What Firewall Change Management software is working with a PAN ?

Reply
L3 Networker

What Firewall Change Management software is working with a PAN ?

Hi,

Is there anyone that can tell me which Firewall Change Management ( Skybox, Tufin, Algosec,.... ) is REALLY working with a PAN ?

Most of them claim they can do it, until you test it... nothing works...

Some of them announce PAN support for next year.

I would like to get in touch with someone who has really done this kind of integration and who is using this in a live production environment.

Anyone at all ?

Thanks

Bart.

Tags (1)
L3 Networker

To be honest, as technical guy we don't need this.

But this is a requirement in most large organisations from the security/compliance department....

In my opinion these vendors can simply not keep up with recent evolution of a nextgen firewall.

Anyway, if somebody has this working, I'll be happy to hear about it.

L5 Sessionator

Have you looked at Firemon?  They are a PAN technology partner.

FireMon for Palo Alto devices. (datasheet)

http://www.firemon.com/downloads/?id=23767d63-5003-4615-81fd-f386ae5702a4

L4 Transporter

Hi,

Tufin is also our partner. As I know they can support it now and will have more roadmap to make it more robust. Recommend you to request a demo and roadmap update with them.

Regards,

Jones

L2 Linker

According to my experience, Tufin works at TCP/UDP layer and does not understand applications; e.g. I had a rule allowing only dns application, without filtering TCP/UDP port number, and Tufin SecureTrack reported it as dangerous because such rule would have allowed telnet, MS services, etc.

I asked Tufin Support and sounds like application firewalling is in their road-map; I would say they are mainly focused on Checkpoint and Cisco.

Regards,

Bucche

L4 Transporter

Hello,

We are Skybox partner.

From my own experience, Skybox integrates correctly BUT not fully support Palo Alto.

Fully supported partners are: Cisco, Checkpoint, Fortinet and Juniper.

Working features

------------------------

- collecting rulebase,

- detecting overlap/hidden rule in the rule base,

- collecting routing table (except routes from tunnel interface, see below),

- support rules with application (so even if port 23 is open but in the rulebase but Telnet application is blocked, skybox understand that Telnet is blocked by the rulebase),

- understand NAT and authentication rule,

Missing Features

-------------------------

- support of tunnel interface,

- compliancy check (NIST or PCI) of the rulebase,

- rulebase usage (object statistics, etc) REM : should be available soon

I had the opportunity to test Firemon, it's very far away from what Skybox can do....

Regards,

HA

L1 Bithead

Wondering if anyone has an update to this thread regarding Palo Alto <> SkyBox integration. My client is trying to implement SkyBox, however they are frustrated with not being able to see values on the firewalls that are comitted by Panorama template. Is SkyBox "Template Aware" and can corelate those values to the Panorama managed devices?

 

I have zero experience with SkyBox, and of course expected to be the expert. 

L0 Member

I have been using Firemon . I believe you must evaluate Firemon once .

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!