
Introduction
This document outlines key points for efficiently managing firewalls with large migrated configurations and optimizing these rule sets for a smooth onboarding process.
Potential Issues Arising from Large Migrated Configurations
When firewall configurations are migrated from other security vendors to PAN-OS, they are most likely to be very large and unoptimized. This can lead to multiple issues in the long run, especially when the firewalls are onboarded as managed firewalls on Panorama. These issues include, but are not limited to:
- Configuration Management Challenges: Complex and bloated configurations are harder to manage, troubleshoot, and update.
- Increased Risk of Errors: The larger the configuration, the higher the chance of introducing errors during migration or subsequent changes.
- Compliance and Audit Difficulties: Maintaining compliance and passing audits can be more challenging with large, unoptimized configurations.
An unoptimized and unorganized configuration leads to inefficient use of resources on Panorama and defeats the purpose of efficient centralized management.
Key Points to Consider While Importing Large Migrated Configurations
Before Onboarding
- Leverage the Device Group Hierarchy and the Template Stack layering capabilities to define a consistent security posture of all the firewalls that will be managed using Panorama.
- Device Groups and Templates can be empty to begin with and can be filled up as an ongoing process of onboarding.
- This will enable the sharing of common configurations across multiple firewalls once they have been onboarded.
During Onboarding
For firewalls with configurations that exceed Panorama's capacity, temporary local management is still an option. These firewalls can be onboarded into Panorama without associating them with a device group or template stack. This allows for continued local management of the security configuration directly on the firewall using Panorama's Context Switch feature. While the security policy is managed locally, Panorama can still be leveraged for orchestrating other device management functions, including software and content updates, centralized logging, reporting and device health monitoring.
The configuration can be imported into Panorama at a later date.
After Onboarding
Local Configuration Cleanup
- Leverage Policy Optimizer to identify unused and shadowed rules and chalk out a plan to phase them out.
  - Policies are the biggest contributors to configuration size, and optimizing them will also improve the security posture. For example, 1000 policies ~= 2 MB.
- Leverage AIOps and Config Cleanup on Strata Cloud Manager to identify unused objects and zero-hit objects and policies for configuration optimization.
  - This requires a Strata Cloud Manager (SCM) Pro license and logging to Strata Logging Service (SLS).
- Identify and remove redundant pieces of configuration.
  - Excessively long descriptions: Expedition is known to add long descriptions during configuration migrations, which adds to the configuration size. Remember, 1 character = 1 byte. So, 1000 characters per object for 30000 objects becomes 30 MB.
  - Static route summarization: Sometimes, static routes defined in the Virtual Router configuration can run into the hundreds. They can often be summarized to reduce redundant routes.
  - Review and merge similar rules: The number of rules can sometimes be reduced by merging them. For example, there could be hundreds of rules with the same destination IP and port but different sources. Merging all of these sources into a single rule will help reduce the configuration size.
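As an added illustration of these three cleanup checks (this script is not Palo Alto Networks code and is not part of the original article), the following Python audits a PAN-OS XML configuration export: it totals the bytes spent on rule descriptions and flags long ones, groups security rules that differ only in their source so they can be reviewed as merge candidates, and collapses static routes that share a next hop into summary prefixes. The element paths follow the PAN-OS configuration layout; the embedded configuration is a constructed sample, and the 256-byte description threshold is an arbitrary choice.

```python
"""Audit a PAN-OS XML configuration export for cleanup opportunities.

Added example, not Palo Alto Networks code. The XML below is a constructed
sample that mimics the PAN-OS config layout; point load/summarize at a real
export (ET.parse) to run it against your own firewall.
"""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed: the kind of repeated boilerplate a migration tool leaves behind (480 bytes).
LONG_DESCRIPTION = "Migrated by Expedition. " * 20

SAMPLE_CONFIG = f"""<config><devices><entry name="localhost.localdomain">
<network><virtual-router><entry name="default"><routing-table><ip><static-route>
  <entry name="r1"><destination>10.10.0.0/24</destination><nexthop><ip-address>10.0.0.1</ip-address></nexthop></entry>
  <entry name="r2"><destination>10.10.1.0/24</destination><nexthop><ip-address>10.0.0.1</ip-address></nexthop></entry>
  <entry name="r3"><destination>10.10.2.0/24</destination><nexthop><ip-address>10.0.0.1</ip-address></nexthop></entry>
  <entry name="r4"><destination>10.10.3.0/24</destination><nexthop><ip-address>10.0.0.1</ip-address></nexthop></entry>
  <entry name="r5"><destination>10.20.0.0/24</destination><nexthop><ip-address>10.0.0.2</ip-address></nexthop></entry>
</static-route></ip></routing-table></entry></virtual-router></network>
<vsys><entry name="vsys1"><rulebase><security><rules>
  <entry name="web-branch1"><from><member>trust</member></from><to><member>dmz</member></to>
    <source><member>10.1.0.0/24</member></source><destination><member>192.0.2.10</member></destination>
    <application><member>any</member></application><service><member>service-https</member></service>
    <action>allow</action><description>{LONG_DESCRIPTION}</description></entry>
  <entry name="web-branch2"><from><member>trust</member></from><to><member>dmz</member></to>
    <source><member>10.2.0.0/24</member></source><destination><member>192.0.2.10</member></destination>
    <application><member>any</member></application><service><member>service-https</member></service>
    <action>allow</action><description>Migrated</description></entry>
  <entry name="web-branch3"><from><member>trust</member></from><to><member>dmz</member></to>
    <source><member>10.3.0.0/24</member></source><destination><member>192.0.2.10</member></destination>
    <application><member>any</member></application><service><member>service-https</member></service>
    <action>allow</action></entry>
  <entry name="dns-out"><from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>dns</member></application><service><member>application-default</member></service>
    <action>allow</action><description>Outbound DNS</description></entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""


def _members(entry, tag):
    """Collect the <member> values of a rule field as a set (order is irrelevant)."""
    return frozenset(m.text for m in entry.findall(f"{tag}/member"))


def load_rules(xml_text):
    """Flatten each security rule entry into a dict of its match fields."""
    root = ET.fromstring(xml_text)
    rules = []
    for e in root.findall(".//rulebase/security/rules/entry"):
        rules.append({
            "name": e.get("name"),
            "from": _members(e, "from"), "to": _members(e, "to"),
            "source": _members(e, "source"), "destination": _members(e, "destination"),
            "application": _members(e, "application"), "service": _members(e, "service"),
            "action": e.findtext("action") or "",
            "description": e.findtext("description") or "",
        })
    return rules


def description_report(rules, limit=256):
    """Return total description bytes and the rules whose description exceeds limit bytes."""
    sizes = {r["name"]: len(r["description"].encode("utf-8")) for r in rules}
    return sum(sizes.values()), [name for name, n in sizes.items() if n > limit]


def merge_candidates(rules):
    """Group rules identical in every match field except source; groups of 2+ are merge candidates."""
    groups = defaultdict(list)
    for r in rules:
        key = (r["from"], r["to"], r["destination"], r["application"], r["service"], r["action"])
        groups[key].append(r["name"])
    return [names for names in groups.values() if len(names) > 1]


def summarize_static_routes(xml_text):
    """Collapse static route destinations per next hop into the fewest covering prefixes."""
    root = ET.fromstring(xml_text)
    by_nexthop = defaultdict(list)
    for e in root.findall(".//static-route/entry"):
        nexthop = e.findtext("nexthop/ip-address") or "none"
        by_nexthop[nexthop].append(ipaddress.ip_network(e.findtext("destination")))
    return {nh: [str(n) for n in ipaddress.collapse_addresses(nets)] for nh, nets in by_nexthop.items()}


if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONFIG)
    print("description bytes / long:", description_report(rules))
    print("merge candidates:", merge_candidates(rules))
    print("summarized routes:", summarize_static_routes(SAMPLE_CONFIG))
```

Two cautions when acting on the output: a merge candidate group is only safe to collapse if no other rule sits between its members in the rulebase that would change evaluation order for the merged traffic, and merging forfeits per-source hit counts, so capture Policy Optimizer data before consolidating. Route summaries likewise assume the covered space has no holes routed elsewhere; the script groups by next hop precisely so that routes with different next hops are never folded together.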
Identify common configuration
- Identify Shareable Configurations: As you work on your security configuration, identify configuration sets (especially Policies and Objects) that can be applied to multiple firewalls.
- Move Configurations to Panorama: Transfer these common configurations to the appropriate Device Groups and Templates on the Panorama management platform.
- Remove Local Configurations: Delete these configurations from the individual firewalls where they were originally stored.
- Associate Firewalls with Panorama: Connect the firewalls to the relevant Device Groups and Template Stacks on Panorama to inherit the shared configurations.
Conclusion
By implementing these key points, organizations can effectively onboard and manage firewalls with large, migrated configurations on Panorama. This will lead to improved network performance, reduced management complexity, and enhanced security posture. Remember that regular maintenance and optimization of firewall configurations are crucial for maintaining a robust and agile network defense.