Best practices for automating next generation firewall change processes

Post on 13-Jan-2017


BEST PRACTICES FOR AUTOMATING NEXT GENERATION FIREWALL CHANGE PROCESSES

Edy Almer, VP Product, AlgoSec

Moshe Itah, Product Line Manager, Palo Alto Networks

DO YOU STRUGGLE WITH?

• Supporting business transformation initiatives such as cloud and SDN

• Lack of visibility into business application connectivity requirements

• Slow, manual and error-prone change management processes

• Costly outages and exposure to risk due to misconfigurations

• Time-consuming audits and reactive compliance verification

2 | Confidential

ELIMINATE THE TRADEOFF

Security

• Avoid misconfiguration and reduce attack surface

• Proactively mitigate risk

• Ensure continuous compliance

• Enforce network segmentation

Business Agility

• Provision network changes in minutes, not days

• Understand business requirements and avoid application outages

• Align teams to foster DevSecOps

• Free up time by automating processes

THE ALGOSEC SECURITY POLICY MANAGEMENT SUITE

KEY CAPABILITIES

• Secure Business Application Connectivity Management

• Security Policy Change Management

• Continuous Compliance and Auditing

• Firewall Policy Optimization

• Security Policy Risk Mitigation

• NGFW and Datacenter Migration

• Hybrid Cloud Security

ALGOSEC INTEGRATION WITH PALO ALTO NETWORKS

APP-ID AND USER-ID SUPPORT

• Policy analysis

• Automatically and seamlessly replace ports with applications at layer 7

• Zero-touch change management

• Proactive risk analysis

• Add/remove/modify traffic and intelligent rule design

• Policy push directly to Palo Alto Networks devices (through Panorama)

• Mixed NGFW and non user/application-aware infrastructure, and cloud (VMware NSX, AWS, Azure)

APP-ID AND USER-ID CONNECTIVITY MANAGEMENT

• Changes include application-default, App-ID and User-ID data

PANORAMA SUPPORT

• Automated policy push through Panorama to its devices, including user awareness and application awareness

• Support for large estates

• Automatically populate firewalls in AlgoSec

• Identify and incorporate candidate policies in the analysis (aggregated changes not yet committed to the devices)

• Allow low-risk change requests to be resolved automatically, while security operations need only approve or reject higher-risk items
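The two workflow steps described above, replacing ports with layer-7 applications and letting low-risk requests through automatically while higher-risk items wait for security operations, as an added example in Python. This is illustrative code, not AlgoSec or Palo Alto Networks logic: the port-to-App-ID table, the zone names, the risk checks and the sample change requests are all assumptions made for the example.

```python
"""Risk-tiered triage of firewall change requests.

Added example, not AlgoSec or Palo Alto Networks code. A requested rule is
first translated from ports to layer-7 applications (App-ID names), then
assessed; low-risk requests are auto-approved, everything else goes to a
security-operations reviewer. The port-to-App-ID table, the risk checks
and the zone names are assumptions made for illustration.
"""
from dataclasses import dataclass, field

# Assumed mapping from well-known services to App-ID names.
PORT_TO_APPID = {
    "tcp/22": "ssh",
    "tcp/23": "telnet",
    "tcp/80": "web-browsing",
    "tcp/443": "ssl",
    "tcp/3389": "ms-rdp",
}

# Applications that always need a human reviewer (assumed policy).
HIGH_RISK_APPS = {"telnet", "ms-rdp"}


@dataclass
class ChangeRequest:
    ticket: str
    src_zone: str
    dst_zone: str
    src: str                # address, CIDR or "any"
    dst: str
    services: list          # e.g. ["tcp/443"]; rewritten to App-IDs where possible
    apps: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def ports_to_apps(req):
    """Replace port-based services with App-ID names; unknown ports stay as ports."""
    leftover = []
    for svc in req.services:
        app = PORT_TO_APPID.get(svc.lower())
        if app:
            req.apps.append(app)
        else:
            leftover.append(svc)
    req.services = leftover
    return req


def assess_risk(req):
    """Collect findings; any finding makes the request high risk."""
    if req.src == "any" and req.dst == "any":
        req.findings.append("any-to-any rule")
    if req.src_zone == "untrust" and req.dst_zone == "trust":
        req.findings.append("inbound from untrust")
    ports = [s for s in req.services if s.lower() != "any"]
    if len(ports) != len(req.services):
        req.findings.append("service any")
    if ports:
        req.findings.append("port-only services: " + ", ".join(ports))
    risky = HIGH_RISK_APPS.intersection(req.apps)
    if risky:
        req.findings.append("high-risk apps: " + ", ".join(sorted(risky)))
    return "high" if req.findings else "low"


def triage(req):
    """Return the decision record a change-management ticket would carry."""
    ports_to_apps(req)
    risk = assess_risk(req)
    decision = "auto-approved" if risk == "low" else "needs-secops-review"
    return {"ticket": req.ticket, "risk": risk, "decision": decision,
            "apps": sorted(req.apps), "findings": list(req.findings)}


if __name__ == "__main__":
    # Constructed sample requests.
    for r in (
        ChangeRequest("CHG-1001", "trust", "untrust", "10.1.2.0/24", "203.0.113.10", ["tcp/443"]),
        ChangeRequest("CHG-1002", "untrust", "trust", "any", "10.0.0.5", ["tcp/3389"]),
        ChangeRequest("CHG-1003", "trust", "dmz", "10.1.0.0/16", "10.9.0.1", ["any"]),
    ):
        print(triage(r))
```

The outbound HTTPS request maps cleanly to the `ssl` App-ID and is auto-approved; the inbound RDP request and the `service any` request both produce findings and are routed to a reviewer. In a real deployment the mapping table and the checks would come from the policy engine, and the unmapped ports left in `services` are exactly the items a reviewer should look at before the rule is pushed.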


PRAGMATIC AUTOMATION

• Collate all changes related to a policy

• Allow mixed device-based work orders and policy-based work orders on the same ticket

• Make a single change to Panorama instead of hundreds of individual device-level changes, while still supporting device-based changes for other vendors

ACTIVECHANGE THROUGH PANORAMA

SUPPORT ORGANIZATION STRUCTURE & DEVICE GROUPS

ASSIGN RESPONSIBILITY TO DEVICE GROUP OWNERS

• Support assignment of Panorama device groups to organizational groups in AD

• Each group handles and approves changes to "its" devices

• Align with organizational structure

• Improve inter-team synchronization

• Reduce errors

• Provide full results to requestors

Management Features in Release 7.1

Moshe Itah

Palo Alto Networks and AlgoSec

Palo Alto Networks and AlgoSec are close partners.

Palo Alto Networks and AlgoSec share early alpha/beta releases for feedback and testing, product roadmaps, and technical discussions.

The relationship works at multiple levels: Business Development and Product Management.

29 | ©2016. Palo Alto Networks. Confidential and Proprietary.

Commit Enhancements

Commit Queue

Problem – Once a commit is running, no other commit (user- or system-triggered) is allowed. This prevents:

• Commits to multiple VSYS on the same device mapped to different device groups in Panorama

• Multiple admins from committing to a device or Panorama simultaneously

• Tenants from committing simultaneously to their own VSYS

• User commits while DAG updates or FQDN/EDL refreshes are ongoing

Solution – New commits are queued when a commit is in progress. All commits are queued in the order they were received. On commit failure, the next commit is processed.

Full visibility into the queue: which commit is being processed, and the ability to clear the queue.

Queue capacity is platform dependent. Queues are not synchronized across HA peers. CLI and API support.

Commits with the following changes will fail if the commit queue is not empty: master key, mode change (single to multi-VSYS), URL DB, reverts.
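The queue semantics on this slide, as an added simulation in Python (not Palo Alto Networks code). The capacity value, the change-type labels and the sample commit descriptions are assumptions; what the simulation exercises is arrival-order processing, continuation after a failed commit, the rejection of master-key, VSYS-mode, URL DB and revert commits while the queue is non-empty, and the queue-full case.

```python
"""Simulation of the PAN-OS 7.1 commit queue behaviour described above.

Added example, not Palo Alto Networks code. Rules modelled:
 - a new commit is queued while one is in progress, in arrival order;
 - the queue holds at most `capacity` entries (platform dependent on
   real hardware; the number used here is an assumption);
 - if one commit fails, the next queued commit is still processed;
 - commits carrying certain change types (master key, VSYS mode change,
   URL DB, revert) are rejected outright when the queue is not empty.
"""
from collections import deque

# Assumed labels for the change types that cannot be queued behind others.
BLOCKED_WHEN_QUEUED = {"master-key", "vsys-mode", "url-db", "revert"}


class CommitQueue:
    def __init__(self, capacity=4):
        self.capacity = capacity
        self.queue = deque()          # head of the queue is the commit in progress
        self.log = []                 # (description, outcome) audit trail

    def submit(self, description, change_types=(), will_succeed=True):
        """Queue a commit; returns 'queued' or a rejection reason."""
        if self.queue and BLOCKED_WHEN_QUEUED.intersection(change_types):
            self.log.append((description, "rejected: queue not empty"))
            return "rejected: queue not empty"
        if len(self.queue) >= self.capacity:
            self.log.append((description, "rejected: queue full"))
            return "rejected: queue full"
        self.queue.append((description, will_succeed))
        return "queued"

    def pending(self):
        """What an operator sees when inspecting the queue."""
        return [d for d, _ in self.queue]

    def clear(self):
        """Drop every queued commit; returns how many were discarded."""
        dropped = len(self.queue)
        self.queue.clear()
        return dropped

    def process_all(self):
        """Run commits FIFO; a failure does not stop the commits behind it."""
        results = []
        while self.queue:
            description, ok = self.queue.popleft()
            outcome = "success" if ok else "failed"
            self.log.append((description, outcome))
            results.append((description, outcome))
        return results


if __name__ == "__main__":
    q = CommitQueue(capacity=3)
    print(q.submit("CHG-1 by jamie"))
    print(q.submit("CHG-2 by saurabh", will_succeed=False))
    print(q.submit("FQDN refresh", change_types=("fqdn-refresh",)))
    print(q.submit("switch to multi-vsys", change_types=("vsys-mode",)))
    print(q.submit("CHG-3 by moshe"))
    print(q.pending())
    print(q.process_all())
```

The practical consequence for change automation is the fourth and fifth calls: a mode change submitted while anything is queued comes back rejected rather than queued, and a full queue rejects further work, so a tool that pushes policy through Panorama has to read the result of each commit submission instead of assuming it was accepted.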

How Commit Queue Works

(Diagram of the Commit Task Queue and Commit Processing: Commit 1 by jamie, Commit 2 by saurabh and Commit 3 by moshe pass through the queue in order, together with an FQDN Refresh for Commit 1.)

Commit Description

Commit description can be up to 512 characters.

Use cases: describe what changes were pushed down with the commit; ticket numbers, change request numbers, audit info, etc.

Compare versions based on commit description in config audit: type the description text into the config version selector to compare.

Commit description searches are available in system logs and the task manager.
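Putting the ticket number into the commit description is what makes a commit traceable later in the config audit and the system logs. The added Python example below (not AlgoSec or Palo Alto Networks code) shows how an automation tool would do that through the PAN-OS XML API. The hostname, the API key and the sample response are constructed; the `<commit><description>` form of the commit command is assumed to match the 7.1 XML API, and the 512-character limit is the one stated on the slide.

```python
"""Tag each automated commit with its change-ticket reference.

Added example, not AlgoSec or Palo Alto Networks code. Builds the PAN-OS
XML API commit command with a <description> element, enforces the
512-character limit stated on the slide, and parses the job id from the
response. The host, API key and SAMPLE_RESPONSE are constructed for
illustration; the <commit><description> element is assumed to match the
7.1 XML API.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

MAX_DESCRIPTION = 512


def commit_description(ticket, summary, requester):
    """Compose the description an auditor will later search for."""
    desc = f"{ticket} | {summary} | requested by {requester}"
    if len(desc) > MAX_DESCRIPTION:
        raise ValueError(f"description is {len(desc)} chars, limit is {MAX_DESCRIPTION}")
    return desc


def build_commit_request(host, api_key, description):
    """Return the XML API URL for a commit carrying the description."""
    cmd = ET.Element("commit")
    # ElementTree escapes <, > and & inside the text, so a ticket summary
    # such as "10.1.2.0/24 -> 203.0.113.10" cannot break the command XML.
    ET.SubElement(cmd, "description").text = description
    query = urlencode({
        "type": "commit",
        "cmd": ET.tostring(cmd, encoding="unicode"),
        "key": api_key,
    })
    return f"https://{host}/api/?{query}"


def parse_job_id(response_xml):
    """Extract the commit job id, or raise if the commit was not enqueued."""
    root = ET.fromstring(response_xml)
    if root.get("status") != "success":
        msg = " ".join(t.strip() for t in root.itertext() if t.strip())
        raise RuntimeError(f"commit not enqueued: {msg}")
    return int(root.findtext("./result/job"))


# Constructed sample of a successful commit-enqueue response.
SAMPLE_RESPONSE = """<response status="success" code="19">
  <result><msg><line>Commit job enqueued with jobid 47</line></msg><job>47</job></result>
</response>"""

# Constructed sample of a rejected commit.
SAMPLE_ERROR = """<response status="error" code="3">
  <msg><line>commit queue is full</line></msg>
</response>"""


if __name__ == "__main__":
    desc = commit_description("CHG-1234", "allow ssl 10.1.2.0/24 -> 203.0.113.10", "jamie")
    print(build_commit_request("panorama.example.net", "API-KEY-PLACEHOLDER", desc))
    print("job id:", parse_job_id(SAMPLE_RESPONSE))
```

The request is built but not sent, so the block runs offline; in a live tool the URL goes to the Panorama or firewall API endpoint and the returned job id is what you poll for commit status. Keeping the ticket reference at the front of the description means the config-version selector and the system-log search on the slide both find the commit by typing the ticket number.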

Increased Maximum Virtual Disk

Problem – The maximum supported virtual disk size is 2 TB, which leads customers to NFS for more storage. NFS is less than ideal for throughput and predictability; a virtual disk has better performance, but 2 TB is not enough storage for many customers.

Solution – Support up to 8 TB of virtual disk for VM Panorama. Requires ESXi 5.5+ and a new virtual disk (covered in the LAB session).

New ACC Widgets

Problem – Customers could not see more than the top 10 URL categories or file types / data patterns. Currently URL filtering and content activity is only shown in the User Activity or IP Activity widgets, limited to the top 10 items.

Solution – Create two new widgets for URL Filtering and Content Activity. They allow admins to view top URL domains and files / patterns in a table, with the ability to maximize for an expanded list. The widgets must be added to a tab manually.

Problem – Customers wanted visibility into top data transfers and URLs independent of IP or user. Currently URL and content visibility is restricted to the User Activity or IP Activity widgets, at a maximum of the top 10 items.

Solution – Create two new widgets for URL Filtering and Content Filtering. They allow admins to view URL / content at the top level and drill into details. The widgets must be added to a tab manually.

Unified Log Viewer

Problem – Customers cannot see all events associated with a set of filters across databases. Admins can only view the related logs for any single event, or re-run the same query on each log type.

Solution – Add a unified log viewer. All traffic and threat log types are available. Any column that is common will return results from all of the relevant matching logs.

(Screenshots: Unified Log Viewer example, a specific query, and DB selection.)

THANK YOU

For a personal demo: www.algosec.com/Demo

More information: marketing@algosec.com