About dhshah

Availability of the Service: EDL Hosting Service is a cloud native service with the feeds being hosted on a cloud based CDN for widespread availability.  Availability status or updates to the “EDL Hosting Service” are posted on  status.paloaltonetworks.com . Customers can subscribe for update notifications.   Security: The EDL Hosting service is hosted in secure public cloud infrastructure and ensures that there is no external access possible to the service itself. The publicly available feeds are hosted on a cloud based CDN - there is no proprietary information carried in these feeds, and we ensure that these feeds cannot be compromised by external entities.    We recommend users to leverage server authentication support within PAN-OS to ensure the feeds are sourced from the authenticated service.   To ensure the sanity of the feeds itself we have some extra checks implemented: Any anomalies detected from the source data triggers a manual approval process wherein the change gets validated and approved before being propagated to the feeds. This will ensure there is no accidental (or intentional) adulteration of the feeds. We have mechanisms in place to allow for a quick reversal in case of any identified issue with updated feeds. Any known bugs will be promptly resolved with no extra action needed of the users. ... View more

Many SaaS Applications, Microsoft 365 being one great example, publish a list of endpoints that firewall rules must allow connectivity to in order for the services to function properly.     As part of our security best practices, we have always recommended that a security policy should not only restrict access based on App-ID (for example, ms-office365), but also by the application’s destination endpoints (ip/domains).   However, the endpoint list in some cases is dynamic ( Microsoft updates its M365 endpoints on a periodic basis).  Keeping up with the changes and updating your policies in accordance with that becomes challenging. And that often leads to administrators configuring the policy with a destination of “any” and loosening up the access.   Additionally, there might be  cases where you want to preferentially treat traffic going to certain endpoints. Examples would be bypassing SSL decryption for Optimized endpoints as Microsoft recommends here or providing QoS priority to ‘OneDrive’ endpoints. Again, the challenge to keep up with the changing endpoint list remains.    External Dynamic Lists PAN-OS has always had support for External Dynamic Lists (EDLs) which are tailor-made for such use cases. EDLs are configurable objects on PAN-OS that can be referenced within policies to represent a list of IPs (or URLs). The list membership is dynamic and PAN-OS will, based on a configurable frequency, check for updates to the list from the specified source to keep the object updated.    Now all we need is a “source” from which endpoint lists can be consumed.   Introducing the EDL Hosting Service   EDL Hosting Service is a globally available Palo Alto Networks-managed service that hosts  curated lists which can be consumed by any Palo Alto Networks NGFW (including Prisma Access) in the form of EDLs. An admin only has to configure the EDL and point it to a source URL the EDL Hosting Service provides for the feed of interest. This is a one-time setup.   With the current release, the service provides hosting for All Microsoft 365 endpoints organized into categories you can easily scan and choose from based on what’s relevant to you. EDLs also provide support for adding your custom exceptions to these lists and give you full control.   The service keeps up with all updates from Microsoft and categorizes the feeds into multiple lists based on either the: Region : Worldwide, Germany, 21 Vianet (China), US Gov DoD, US Gov GCC-High Service Areas : Exchange Online, Sharepoint and OneDrive, Skype and Teams, Any (includes all service areas) Category : Optimize, Allow, Default, All (includes all three categories) Type : IPv4, IPv6, URL   The EDLs automatically stay updated from the hosted feeds,and policies do not have to be touched once configured.   You can refer to the documentation here for more details on how to leverage this service in helping you safely enable Microsoft 365.  ... View more

Encrypted traffic is the norm and users spend most of their time on encrypted websites and applications. The risks of not monitoring and inspecting encrypted traffic are well understood, however enabling SSL decryption is not always straightforward.    Prisma Access Cloud Management helps make managing and enabling SSL Decryption easy.   Centralized Settings All SSL Decryption related settings can be managed from a single page on Cloud Management. This includes managing the:   SSL Decryption policies Prisma Access supports decryption as a policy-based decision to enable you to specify traffic to decrypt by destination, source, service, or URL category. Admins have to determine which traffic they can decrypt and what cannot be decrypted due to privacy and legal concerns.     SSL Decryption profiles Decryption profiles get associated with decryption policies. The profile defines controls for SSL protocols, certificate verification, and failure checks to help prevent traffic that uses weak algorithms or unsupported modes.       Decryption Settings (Certificates) The firewall uses certificates and keys to decrypt traffic and enforces App-ID and security settings. There are essentially two types of certificates that we recommend.        A forward trust certificate is what is used to sign the proxy session (firewall to client) when the server is a trusted source (as validated by its certificate issuing authority). The Forward Trust CA certificate should be stored into the trusted certificate store on user endpoints.   You can use the default certificates we provide OR choose to use your enterprise PKI (recommended), in which case you will have to import the CA certificates and designate them as Forward trust certificates.   Note: You can also use Globalprotect to distribute these certificates to your endpoints.    A forward untrust certificate is used to sign the proxy session (firewall to client) when the server is an untrusted source. This helps differentiate between the two and leverage the browser’s controls over distinguishing between a trusted and untrusted site.   If using enterprise PKI, ensure that the forward untrust certificate is NOT signed by your Enterprise CA certificate as it needs to be “untrusted”.  Decryption Exclusions Certain sites make use of pinned-certificates or mutual authentication - either of which makes SSL decryption by a proxy impossible. In order to ensure smooth functioning of the well-known sites that employ these techniques, we maintain a global exclusion list of sites to be excluded from SSL Decryption.       You have full control over this list which can be viewed and edited to comply with your policies.    Ready to Use Prisma Access Cloud Management provides default decryption policies along with default profiles and certificates which can be made use of to easily enable SSL decryption by simply enabling a couple of available policies.    A default best-practice decryption policy is provided with a list of URL categories that will be decrypted in accordance with Palo Alto Networks best practices. This list is editable to meet your company policies.        A default best-practice “no-decrypt” policy is provided with a list of URL categories that are typically not decrypted for privacy and legal reasons. This list is editable to meet your company policies.    Encouraging Best Practices   The default policies and configuration provided with Prisma Access Cloud Management is in accordance with recommended best practices. You can make use of these policies as-is.   In addition to this, continuous and inline best practice assessment helps identify any configuration that is not aligned with the recommended best practices with clear instructions to help mitigate the highlighted issues.       ... View more

Configuration changes are always necessary in a network, whether they are for adding new applications, allowing access to users or to create exceptions in security profiles. Prisma Access Cloud Management provides the ability for administrators to make sure that the configuration is always aligned to Palo Alto Networks recommended best practices.   The best practice assessments are available across Security policies, all security profiles and decryption policies and profiles with other ones being added often. The best practice checks are updated every 3 minutes.  Security Policies and Rulebase Checks Best practices checks on the security policies are of two basic types: checks on individual Policy Rules themselves and checks against the rulebase. Also available is a summary page of all of the counts of policies against various types of failures and mapping those checks into CSC Controls .   Every security policy created is checked against a multitude of checks for operational, security and auditing purposes. These checks typically cover mundane things such as adding a description to a rule, and making sure any/any/allow policies are not written.   Each new tenant instantiated after March has new policies automatically created to address the rulebase checks. Customers can choose to disable or remove them, but our recommendation is to keep them, in order to have a better security posture. Security Profiles  Best practices are available across all security profiles. They cover best practice checks on the profiles themselves, use of failing profiles in policies and in general association of profiles to policies. CSC controls are also available for security profiles. Decryption Policies and Profiles From a best practices perspective, enabling decryption is a must. As you know, the entire decryption settings are on a single page in Prisma Access Cloud Management. It already has two decryption policies, disabled by default, one for decrypting traffic and one to bypass decryption. Once you provide the forward trust and forward untrust certificates, enable the policies and push the configuration to Prisma Access, you will have enabled decryption on your network. Checks for best practices including ones for policies having decryption profiles and policies not in use. CSC Controls Prisma Access Cloud Management provides checks that map into CSC controls across security policies, profiles and decryption checks. CSC controls are important from an audit and compliance standpoint. They map into other standards such as NIST-OLIR and ISO 27001. Default Configuration Prisma Access Cloud Management has best practices-aligned default configuration located throughout the product. It is recommended that you use that configuration in your network. However, if you need to customize the configuration, the configuration will undergo best-practices checks. ... View more

Answer: PAN-OS devices can update their own clocks (as clients passively consuming the time, not servers giving out the time) using NTPv4. Outside of time syncing PAN-OS also supports autokey and symmetric key (introduced in PAN-OS v6.1 as part of the Authenticated NTP feature). ... View more