The cost of complexity is rising as a result of additional devices on the network, more traffic, and increased use of cloud technologies. According to AlgoSec, around 25% of all security network outages are caused by human error.
If you have more than two firewalls, you're spending time making configuration changes, adding or editing rules, and pulling logs. Between your multiple firewalls, several of those configurations and rules are probably similar, if not exactly the same. What's more, the view of your entire network is separated by different user interfaces that you must log in to individually. Each segment's traffic logs are separated into their respective firewall UI silos, making it difficult and time-consuming to correlate events across firewalls.
A 360-degree view of your network through a single pane of glass is important not only because it increases your visibility but also because it improves operational efficiency: it gives you access to all firewall traffic and threat logs and lets you push global rules, entered once, to all applicable firewalls. The potential for human error is introduced each time you manually enter something. Why create and push identical rules to multiple firewalls when you could do this once and eliminate user error? This complete visibility, unfettered by separate UIs, can make correlating IOCs across threat logs throughout the entire network much easier, highlighting the trail of each attempted attack, immediately pinpointing any resulting infection, and making clear any areas of weakness in your cyber defenses where you may need to refine policy or further segment your network.
A network security management system that provides you with the tools to easily organize, manage and discern important events across your organization can decrease your administrative workload, as well as prepare your organization for growth, so that when you need to deploy another firewall, you're already prepared to efficiently manage it.
Panorama™ network security management enables you to manage your distributed network of Palo Alto Networks® firewalls from one central location by empowering you to view all your firewall traffic, manage all aspects of device configuration, push global policies, and generate reports of traffic patterns or security incidents from a single console.
Whether you've just implemented Palo Alto Networks products or have been administering them for years, make sure that you're maximizing their full value by reviewing our best practices for managing multiple firewalls.
Just like with any technology, there is usually a gradual approach to a complete implementation, consisting of carefully planned deployment phases meant to make the transition as smooth as possible, with minimal impact to your end users. With this approach in mind, we've recommended our management best practices in three phases, each building on the prior recommendations. The ultimate goal for your Panorama implementation should be to efficiently distribute policies and expand visibility of your network traffic to 360 degrees so that you can reduce risk and realize operational savings.
Understanding your current network setup, and planning your management structure accordingly, is vital to implementing Panorama to effectively scale firewall deployments — especially those that may be more complex — and decrease the gaps in security stemming from misconfigurations, as well as the day-to-day operational resources required to manage the network.
There are three basic approaches to implementing a management system with Panorama:
The first and second approaches are more common, as budgets for tools usually only become available when problems become more obvious and operational costs become more quantifiable. However, these scenarios require some heavy lifting with regard to migrating current management policy and configuration and potentially reorganizing groups of firewalls in a more functional, admin-friendly way.
The third approach requires significant planning, both from a projected company-growth and budgetary standpoint, but results in a more organized and labor-saving firewall deployment.
Figure 1: How Panorama works
For any of these implementation scenarios, it's always best to proactively plan redundancy into your Panorama deployment by installing Panorama devices as HA pairs with an active device in one geographical location and a passive device in another.
Using the device groups and templates within Panorama allows you to arrange your network so that rule sets and configurations can be applied to firewalls efficiently in ways that make the most sense for your organization. These two features within Panorama also make it easy to deploy additional firewalls, making your company's growth much less painful where IT and security are concerned, by allowing you to implement rules and configurations common to other firewalls. You'll only need to create rules for the new firewall that are specific to that firewall and not shared with another firewall under management.
Once you've determined how your network security will be organized and managed by Panorama, migrate all existing firewall policies and configurations to Panorama by adding each firewall as a managed device. When firewall policies have been migrated and when new rules are created, use tags to label them so that you can easily search for all rules that apply to a specific zone, initiative, region, etc.
Firewalls managed by Panorama can be organized using both Templates for network and device configurations and Device Groups for policies and objects within the Panorama UI. Each has a hierarchical structure to help you efficiently group items common to all or sets of firewalls and match organizational structures.
Panorama must be running a version of PAN-OS® that is at least as recent as the latest version running on its managed firewalls, so that all version features pair with Panorama and work properly. For instance, if Panorama is running an earlier version of PAN-OS than the firewalls it has under management, it will not be able to connect to those firewalls on later PAN-OS versions.
Figure 2: Geographical organization
Figure 3: Functional organization
Tag rule sets specific to regions, initiatives, user groups, etc., using the tagging structure within Panorama's Objects tab to help you identify, at a high level, the rule set with which each rule is associated. You can apply multiple tags to individual rules and use color-coding to distinguish between them, making them easy to search as well as visually easy to differentiate. Because a rule can carry several tags at once, rule tagging is more flexible than traditional folder-based groupings.
You'll need to identify your firewall admins and global admins and secure their access to both the Panorama UI and their respective firewalls under management. Giving each admin a unique login to Panorama will ensure both that they have granular access privileges to functionality appropriate for their job role and that audit logs are accurate and provide the detail needed for audits.
Think about how you want your administrators to access the firewalls for which they're responsible, and configure that access plan accordingly. Factor in events like internal or required third-party audits and adding and removing admin access as IT personnel enter or exit your organization. Panorama provides you with granular options and controls for administrative access, such as read and write access, for nearly every piece of functionality and managed firewall within your Panorama implementation.
The ACC and Monitor tabs within Panorama can be customized by each admin to help them keep a close eye on malicious traffic across the part of the network for which they're responsible. These tabs contain integrated logs, correlated security events, and customizable visual representations of network-wide application traffic and threats, and this is also where reports can be scheduled and run.
It's also important to make sure Panorama and all of its managed firewalls are paired with regard to content updates that contain the newest threat signatures and App-IDs. Configure all managed firewalls with identical content updates through Panorama templates to make sure that your entire network always has the latest IPS, malware, and DNS signature packages, and that new App-IDs can be applied to policies consistently across all managed firewalls.
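One way to check the two pairing rules above (the PAN-OS version requirement and identical content updates) against an exported device inventory. This is an added example, not Palo Alto Networks code; the inventory, its field names and all version values are constructed, and ignoring the -hN hotfix suffix when comparing PAN-OS versions is an assumption.

```python
import re

PANOS_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")

def parse_panos(version):
    """Return (major, minor, maintenance); the -hN hotfix suffix is ignored (assumption)."""
    m = PANOS_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(part) for part in m.groups())

def parse_content(version):
    """Content packages are assumed to be numbered like '8700-7990'."""
    return tuple(int(part) for part in version.split("-"))

def audit(panorama_version, firewalls):
    """Return (firewall name, issue) pairs for version skew and content drift."""
    pano = parse_panos(panorama_version)
    findings = []
    for fw in firewalls:
        try:
            # A firewall on a later PAN-OS than Panorama cannot be managed by it.
            if parse_panos(fw["sw_version"]) > pano:
                findings.append((fw["name"], "newer-than-panorama"))
        except ValueError:
            # Surface bad inventory data instead of silently skipping the device.
            findings.append((fw["name"], "unparseable-version"))
    # Every firewall should carry the same, newest content package.
    newest = max(parse_content(fw["content_version"]) for fw in firewalls)
    for fw in firewalls:
        if parse_content(fw["content_version"]) < newest:
            findings.append((fw["name"], "content-behind"))
    return findings

# Constructed sample data (hypothetical device names and field names).
PANORAMA_VERSION = "10.1.9"
INVENTORY = [
    {"name": "fw-hq-01", "sw_version": "10.1.9-h1", "content_version": "8700-7990"},
    {"name": "fw-branch-02", "sw_version": "10.2.3", "content_version": "8700-7990"},
    {"name": "fw-dc-03", "sw_version": "10.1.6", "content_version": "8695-7961"},
    {"name": "fw-lab-04", "sw_version": "unknown", "content_version": "8700-7990"},
]

if __name__ == "__main__":
    for name, issue in audit(PANORAMA_VERSION, INVENTORY):
        print(f"{name}: {issue}")
```
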
Figure 4: Policy evaluation order