Managing Multiple Firewalls

The cost of complexity is rising as a result of additional devices on the network, more traffic, and increased use of cloud technologies. According to AlgoSec, around 25% of all security network outages are caused by human error.

Operational Efficiency and Planning for Growth

If you have more than two firewalls, you're spending time making configuration changes, adding or editing rules, and pulling logs. Between your multiple firewalls, several of those configurations and rules are probably similar, if not exactly the same. What's more, the view of your entire network is separated by different user interfaces that you must log in to individually. Each segment's traffic logs are separated into their respective firewall UI silos, making it difficult and time-consuming to correlate events across firewalls.

A 360-degree view of your network through a single pane of glass is important not only because it increases your visibility but also because it improves operational efficiency by providing you with access to all firewall traffic and threat logs, pushing global rules – entered once – to all applicable firewalls. The likelihood for human error is introduced each time you manually enter something. Why create and push identical rules to multiple firewalls when you could do this once and eliminate user error? This complete visibility, unfettered by separate UIs can make correlating IOCs across threat logs throughout the entire network much easier, highlighting the trail of each attempted attack, immediately pinpointing any resulting infection, and making clear any areas of weakness in your cyber defenses where you may need to refine policy or further segment your network.

A network security management system that provides you with the tools to easily organize, manage and discern important events across your organization can decrease your administrative workload, as well as prepare your organization for growth; so that when you need to deploy another firewall, you're already prepared to efficiently manage it.

Panorama™ network security management enables you to manage your distributed network of Palo Alto Networks® firewalls from one central location by empowering you to view all your firewall traffic, manage all aspects of device configuration, push global policies, and generate reports of traffic patterns or security incidents from a single console.

A Phased Approach to Network Security Management

Whether you've just implemented Palo Alto Networks products or have been administering them for years, make sure that you're maximizing their full value by reviewing our best practices for managing multiple firewalls.

Just like with any technology, there is usually a gradual approach to a complete implementation, consisting of carefully planned deployment phases meant to make the transition as smooth as possible, with minimal impact to your end users. With this approach in mind, we've recommended our management best practices in three phases, each building on the prior recommendations. The ultimate goal for your Panorama implementation should be to efficiently distribute policies and expand visibility of your network traffic to 360 degrees so that you can reduce risk and realize operational savings.

Phase 1: Planning Your Deployment

Understanding your current network setup, and planning your management structure accordingly, is vital to implementing Panorama to effectively scale firewall deployments — especially those that may be more complex — and decrease the gaps in security stemming from misconfigurations, as well as the day-to-day operational resources required to manage the network.

There are three basic approaches to implementing a management system with Panorama:

  • Replacing a legacy management system (port-port migration).
  • Installing a management system for the first time, because you already have too many firewalls to continue managing separately (port-port migration, followed by App-ID™).
  • Installing a management system for the first time as part of planning for future firewall placements, because you're preemptively solving for company growth and want to make future firewall expansion as painless as possible (port-port migration, followed by App-ID).

The first and second approaches are more common, as budgets for tools usually only become available when problems become more obvious and operational costs become more quantifiable. However, these scenarios require some heavy lifting with regard to migrating current management policy and configuration and potentially reorganizing groups of firewalls in a more functional, admin-friendly way.

The third approach requires significant planning, both from a projected company-growth and budgetary standpoint, but results in a more organized and labor-saving firewall deployment.

Figure 1: How Panorama works

For any of these implementation scenarios, it's always best to proactively plan redundancy into your Panorama deployment by installing Panorama devices as HA pairs with an active device in one geographical location and a passive device in another.

Phase 2: Organizing Your Network and Policies

Using the device groups and templates within Panorama allows you to arrange your network so that rule sets and configurations can be applied to firewalls efficiently in ways that make the most sense for your organization. These two features within Panorama also make it easy to deploy additional firewalls, making your company's growth much less painful where IT and security are concerned, by allowing you to implement rules and configurations common to other firewalls. You'll only need to create rules for the new firewall that are specific to that firewall and not shared with another firewall under management.

Once you've determined how your network security will be organized and managed by Panorama, migrate all existing firewall policies and configurations to Panorama by adding each firewall as a managed device. When firewall policies have been migrated and when new rules are created, use tags to label them so that you can easily search for all rules that apply to a specific zone, initiative, region, etc.

Firewalls managed by Panorama can be organized using both Templates for network and device configurations and Device Groups for policies and objects within the Panorama UI. Each has a hierarchical structure to help you efficiently group items common to all or sets of firewalls and match organizational structures.

Panorama must be running the most recent version of PAN-OS® that is also running on its managed firewalls for all version features to pair with Panorama and work properly. For instance, if Panorama is running an earlier version of PAN-OS than the firewalls it has under management, it will not be able to connect to those firewalls on later PAN-OS versions.

Figure 2: Geographical organization

Figure 3: Functional organizaton

Tag rule sets specific to regions, initiatives, user group, etc., using the tagging structure within Panorama's Objects tab to help you identify, at a high level, the rule set with which it's associated. You can apply multiple tags to individual rules and use color-coding to distinguish between them, making them easy to search as well as visually easy to differentiate. Rules can be associated with multiple tags too, making rule tagging more flexible than traditional folder-based groupings.

Phase 3: Configuring for Consistent Visibility, Efficiency And Security

You'll need to identify your firewall admins and global admins and secure their access to both the Panorama UI and their respective firewalls under management. Giving each admin a unique login to Panorama will ensure both that they have granular access privileges to functionality appropriate for their job role and that audit logs are accurate and provide the detail needed for audits.

Think about how you want your administrators to access the firewalls for which they're responsible, and configure that access plan accordingly. Factor in events like internal or required third-party audits and adding and removing admin access as IT personnel enter or exit your organization. Panorama provides you with granular options and controls for administrative access, such as read and write access, for nearly every piece of functionality and managed firewall within your Panorama implementation.

The ACC and Monitor tabs within Panorama can be customized by each admin to help them keep a close eye on malicious traffic across the part of the network for which they're responsible. This tab contains integrated logs, correlated security events, and customizable visual representations of network-wide application traffic and threats; plus this is where reports can be scheduled and run.

It's also important to make sure Panorama and all of its managed firewalls are paired with regard to content updates that contain the newest threat signatures and App-IDs. Configure all managed firewalls with identical content updates through Panorama templates to make sure that your entire network always has the latest IPS, malware, and DNS signature packages, and new App-IDs can be applied to policies consistently across all managed firewalls.

Figure 4: Policy evaluation order

Tips:

  • If your organization requires that any traffic logs be kept for a certain amount of time, calculate the size of the logs and estimate how much space you'll need to comply with your company's log retention policies, factoring in organizational growth over that time period. You may need to put dedicated log collectors in place alongside Panorama.
  • Any custom signatures or App-IDs previously created on each individual firewall must also be created on Panorama so that the threat intelligence and context they provide can be consumed by the management system.
  • Group your firewalls either by geography or function so that you can efficiently and easily identify and create rules and configurations that apply to all firewall groups, all firewalls within a group, or a few firewalls that make up a subgroup.
  • Create a rule-naming scheme that is both utilitarian and informative about the rule itself. Resist the urge to name rules based on their IT ticket ID or by the order in which they will be hit by traffic, as neither of these naming schemes is intuitive and the latter will require you to rename all rules whenever a single rule is added or removed.
  • When creating individual rules, take some time to add a brief description of the rule and any associated IT ticket IDs in the rule's Description form. This will not only help you keep track of why and when particular rules were added but also make deprecating older rules a less painful process.
  • Change the master key that comes with Panorama from the default to encrypt firewall configurations and access in the most secure way possible.
  • Enforce that local firewall admins implement changes or run reports directly within Panorama, instead of on the local firewall, by removing direct access to local firewalls. Each time a change is made, logs of those changes are kept within Panorama, making it less complicated to audit yourfirewall policies and configurations or revert changes should someone make an error.
  • Run Panorama version 7.0 or above to utilize the Automated Correlation Engine. This feature automatically searches through all managed firewall logs, pulling out potential security events and patterns and correlating them to pinpoint infected endpoints across the network and provide you with information about tactics used across the attack lifecycle.
  • Schedule regular backups of all firewall configurations through Panorama as part of your disaster recovery plan. These backups can also help quickly mitigate potential compromises caused by user error.