Palo Alto Security Profiles Suggestions


L2 Linker

I am seeing that we have different Palo Alto provided Security Profiles that we can map to the security policy. What would be the best strategy to test it first in lower environments before rolling it onto prod?

We just want to make sure it does not create any problems for existing traffic.

Right now, we are not using them for each security policy, but we want to.

Any kind of help would be greatly appreciated.

ty

1 accepted solution

Accepted Solutions

Cyber Elite

Hi @Khanna075,

When I do a migration from another vendor's firewall to Palo Alto, I used to test the security profiles first. Here was my process:

  1. Use security profile groups, which make changing the profiles per security policy rule a LOT easier.
  2. Use the Day 1 Configuration, which has built-in security profile groups such as Alert-Only, Inbound, Outbound, Internal, etc.
  3. Assign the desired groups (Inbound, Outbound, Internal, etc.) to your security policy rules.
  4. Change the security profiles in those groups to Alert-Only.
  5. After the traffic has been cut over to the Palo Alto, review the Monitor logs to confirm whether there are any false positives.
  6. Configure exceptions for the false positives, and change the security profiles in the groups to the recommended settings.

To be honest, it has been a while since I have done that. I found very few false positives as I did many migrations. There were some. Today, I enable all the security profiles, have the customer perform their test plan, and troubleshoot the false positives the night of the cut-over or the next day.

It is important to run a BPA on the new NGFW before the cutover because the BPA recommends additional security profile settings that the Day 1 Configuration does not have.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.


5 REPLIES

L2 Linker

Can someone please give me any inputs on this?

Cyber Elite

Hello @Khanna075,

Thanks for posting the question.

We had a similar situation in the past. We used an AD group of the IT / Security Department as the source user to limit the policies with the strict security profile for testing before rolling this out to the rest of the policies. Alternatively, you can use a source IP address (or source subnet, if this is possible in your case) to limit the policies with the strict security profile.

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
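Tom's Alert-Only review step and Pavel's pilot-scoping suggestion fit together as one log-review routine. The Python script below is an added example, not code from either poster or from Palo Alto Networks. It parses a constructed, simplified threat-log CSV export (the column headings follow the PAN-OS threat log naming, but a real export carries many more columns, so treat the layout as an assumption), restricts the rows to a pilot population defined by source subnet or source user (AD group membership is not in the log, so the pilot user list is assumed to have been exported separately), and counts alert-mode hits per rule and signature so the exceptions can be decided before the profile groups are switched from Alert-Only to the recommended actions. Signature names, addresses and users in the sample are constructed placeholders.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample: a cut-down PAN-OS threat log export. Column names follow
# the threat log headings (assumption); threat names and hosts are placeholders.
SAMPLE_THREAT_LOG = """\
Receive Time,Rule,Source address,Source User,Application,Threat/Content Name,Threat/Content Type,Severity,Action
2024/05/01 09:12:01,Outbound-Web,10.10.5.21,corp\\alice,web-browsing,HTTP XSS Signature A,vulnerability,medium,alert
2024/05/01 09:13:44,Outbound-Web,10.10.5.21,corp\\alice,web-browsing,HTTP XSS Signature A,vulnerability,medium,alert
2024/05/01 09:15:02,Outbound-Web,10.10.5.33,corp\\bob,ssl,TLS Evasion Signature B,vulnerability,low,alert
2024/05/01 09:20:19,Internal-Apps,10.20.1.7,corp\\svc-backup,ms-ds-smb,SMB Brute Force Signature C,vulnerability,high,alert
2024/05/01 09:22:45,Outbound-Web,192.168.77.4,corp\\carol,web-browsing,HTTP Brute Force Signature D,vulnerability,high,alert
2024/05/01 09:40:10,Inbound-DMZ,203.0.113.9,,web-browsing,HTTP Brute Force Signature D,vulnerability,high,reset-both
"""

# Pilot population (Pavel's approach): a source subnet plus users taken from the
# IT/Security AD group. Both lists are constructed for this example.
PILOT_SUBNETS = [ipaddress.ip_network("10.10.5.0/24")]
PILOT_USERS = {"corp\\carol"}

# Ranking used to order the review list; "critical" and "informational" are the
# other PAN-OS severities.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}


def parse_threat_log(csv_text):
    """Parse a threat-log CSV export into a list of dict rows keyed by heading."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def in_pilot_scope(row, pilot_subnets=(), pilot_users=()):
    """True if the row's source host or user belongs to the pilot population.

    With no subnets and no users given, every row is in scope (whole-fleet review).
    """
    if not pilot_subnets and not pilot_users:
        return True
    src = ipaddress.ip_address(row["Source address"])
    if any(src in net for net in pilot_subnets):
        return True
    return row["Source User"] in pilot_users


def summarize_alerts(rows, pilot_subnets=(), pilot_users=()):
    """Count alert-action hits per (rule, threat name, severity) inside the scope.

    Under an Alert-Only profile group these rows are exactly the sessions that
    would be reset or dropped once the group is moved to the recommended actions,
    so each key is a candidate for either an exception or a confirmed block.
    """
    counts = Counter()
    for row in rows:
        if row["Action"] != "alert":
            continue  # already enforced elsewhere; not part of the pilot review
        if not in_pilot_scope(row, pilot_subnets, pilot_users):
            continue
        counts[(row["Rule"], row["Threat/Content Name"], row["Severity"])] += 1
    return counts


def review_order(counts):
    """Order hits for review: highest severity first, then most frequent.

    High-severity hits get a look before anything is written off as a false
    positive; the frequent medium/low hits on normal business traffic are the
    usual exception candidates.
    """
    return sorted(
        counts.items(),
        key=lambda kv: (-SEVERITY_RANK.get(kv[0][2], 0), -kv[1], kv[0]),
    )


if __name__ == "__main__":
    log_rows = parse_threat_log(SAMPLE_THREAT_LOG)
    print("Pilot-scope alert hits to review before switching to recommended actions:")
    for (rule, threat, severity), hits in review_order(
        summarize_alerts(log_rows, PILOT_SUBNETS, PILOT_USERS)
    ):
        print(f"  {severity:<8} {hits:>3}  rule={rule:<14} threat={threat}")
    print("Whole-fleet alert hits:")
    for (rule, threat, severity), hits in review_order(summarize_alerts(log_rows)):
        print(f"  {severity:<8} {hits:>3}  rule={rule:<14} threat={threat}")
```

Run against a real export, the pilot-scope list is what you walk through with the application owners after the cut-over: a signature firing for several different pilot hosts on routine traffic is the shape of a false positive and gets an exception, while a single high-severity hit is investigated rather than excepted. Once the list is clean for the pilot group, widen the scope (or drop it entirely) before changing the profile groups from Alert-Only.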


Thanks, Pavel, for your inputs.

It is helpful for planning my requirement.

Thank you so much, Tom, for taking the time to share your inputs. This actually covers everything that I need to consider in my planning.

Really appreciate the help!
