Palo Alto Security Profiles Suggestions

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Palo Alto Security Profiles Suggestions

L2 Linker

I am seeing that we have different Palo Alto provided Security Profiles that we can map to the security policy. What would best strategy to test it first in lower environments before rolling onto prod ?

 

We just want to make sure it should not create any problems to existing traffic.

 

Right now, we are not using for each security policy. But we want to use.

 

any kind of help would be greatly appreciated.

 

ty

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @Khanna075 ,

 

When I do a migration from a another vendor firewall to Palo Alto, I used to test the security profiles 1st.  Here was my process:

 

  1. Use security profile groups which make changing the profiles per security policy rule a LOT easier.
  2. Use the Day 1 Configuration which has built in security profile groups such as Alert-Only, Inbound, Outbound, Internal, etc.
  3. Assign the desired groups Inbound, Outbound, Internal, etc. to your security policy rules.
  4. Change the security profiles in those groups to Alert-Only.
  5. After the traffic has been cut over to the Palo Alto, review the Monitor logs to confirm if there are any false positives.
  6. Configure exceptions for the false positives, and change the security profiles in the groups to the recommended settings.

To be honest, it has been a while since I have done that.  I found very little false positives as I did many migrations.  There were some.  Today, I enable all the security profiles; have the customer perform their test plan; and troubleshoot the false positives the night of the cut-over or the next day.

 

It is important to run a BPA on the new NGFW before the cutover because the BPA recommends additional security profile settings that the Day 1 Configuration does not have.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

View solution in original post

5 REPLIES 5

L2 Linker

Can someone please suggest me any inputs on this ?

Cyber Elite
Cyber Elite

Hello @Khanna075

 

thanks for posting question.

 

We had a similar situation in the past. We used AD group of IT / Security Department as a source user to limit the policies with strict security profile for testing before rolling this out to rest of the policies. Alternatively you can use source IP address (Source subnet if this is possible in your case) to limit policies with strict security profile.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

Hi @Khanna075 ,

 

When I do a migration from a another vendor firewall to Palo Alto, I used to test the security profiles 1st.  Here was my process:

 

  1. Use security profile groups which make changing the profiles per security policy rule a LOT easier.
  2. Use the Day 1 Configuration which has built in security profile groups such as Alert-Only, Inbound, Outbound, Internal, etc.
  3. Assign the desired groups Inbound, Outbound, Internal, etc. to your security policy rules.
  4. Change the security profiles in those groups to Alert-Only.
  5. After the traffic has been cut over to the Palo Alto, review the Monitor logs to confirm if there are any false positives.
  6. Configure exceptions for the false positives, and change the security profiles in the groups to the recommended settings.

To be honest, it has been a while since I have done that.  I found very little false positives as I did many migrations.  There were some.  Today, I enable all the security profiles; have the customer perform their test plan; and troubleshoot the false positives the night of the cut-over or the next day.

 

It is important to run a BPA on the new NGFW before the cutover because the BPA recommends additional security profile settings that the Day 1 Configuration does not have.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Thanks Pavel for your inputs.

It is helpful to plan my requirement.

Thank you much Tom for taking out time and sharing your inputs. This actually covers everything that I need to consider my planning.

 

Really appreciate the help!

  • 1 accepted solution
  • 812 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!