IronSkillet is a day one deployment-agnostic NGFW and Panorama configuration. It is used as an initial baseline including device hardening and security profiles to be used by use-case specific configuration and security policies.
Users who want to an immediate day one configuration to build from without extensive research and GUI clicks.
Github Location: https://github.com/PaloAltoNetworks/iron-skillet.git
Github Branches: panos_v10.2, panos_v10.1, panos_v10.0
PAN-OS Supported: 10.2, 10.1, 10.0 for the NGFW and Panorama
Type of Skillet: panos (xml/set) and panorama (xml/set)
Collections: IronSkillet, Config, Validations
Purpose: starting point for new NGFW or Panorama deployment
IronSkillet includes a broad set of configuration elements that land in various areas of the configuration as show in the menu items below.
For a detailed walkthrough of the GUI elements used in IronSkillet, use the visual guide: https://iron-skillet.readthedocs.io/en/docs_master/viz_guide_panos.html
Skillet focus can broken into a few core areas:
Device management hardening: general operations of the NGFW
Security traffic hardening: control of traffic flows that impacts device monitoring
Logging and alerts: data collection and external notifications
Security objects and policies: policy-related config settings and dynamic updates
Decryption objects and policies: certification checks and sample no-decrypt policy
The repo contains the following skillets and other configuration elements:
NGFW and Panorama full configuration file as a template and folder with default-based loadable configs
NGFW and Panorama xml snippets
NGFW and Panorama set command skillets including a spreadsheet version that is tool agnostic
NGFW validation skillet mapped to the Visual Guide to compare current configurations to IronSkillet recommendations
NGFW validation skillet showing new items added between 8.1 and 9.x to look for gaps during sw upgrades
Detailed information specific to using each skillet type is included in the readthedocs.io documentation.
The following should be completed before running IronSkillet:
firewall licenses activated including all threat, URL, and Wildfire subscriptions
updated with the latest or recommended software release
if using PanHandler: updated to 3.0 latest release
Additional details specific to each loading stage, variables, and release updates are found at https://iron-skillet.readthedocs.io/en/docs_master/
Various tools and apps have been updated to work with IronSkillet including:
Palo Alto Networks Customer Support Portal as the Day 1 Configuration; option when registering new devices or under the Tools menu
PanHandler skillet application; https://panhandler.readthedocs.io/en/master/