11-13-2023 05:46 AM - edited 11-21-2023 02:25 PM
Dear All,
I am looking to determine if there is a demand in the market for a guide to PAN-OS security policy automation ("policy as code").
There is plenty of reference information (https://pan.dev is always a good starting point) but there is no resource/book that would take one of the available automation frameworks and demonstrate how to leverage it to build a comprehensive "real-world" firewall security policy based on business requirements. From personal experience, I also know that those who only start their careers with firewalls (and NGFWs in particular) usually have no clue how to implement a new policy with zero impact on end-users. The proposed guide would address both of these gaps.
If you feel our Palo community would benefit from such a guide, please drop a short comment or a Like under this post. Below you can find a more detailed description of the contents.
TLDR summary is at the bottom of the post.
== book description ==
This book will demonstrate how to leverage simple Python programming and firewall API to build a comprehensive security policy for a typical scenario where Palo Alto Networks firewalls serve as web-filtering Internet gateways in a multi-site enterprise environment. Our main goals and drivers will be a risk-based approach to security, consistency, high manageability, and low administrative overhead.
All aspects of policy design and implementation will be covered. Our solution will be suitable for companies of all sizes—from small and medium businesses comprised of a handful of offices with standalone firewalls to international corporations with hundreds of offices with firewalls managed by Panorama appliances.
We will start by defining functional requirements and discussing the relevant software features of PAN-OS, as well as the specifics of packet processing in Next-Generation Firewalls. This will be followed by identifying necessary policy elements and structuring them to meet the defined requirements and adhere to security best practices. We will ensure the policy is risk-centric, user- and administrator-friendly, and integrates well with the company’s IT Help Desk system.
Then, we will select a suitable automation framework and proceed to turn our ideas into software code. We will rely on object-oriented Python with elements of classic procedural programming and fill gaps with the help of ChatGPT.
The testing and implementation section will conclude the book. We will discuss necessary policy testing and develop a methodology that will allow us to transition our firm’s sites to the new policy with zero impact on end-users. Another piece of code will be required to achieve this crucial part of our work.
After reading this book and following along, you will be able to bid farewell to all infamous “any-any” policy rules and the poorly structured and inconsistent firewall policies your organization may have accumulated over the years, which cause endless trouble for your department.
Equally, this book will provide you with a pocket “Swiss Army knife” of ready-made network security solutions for greenfield firewall deployments.
=======
TLDR version:
Thank you in advance.
11-13-2023 04:04 PM
This sounds like a brilliant idea!
11-21-2023 06:45 AM
Nikolay, documenting the practical experience would be very helpful. I for one would purchase it. Having the knowledge and understanding of what tighter security should look like combined with the automation as the vehicle to get it done quickly and at scale would be the holy grail. Too many times either the resources do not exist to get it done or there is concern over operational impact due to a lack of knowledge.
11-21-2023 01:57 PM
Sounds like you're putting onto paper something that a lot of folks are trying to do but unable to cobble together. Appreciate the work you've already put into this, Nikolay!
11-22-2023 09:56 AM
There's plenty of material on Python, Ansible, Terraform out there and how to operationalise them.
There's lots of vendor documentation for PAN-OS out there too.
There is not much content, by comparison, where those two circles overlap on a Venn diagram. PAN-OS specific guidance on using and operationalising automation would be worthy of a book IMO.
11-22-2023 01:06 PM - edited 11-22-2023 01:06 PM
I think such a book would enable many FW administrators to give policy automation a try.
If I may, I would suggest a section about drift handling, both from the "detection and revert" (to the code source of truth) and the "detection and integrate" (changes done manually becoming part of the code) points of view.
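The drift handling suggested in this comment, as an added example that is not part of the thread or of the proposed book: a detect-and-revert plan and a detect-and-integrate merge over a policy-as-code rulebase. All rule data is constructed, no PAN-OS API is called, and the `is_overly_permissive` guard is an assumption about which manual changes an administrator would want held back for review rather than silently adopted into the code.

```python
# Constructed sample data (not from the original post). DESIRED is the policy-as-code
# source of truth; OBSERVED mimics a rulebase export taken after manual edits. No
# PAN-OS API call is made; a real workflow would fill OBSERVED from the firewall.
DESIRED = {
    "allow-web": {"from": ["trust"], "to": ["untrust"], "application": ["web-browsing", "ssl"],
                  "service": ["application-default"], "action": "allow"},
    "deny-all": {"from": ["any"], "to": ["any"], "application": ["any"],
                 "service": ["any"], "action": "deny"},
}
OBSERVED = {
    "allow-web": {**DESIRED["allow-web"], "application": ["any"]},  # widened by hand
    "temp-rdp": {"from": ["untrust"], "to": ["trust"], "application": ["ms-rdp"],
                 "service": ["application-default"], "action": "allow"},  # unmanaged rule
    "deny-all": dict(DESIRED["deny-all"]),
}

def detect_drift(desired, observed):
    """Compare by rule name: added, removed, and changed as {name: {field: (want, have)}}."""
    added = [n for n in observed if n not in desired]
    removed = [n for n in desired if n not in observed]
    changed = {}
    for name in [n for n in desired if n in observed]:
        want, have = desired[name], observed[name]
        diff = {f: (v, have.get(f)) for f, v in want.items() if v != have.get(f)}
        if diff:
            changed[name] = diff
    return {"added": added, "removed": removed, "changed": changed}

def revert_plan(drift, desired):
    """Detect-and-revert: the API operations that restore the code source of truth."""
    plan = [("delete", n) for n in drift["added"]]
    plan += [("create", n, desired[n]) for n in drift["removed"]]
    plan += [("update", n, desired[n]) for n in drift["changed"]]
    return plan

def is_overly_permissive(rule):
    """Assumed guard: never silently codify an allow rule that matches any application."""
    return rule["action"] == "allow" and "any" in rule["application"]

def integrate(drift, desired, observed):
    """Detect-and-integrate: adopt manual changes, holding back guarded rules for review."""
    merged = {n: r for n, r in desired.items() if n not in drift["removed"]}
    review = {}
    for name in drift["added"] + list(drift["changed"]):
        if is_overly_permissive(observed[name]):
            review[name] = observed[name]
        else:
            merged[name] = observed[name]
    return merged, review
```

Rule order is deliberately out of scope here; a real implementation must also compare rule position, since a shadowed rule drifts silently.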
11-22-2023 02:58 PM
It's a good point, thank you. I will see how I can cover this.
11-22-2023 11:49 PM
I'm on the same page as the other users who commented. A guide like that would be super handy for a bunch of people and would really fill a content gap.