGFW and Panorama configuration. It is used as an initial baseline including device hardening and security profiles to be used by use-case specific configuration and security policies.

 

Target Audience

Users who want to an immediate day one configuration to build from without extensive research and GUI clicks.

 

Skillet Details

Documentation: https://iron-skillet.readthedocs.io/en/docs_master/

Github Locationhttps://github.com/PaloAltoNetworks/iron-skillet.git

Github Branches: panos_v10.0, panos_v9.1, panos_v9.0, panos_v8.1 (EOE), panos_v8.0 (EOE)

PAN-OS Supported: 9.0, 9.1, 10.0 for the NGFW and Panorama

Type of Skillet: panos (xml/set) and panorama (xml/set)

Collections: IronSkillet, Config, Validations

Purpose: starting point for new NGFW or Panorama deployment

 

Detailed Description

IronSkillet includes a broad set of configuration elements that land in various areas of the configuration as show in the menu items below.

 

IronSkillet MenuIronSkillet Menu

For a detailed walkthrough of the GUI elements used in IronSkillet, use the visual guide: https://iron-skillet.readthedocs.io/en/docs_master/viz_guide_panos.html

 

Skillet focus can broken into a few core areas:

  • Device management hardening: general operations of the NGFW

  • Security traffic hardening: control of traffic flows that impacts device monitoring

  • Logging and alerts: data collection and external notifications

  • Security objects and policies: policy-related config settings and dynamic updates

  • Decryption objects and policies: certification checks and sample no-decrypt policy

 

The repo contains the following skillets and other configuration elements:

 

  • NGFW and Panorama full configuration file as a template and folder with default-based loadable configs

  • NGFW and Panorama xml snippets

  • NGFW and Panorama set command skillets including a spreadsheet version that is tool agnostic

  • NGFW validation skillet mapped to the Visual Guide to compare current configurations to IronSkillet recommendations

  • NGFW validation skillet showing new items added between 8.1 and 9.x to look for gaps during sw upgrades

 

Detailed information specific to using each skillet type is included in the readthedocs.io documentation.

 

Prerequisites

The following should be completed before running IronSkillet:

  • firewall licenses activated including all threat, URL, and Wildfire subscriptions

  • updated with the latest or recommended software release

  • if using PanHandler: updated to 3.0 latest release

 

Additional details specific to each loading stage, variables, and release updates are found at https://iron-skillet.readthedocs.io/en/docs_master/

 

Loading IronSkillet

Various tools and apps have been updated to work with IronSkillet including: