Is there a need for a book on PAN-OS "Policy as Code" subject?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Is there a need for a book on PAN-OS "Policy as Code" subject?

L1 Bithead

 

Dear All,

 

I am looking to determine if there is a demand in the market for a guide to PAN-OS security policy automation ("policy as code").

 

There is plenty of reference information (https://pan.dev is always a good starting point) but there is no resource/book that would take one of the available automation frameworks and demonstrate how to leverage it to build a comprehensive "real-world" firewall security policy based on business requirements. From personal experience, I also know that those who only start their careers with firewalls (and NGFWs in particular) usually have no clue how to implement a new policy with zero impact on end-users. The proposed guide would address both of these gaps.

 

If you feel our Palo community would benefit from such a guide, please drop a short comment or a Like under this post. Below you can find a more detailed description of the contents.

TLDR summary is at the bottom of the post.

== book description ==

 

This book will demonstrate how to leverage simple Python programming and firewall API to build a comprehensive security policy for a typical scenario where Palo Alto Networks firewalls serve as web-filtering Internet gateways in a multi-site enterprise environment. Our main goals and drivers will be a risk-based approach to security, consistency, high manageability, and low administrative overhead.


All aspects of policy design and implementation will be covered. Our solution will be suitable for companies of all sizes—from small and medium businesses comprised of a handful of offices with standalone firewalls to international corporations with hundreds of offices with firewalls managed by Panorama appliances.

 

We will start by defining functional requirements and discussing the relevant software features of PAN-OS, as well as the specifics of packet processing in Next-Generation Firewalls. This will be followed by identifying necessary policy elements and structuring them to meet the defined requirements and adhere to security best practices. We will ensure the policy is risk-centric, user- and administrator-friendly, and integrates well with the company’s IT Help Desk system.

 

Then, we will select a suitable automation framework and proceed to turn our ideas into software code. We will rely on object-oriented Python with elements of classic procedural programming and fill gaps with the help of ChatGPT.

 

The testing and implementation section will conclude the book. We will discuss necessary policy testing and develop a methodology that will allow us to transition our firm’s sites to the new policy with zero impact on end-users. Another piece of code will be required to achieve this crucial part of our work.

 

After reading this book and following along, you will be able to bid farewell to all infamous “any-any” policy rules and the poorly structured and inconsistent firewall policies your organization may have accumulated over the years, which cause endless trouble for your department.

 

Equally, this book will provide you with a pocket “Swiss Army knife” of ready-made network security solutions for greenfield firewall deployments.

 

=======

 

TLDR version:

 

  • Intro, Business context, Business requirements, NGFW basics
  • Security Policy Design (how to put together all security features)
  • Firewall Automation and Management Choices
  • How to set up a Dev Environment
  • Coding (transformation of the designed policy into Python code)
  • QA and Testing of all policy features
  • Deployment

Thank you in advance.



Panorama NGFW 

8 REPLIES 8

Community Team Member

This sounds like a brilliant idea! 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L1 Bithead

Thank you! Let's see if anyone else thinks the same 🙂

L0 Member

Nikolay, documenting the practical experience would be very helpful.  I for one would purchase it.  Having the knowledge and understanding of what tighter security should look like combined with the automation as the vehicle to get it done quickly and at scale would be the holy grail.  Too many times either the resources do not exist to get it done or there is concern over operational impact due to a lack of knowledge.

L2 Linker

Sounds like you're putting onto paper something that a lot of folks are trying to do but unable to cobble together. Appreciate the work you've already put into this, Nikolay!

L5 Sessionator

There's plenty of material on Python, Ansible, Terraform out there and how to operationalise them.
There's lots of vendor documentation for PAN-OS out there too.
There is not much content, by comparison, where those two circles overlap on a Venn diagram. PAN-OS specific guidance on using and operationalising automation would be worthy of a book IMO.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

L5 Sessionator

I think such a book would enable many FW administrators to give policy automation a try.

 

If I may, I would suggest a section about drift handling. Both from "detection and revert" (to the code source of truth) and from the "detection and integrate" (changes done manually becoming part of the code) points of view.

It's a good point, thank you. I will see how I can cover this.

Community Team Member

I'm on the same page as the other users who commented. A guide like that would be super handy for a bunch of people and would really fill a content gap.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
  • 4467 Views
  • 8 replies
  • 7 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!