It sounds as if my situation is a bit different from most, as from what I gather most people do not use the scheduling feature of the firewall. I am at a pre-K-12 boarding school with dorm students, dorm parents, etc., which means I use the scheduling piece in almost every rule! As part of this I am struggling a bit to follow the logic of my rule set (I pity the person who takes this over if I leave!).
I am curious if anyone has been using some sort of third party mind mapping/flow charting software to draw out the logic of their rules? I am not a big fan of Visio.
Do people use the PA on its own and just keep adding to it without mapping it out?
That is one area that the PAs are really lacking. There are no visualization tools like Cisco ASAs and Netscalers, and no grouping of rules based on zones or policy type like the MS ISA. It also does not even have a numbering column, which is very strange! It would be nice to see some of these introduced. We use the TAG field and the description field to try to keep track of things. There is also an API to export all of the rules to an excel spreadsheet which might be a help.
For my sanity, I group the rules by zone. But that was back when you could easily sort the rules by zone, in PAN-OS 2.0. I'm starting to use the tags as we've grown to 500+ rules.
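Since the rulebase can be exported through the API, one way to get the zone grouping, tags, schedules and a rule number column that the WebUI lacks is to parse the exported XML. The script below is an added example, not from this thread or from Palo Alto Networks; the sample rulebase is constructed and follows the PAN-OS config layout as we understand it (from/to/tag members and an optional schedule child), so check the element names against a real export.

```python
# Added example, not from the thread: number and group an exported PAN-OS
# security rulebase by zone pair, showing tags and schedules.
import xml.etree.ElementTree as ET

# Constructed sample following the PAN-OS config layout as we understand it.
SAMPLE_RULEBASE = """<rulebase><security><rules>
<entry name="students-web-day"><from><member>dorm</member></from><to><member>untrust</member></to>
  <action>allow</action><tag><member>students</member></tag><schedule>school-hours</schedule></entry>
<entry name="students-block-night"><from><member>dorm</member></from><to><member>untrust</member></to>
  <action>deny</action><tag><member>students</member></tag><schedule>lights-out</schedule></entry>
<entry name="staff-any"><from><member>staff</member></from><to><member>untrust</member></to>
  <action>allow</action><tag><member>staff</member></tag></entry>
</rules></security></rulebase>"""

def members(entry, tag):
    """Values of <member> elements under a child such as from, to or tag."""
    return [m.text for m in entry.findall(f"./{tag}/member")]

def parse_rules(xml_text):
    """Rules in rulebase order, numbered from 1 since the WebUI has no number column."""
    root = ET.fromstring(xml_text)
    return [{
        "num": pos,
        "name": e.get("name"),
        "from": members(e, "from"),
        "to": members(e, "to"),
        "action": e.findtext("action", default=""),
        "tags": members(e, "tag"),
        "schedule": e.findtext("schedule"),  # None: rule is active at all times
    } for pos, e in enumerate(root.findall("./security/rules/entry"), start=1)]

def group_by_zone_pair(rules):
    """Group by (from zones, to zones); dict insertion order keeps rulebase order."""
    groups = {}
    for r in rules:
        groups.setdefault((",".join(r["from"]), ",".join(r["to"])), []).append(r)
    return groups

def render(rules):
    """One heading per zone pair and one numbered line per rule, in evaluation order."""
    out = []
    for (src, dst), group in group_by_zone_pair(rules).items():
        out.append(f"== {src} -> {dst} ==")
        for r in group:
            out.append(f"{r['num']:>3}. {r['name']:<22} {r['action']:<5} "
                       f"tags={','.join(r['tags']) or '-'} schedule={r['schedule'] or 'always'}")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(parse_rules(SAMPLE_RULEBASE)))
```

The number column preserves evaluation order inside each zone group, so a scheduled deny placed after a broader allow stands out when reading the report.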
Wow - and I thought our 240+ policies were bad! Glad to see someone else white-lists more than we do. PA should do more to help organize rules.
Absolutely, I remember having requested such a feature about two years ago in order to organise large rulebases. I am coming from Check Point Firewalls and I really liked their management and still do.
They have a section feature in the rulebase where it allows you to divide the rulebase into different sections with section titles and also to collapse/expand sections.
I constantly get complaints from customers regarding the rulebase becoming a mess. I believe proper firewall management is key to success, and here there is a lot to be done by PAN.
This has been a feature request for a long time, supposedly from many people. I talked to several people with PA and they have said that it is supposed to be included in a "future release". This was over a year ago!
To me this seems a rather easy addition since it only affects the WebUI and does not need any FW engine related changes.
At the same time this improvement would really help a lot of people.
Maybe someone from PAN could share some input here...?
If someone is "friends" with a Palo rep. that has an account, they can share this thread with them using the share button. That might get a quicker response!