07-20-2016 06:48 PM
Hi all,
I'd be interested to hear if anyone has come up with interesting naming schemes for AD groups used within Palo Alto firewall policies.
I'm looking for inspiration as I'm looking to come up with a logical scheme on our end.
Cheers.
07-21-2016 12:38 AM
Can you elaborate on your request?
07-21-2016 05:45 AM
I'm interested to learn how people name their groups within Active Directory that are used within the Palo Alto Firewall Policies.
Are they named randomly, or does the name of the group identify what the policy does within the firewall?
I'm looking to come up with a naming scheme for myself that makes sense, is easy to manage and has relevance when identifying the policy within the firewall so I'd like to learn if others have come up with a scheme or system that they use that I could draw inspiration on for my requirements.
For example, if a policy is giving RDP access to a bunch of servers on floor 3 of office 1, is the rule named 'Off_1_Flr_3_RDP_allow' or is it called 'access to rdp for developers'?
07-21-2016 12:01 PM - edited 07-21-2016 12:03 PM
Do you mean just the security rule names / nomenclature?
If you're actually talking about security groups in AD that are used in policy on the firewall...Well in most environments the guys that control the firewall have no input on the naming standard of AD security groups.
07-21-2016 05:22 PM
Yeah, I'm talking about the nomenclature of the AD security groups themselves.
I guess I'm in a different position where I have the input in naming both.
07-23-2016 05:49 AM
Naming conventions that I've found most helpful over various employers are ones that are both brief and meaningful. This usually entails determining first the major categories and then sub-groups that have logical meaning for the organization, then developing a short 3-4 letter abbreviation for them to encode into the name.
You can further simplify the AD setup by creating security groups that simply contain other groups.
For example:
- A list of job roles that contain actual users
- A list of resources needing access security that contain job role groups only
The security policy then can be nuanced to either the resource or the role depending on the details of the rule.
And names are recognizable abbreviations of the resource or the role.
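The two-tier layout in the reply above (role groups hold users, resource groups hold only role groups, and each name encodes its category with a short abbreviation) is easy to lint and to flatten once it is written down. The following is an added example, not code from the thread, Palo Alto or Microsoft; it models a small directory in plain Python rather than querying Active Directory, and the `ROLE-`/`RES-` prefixes and the abbreviation regexes are an assumed convention chosen for illustration. It checks every group name against the convention, flags resource groups that contain anything other than a role group, and resolves the effective user set behind a resource group the way a firewall's User-ID group mapping would see it.

```python
"""Model of a two-tier AD group layout: job-role groups hold users, resource
groups hold role groups only, and every group name carries a category prefix.
Constructed example; it does not talk to Active Directory."""
import re
from collections import deque

# Assumed naming convention (not from the thread): a category prefix followed by
# 3-4 character abbreviations, e.g. ROLE-DEV or RES-OFF1-FLR3-RDP
# (resource groups encode site, area and the protocol the rule allows).
ROLE_NAME = re.compile(r"^ROLE-[A-Z]{3,4}$")
RES_NAME = re.compile(r"^RES-[A-Z0-9]{3,4}-[A-Z0-9]{3,4}-[A-Z]{3,4}$")


def classify(name):
    """Return 'role', 'resource', or None if the name does not fit the convention."""
    if ROLE_NAME.match(name):
        return "role"
    if RES_NAME.match(name):
        return "resource"
    return None


# Constructed directory: group name -> members. Users are lower-case account
# names, groups are upper-case names. Two deliberate violations are included.
GROUPS = {
    "ROLE-DEV": {"alice", "bob"},
    "ROLE-OPS": {"carol"},
    "ROLE-HLPD": {"dave", "ROLE-OPS"},          # a role group nesting another role
    "RES-OFF1-FLR3-RDP": {"ROLE-DEV", "ROLE-OPS"},
    "RES-OFF1-FLR3-SSH": {"ROLE-DEV", "erin"},  # violation: direct user member
    "Developers": {"frank"},                    # violation: name not in convention
}


def lint(groups):
    """Report convention violations: names outside the scheme, and resource
    groups whose members are not all role groups."""
    findings = []
    for name, members in groups.items():
        kind = classify(name)
        if kind is None:
            findings.append(f"{name}: name does not follow convention")
            continue
        if kind == "resource":
            for member in members:
                if classify(member) != "role":
                    findings.append(f"{name}: member {member!r} is not a role group")
    return findings


def effective_users(groups, name):
    """Flatten nested membership into the set of users, tolerating cycles."""
    users, seen, queue = set(), {name}, deque([name])
    while queue:
        current = queue.popleft()
        for member in groups.get(current, ()):
            if member in groups:
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users


if __name__ == "__main__":
    for finding in lint(GROUPS):
        print("violation:", finding)
    print("RES-OFF1-FLR3-RDP resolves to", sorted(effective_users(GROUPS, "RES-OFF1-FLR3-RDP")))
```

Because the firewall rule references only the resource group, its name alone tells a reviewer what the rule grants and where, while `lint` catches the drift that usually creeps in later: a user added straight into a resource group, or a group created outside the scheme.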