security policy in monitor mode only

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

security policy in monitor mode only

L1 Bithead

Hi,

 

This is a new Palo Alto deployment.  We used to have Cisco FTD as IPS and now we are replacing with Palo Alto.  We have 3 devices (router and SDWAN) that we configured using vwire so all traffic to the DC would pass through the Palo Alto inspection as IPS.

 

I would like to deploy the security profiles/group (vulnerability/antivirus/spyware) as monitor mode only, so I can see what traffic would have been blocked by PA and then correct all the false positives.  In Cisco FMC we have the option of the policy rule action as monitor to achieve this.  I cannot find something similar in Palo Alto.  Please can someone help with how to set the security policy to monitor only (not take the drop or reset-action) but I want to know the traffic that it would have dropped.

2 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

Hello,

The simple answer is use an 'allow' policy. Deploying the firewall there are two options:

Here is a guide for Best Practice to deployment:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started/best-practices-for-comple...

 

What I did since it was a Cisco appliance I was migrating from, was to create the policies as layer 3/4 as with the standard Cisco ASA would. Then once deployed, I would create stricter policies with applications instead of 'services'(ports). I then created my own day one policy that had a lot of the config already built in both best practices and DISA STIG's etc. Its not fully complete due to differences in network and designed etc. but its a great start if your truly brave. The config does not allow for much to pass so treat it as DENY ALL allow by Exception, so you have to put in the allow policies.

https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint...

 

Cheers!

View solution in original post

Cyber Elite
Cyber Elite

@ismailsh,

To explicitly answer your profile questions, you'd want to create new profiles and ensure that you have all actions set to alert. The one thing that I'll mention here is that some of the profiles you'll have to think a little bit about when you actually enforce them. For example, if you setup an Anti-Spyware profile and have all severities set to alert that doesn't show you everything that the firewall would actually take an action on if you set the action back to default.

 

That will at least get you to the point where you're gathering as much data as possible so you have it when changing the action and actually enforcing standards however. 

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

Hello,

The simple answer is use an 'allow' policy. Deploying the firewall there are two options:

Here is a guide for Best Practice to deployment:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started/best-practices-for-comple...

 

What I did since it was a Cisco appliance I was migrating from, was to create the policies as layer 3/4 as with the standard Cisco ASA would. Then once deployed, I would create stricter policies with applications instead of 'services'(ports). I then created my own day one policy that had a lot of the config already built in both best practices and DISA STIG's etc. Its not fully complete due to differences in network and designed etc. but its a great start if your truly brave. The config does not allow for much to pass so treat it as DENY ALL allow by Exception, so you have to put in the allow policies.

https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint...

 

Cheers!

Cyber Elite
Cyber Elite

@ismailsh,

To explicitly answer your profile questions, you'd want to create new profiles and ensure that you have all actions set to alert. The one thing that I'll mention here is that some of the profiles you'll have to think a little bit about when you actually enforce them. For example, if you setup an Anti-Spyware profile and have all severities set to alert that doesn't show you everything that the firewall would actually take an action on if you set the action back to default.

 

That will at least get you to the point where you're gathering as much data as possible so you have it when changing the action and actually enforcing standards however. 

L1 Bithead

Thank you OtakarKlier and BPry for the replies.

  • 2 accepted solutions
  • 2062 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!