11-13-2023 05:46 AM - edited 11-21-2023 02:25 PM
Dear All,
I am looking to determine if there is a demand in the market for a guide to PAN-OS security policy automation ("policy as code").
There is plenty of reference information (https://pan.dev is always a good starting point) but there is no resource/book that would take one of the available automation frameworks and demonstrate how to leverage it to build a comprehensive "real-world" firewall security policy based on business requirements. From personal experience, I also know that those who only start their careers with firewalls (and NGFWs in particular) usually have no clue how to implement a new policy with zero impact on end-users. The proposed guide would address both of these gaps.
If you feel our Palo community would benefit from such a guide, please drop a short comment or a Like under this post. Below you can find a more detailed description of the contents.
TLDR summary is at the bottom of the post.
== book description ==
This book will demonstrate how to leverage simple Python programming and firewall API to build a comprehensive security policy for a typical scenario where Palo Alto Networks firewalls serve as web-filtering Internet gateways in a multi-site enterprise environment. Our main goals and drivers will be a risk-based approach to security, consistency, high manageability, and low administrative overhead.
All aspects of policy design and implementation will be covered. Our solution will be suitable for companies of all sizes—from small and medium businesses comprised of a handful of offices with standalone firewalls to international corporations with hundreds of offices with firewalls managed by Panorama appliances.
We will start by defining functional requirements and discussing the relevant software features of PAN-OS, as well as the specifics of packet processing in Next-Generation Firewalls. This will be followed by identifying necessary policy elements and structuring them to meet the defined requirements and adhere to security best practices. We will ensure the policy is risk-centric, user- and administrator-friendly, and integrates well with the company’s IT Help Desk system.
Then, we will select a suitable automation framework and proceed to turn our ideas into software code. We will rely on object-oriented Python with elements of classic procedural programming and fill gaps with the help of ChatGPT.
The testing and implementation section will conclude the book. We will discuss necessary policy testing and develop a methodology that will allow us to transition our firm’s sites to the new policy with zero impact on end-users. Another piece of code will be required to achieve this crucial part of our work.
After reading this book and following along, you will be able to bid farewell to all infamous “any-any” policy rules and the poorly structured and inconsistent firewall policies your organization may have accumulated over the years, which cause endless trouble for your department.
Equally, this book will provide you with a pocket “Swiss Army knife” of ready-made network security solutions for greenfield firewall deployments.
=======
TLDR version:
Thank you in advance.
