PALO ALTO NETWORKSExpedition

Albert Estevez

Day 1 Configurations – Iron-Skillet + Expedition

2 | © 2018, Palo Alto Networks. All Rights Reserved.

• Customers need a Palo Alto Networks base configuration file to use in new deployments.

• We want to allow customers to customize some parameters before the config is generated.

• We want to ensure they get a configuration where some of the platform features are enabled and configured automatically.

• Iron-Skillet provides a preconfigured configuration for Palo Alto Networks devices and allows customers to modify some parameters to adapt that configuration to their needs.

• With the integration in Expedition those parameters can be changed from a nice GUI

Demonstration of Iron-Skillet Integration

3 | © 2018, Palo Alto Networks. All Rights Reserved.

1. Login to Expedition2. Go to Projects3. Add a new one by cliking on the plus button4. Assign a name to the Project: Ironskillet5. Click on Create Project6. Double click on the Project IronSkillet7. Go to Import8. Select IRON-SKILLET tab9. We can choose if we want a Panorama or Firewall config and the Panos versión10.Change the desired parameters11.Click on GENERATE CONFIG and IMPORT

Screenshots

4 | © 2018, Palo Alto Networks. All Rights Reserved.

We can do more … Integration with BPA

5 | © 2018, Palo Alto Networks. All Rights Reserved.

• Now we have a config customized and enabled with some of the best practices already• Expedition comes with BPA integrated to we can analyze it to see more ways to improve

it

1. Click on Best Practices2. Click on Start Analysis3. You will see there is a score of 59% and potentially can be improved with the auto-

remediation implemented in Expedition to 68%4. Select the Analisys Tab5. From the tree select “Device”6. The checks with the darkgray bag can be auto-remediated bby selecting them and

clicking on the bottom bar on the Remediate Green button7. You can select all the checks by selecting the first and then with shift-click in the last then

remediate8. You can export the report to Excel too

Screenshots

6 | © 2018, Palo Alto Networks. All Rights Reserved.

Screenshots

7 | © 2018, Palo Alto Networks. All Rights Reserved.

Screenshots. Failed Checks which can be Remediated

8 | © 2018, Palo Alto Networks. All Rights Reserved.

Screenshots. Failed Checks which can be Remediated

9 | © 2018, Palo Alto Networks. All Rights Reserved.

Screenshots. Select All and click Remediate

10 | © 2018, Palo Alto Networks. All Rights Reserved.

Showing the Outcome

11 | © 2018, Palo Alto Networks. All Rights Reserved.

• After all the checks have been remediated go back to the BestPracticesDashboard to see how the score has been increased

Exporting the “Golden” Configuration

12 | © 2018, Palo Alto Networks. All Rights Reserved.

We can export the config as XML or via XML-APIIn this example we will use XML since we dont have any device to send the API calls

1. Click on EXPORT2. Click on Generate XML & Set Output3. A new window will popup once the process is finished

4. Show API calls5. Click on Api Output Manager Tab6. By default “Atomic” is selected. Click on [step 1] Generate Api Requests7. Show them.8. From here if we were integrating Expedition with our firewall or Panorama we be

able to send the apis to it.

Screenshots. Generate XML and download it.

13 | © 2018, Palo Alto Networks. All Rights Reserved.

Screenshots. Geneate API calls if you want to push them to the device.

14 | © 2018, Palo Alto Networks. All Rights Reserved.

Take aways

15 | © 2018, Palo Alto Networks. All Rights Reserved.

• Integration between IronSkillet and Best Practices Assesment Tool is key to help our customers to start walking the platform way in much faster fashion

• They get the benefit of the Platform from day 1

• Expedition is already available to all of our customers for free and under a besteffort support from the live community on live.paloaltonetworks.com/migrate