K-12 Quickplay

Brief Description

The K-12 Skillet is intended to help enable a safe and secure internet experience. The solution hardens a network by building off of the IronSkillet configuration and by enabling Safe Search features across the institution without having to manually configure and audit devices.

Target Audience

K-12 users or other entities that want to implement Safe Search features.

Solution Details

Documentation: https://github.com/PaloAltoNetworks/K12Skillet/blob/master/README.md

GitHub Location: https://github.com/PaloAltoNetworks/K12Skillet

GitHub Branches: master

PAN-OS Supported: 10.0, 10.1

Type of Skillet: workflow, panos/xml, docker, python3

Collections: Education
Purpose: Enable a safe and secure internet experience for K-12 users

Detailed Description

The K-12 Skillet utilizes Git submodules in order to pull external skillets into this repository for its use. This K-12 solution chains together skillets from the IronSkillet Components, SLED Components, PAN-OS Upgrade/Downgrade, and PAN-OS Config Elements repositories into one chain of execution. Since the submodules specifically point to a commit in the external repository's history, the K-12 solution can stay up-to-date by simply updating the commit references.

This Quickplay solution is meant to be run as a workflow skillet, which groups together multiple skillets. The four sub-skillets that run are as follows: 

1. Load an empty NGFW baseline configuration 
2. Perform a content update 
3. Configure for IronSkillet 
4. Configure for K-12

Baseline Skillet

The baseline python3 skillet (from the PAN-OS Config Elements repo) loads an empty, 'out-of-the-box' baseline configuration to the firewall while saving existing admin credentials and management interface configurations.  

Content Update Skillet

The content update docker skillet (from the PAN-OS Upgrade/Downgrade repo) runs an Ansible playbook that downloads and installs the latest content/threat and anti-virus updates to ensure the firewall is fully armed with the latest signatures.

IronSkillet Configuration

The IronSkillet panos playlist skillet, which includes snippets from the IronSkillet Components repo, configures an initial baseline for the firewall, including device hardening and security profiles to be used by use-case specific configuration and security policies. For more information about IronSkillet, see the documentation.

K-12 Configuration

The K-12 panos skillet configures the following elements: 

• Dynamic configuration based on the desired Safe Search deployment:
  • Transparent - SSL inspection with NGFW enforced Safe Search
  • DNS-Proxy - NGFW responds to Google and Bing search engine requests with Safe Search only server IPs
  • Local DNS CNAME - Limits outbound DNS requests to sanctioned internal DNS servers with Google and Bing Safe Search configurations
• Optional country block: Only allows IPs from US, Mexico, Canada, and cloud providers (based on EDL)
• K-12 Reports
• Targeted decryption policies to help enable SSL Decryption adoption and limit risk
• Chromebook and SAML no-decrypt decryption policies

Additional Safe Search information can be found at: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/url-filtering/safe-search-enforcement.html

Prerequisites

The following should be completed before running the K-12 Solution Workflow:

• Deploy a PAN-OS 10.X NGFW
• License NGFW with the Threat, URL, and WildFire subscriptions
• Install PanHandler (Version 4.5+) or other skillet-supported applications, such as SLI

How to Use

1. Import this repository into PanHandler
2. In your K-12 Repository Details page, click on the K-12 Educational Deployment Full Workflow workflow skillet
3. Input your NGFW IP, admin credentials, and PAN-OS software version
4. Input the sub-skillets you need configured, more information about the workflow menu options below
5. Click Submit to start the workflow execution. You will need to input additional information for the IronSkillet and K-12 Configuration Skillets.