Disclaimer: The Palo Alto Networks Best Practices booklet mentioned in this article was published in 2017 and references PAN-OS 7. While this references older software, we still recommend these best practices for your next-generation firewalls.
"What should I do, and why?"
This is precisely the question that Fuel’s recently released Palo Alto Networks Best Practices booklet aims to answer when it comes to improving security, performance, manageability, and high availability. It’s a 300+ page resource chock-full of specific, immediately useful, practical advice.
If you have yet to download the Fuel Best Practices Booklet, you’re missing out on a major benefit of Fuel membership. Download the Best Practices Booklet today!
As for those of you who have downloaded it, you've probably noticed how extensive this resource is. To help you get started with the Best Practices Booklet, our volunteer Education Committee has selected 10 best practices that they either had not known about, implemented after reading about them, or that changed their approach thanks to this booklet.
- Avoid Password Profiles – page 77
Reviewers were stunned to realize the dangers of password profiles. “Any Password Profile assigned to an administrator account will overrule the global settings for Minimum Password Complexity. This is dangerous as it could quietly reduce the security compliance requirements for passwords. By ensuring you have no Password Profiles configured, you maintain compliance with the Minimum Password Complexity settings.”
- Force Admins to Acknowledge the Login Banner – page 83
Volunteers noted that they didn’t know that there was an option to force acknowledgement!
- Configure Your Geographic Location – page 93
The best part of this best practice might not be anything about your Next-Generation Firewall Configuration; it’s the recommendation on how to accurately determine your latitude and longitude.
- Prefer to Not Log DNS, NTP, DHCP and LDAP Traffic – page 277
Our volunteers enjoyed the honesty of this recommendation – that not all traffic warrants logging unless you are required to do so for compliance, and you can save time and resources by shaving off some of the less critical sessions.
- Configure Your Dynamic Updates Refresh Schedule – page 59
Everyone has been told why it’s important to stay current with frequent updates. Setting aside time to do these updates can be difficult, so automation is extremely valuable. One of our reviewers also noted that you can choose to set automatic updates not to download until 24 hours after release, to allow for any final bug fixes.
- Build a Lab for Learning, Experimentation, and Testing – page 49
Throughout the booklet's review, our volunteers called out the need to test new configurations or rules in a non-production environment before sending them live; a learning lab is the perfect way to do that. If you don't have the budget to set up a separate firewall, make sure you're taking advantage of Fuel's Virtual Lab, which provides access to desktop clients, Linux servers and a Palo Alto Networks Next-Generation Firewall, and lets users freely configure the environment to test different features.
- Create and Use Admin Role Profiles – page 72
Palo Alto Networks Next-Generation Firewalls offer a deep and granular level of permission-setting. This can be done for individual users, but even with regular administrator permission audits, it’s too easy to miss a key permission, or to allow incorrect or unneeded access to an individual because you forgot to update his or her account. Profiles ensure consistency in management, and will save you time when changing permissions for large groups.
- Block Internet Connections To and From Bogons and Fullbogons – page 174
And not just because they write terrible poetry (wait, those are Vogons.) Our reviewers liked having the IPv4 Bogon list handy, as well as a reference on where to identify Fullbogons.
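Before adding the bogon list to a security policy, it helps to see how much of your existing Internet-facing traffic would have been caught by it. The following script is an added example, not part of the booklet or of Palo Alto Networks' tooling: it hard-codes the static IPv4 bogon prefixes (the RFC-reserved and special-purpose ranges that should never be seen on the Internet), loads an optional fullbogon feed in the usual one-prefix-per-line format, and flags any session whose source or destination falls inside a listed prefix. The session records and the feed text are constructed for illustration; in practice the fullbogon list changes constantly and should come from a maintained feed (on the firewall, an External Dynamic List) rather than a file you edit by hand.

```python
import ipaddress

# Static IPv4 bogons: RFC 1918 private space plus the special-purpose and
# reserved ranges. None of these is a legitimate Internet source or destination.
IPV4_BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed stand-in for a fullbogon feed (real feeds have thousands of
# lines and change daily). Includes a comment and a malformed line on purpose.
FULLBOGON_FEED = """# sample feed, constructed for this example
192.0.2.0/24
100.64.0.0/10
not-a-prefix
"""

# Constructed sessions as seen on an Internet-facing zone: (source, destination).
SAMPLE_SESSIONS = [
    ("198.51.100.7", "8.8.8.8"),   # source in TEST-NET-2: spoofed, never routable
    ("8.8.8.8", "10.0.0.5"),       # Internet host "replying" into RFC 1918 space
    ("1.1.1.1", "192.0.2.1"),      # destination in TEST-NET-1
    ("1.1.1.1", "9.9.9.9"),        # ordinary public-to-public session
]


def load_prefixes(text):
    """Parse a feed (one prefix per line, '#' starts a comment) into networks.
    Unparseable lines are skipped rather than silently treated as host routes."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return nets


def matching_bogon(ip, prefixes):
    """Return the first listed prefix that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in prefixes:
        if addr.version == net.version and addr in net:
            return net
    return None


def flag_sessions(sessions, prefixes=IPV4_BOGONS):
    """Return (src, dst, direction, prefix) for every session that touches a
    bogon. A session is reported once per offending side, so a bogon-to-bogon
    session yields two findings."""
    findings = []
    for src, dst in sessions:
        hit = matching_bogon(src, prefixes)
        if hit is not None:
            findings.append((src, dst, "from-bogon", str(hit)))
        hit = matching_bogon(dst, prefixes)
        if hit is not None:
            findings.append((src, dst, "to-bogon", str(hit)))
    return findings


if __name__ == "__main__":
    combined = IPV4_BOGONS + load_prefixes(FULLBOGON_FEED)
    for finding in flag_sessions(SAMPLE_SESSIONS, combined):
        print("%-15s -> %-15s %-11s %s" % finding)
```

Running it against your own traffic export (source and destination columns only) before you enable the deny rule tells you whether anything internal is reaching the Internet with an unroutable source, which is usually a NAT mistake worth fixing first.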
- Control Access to the Management Port with Security Groups for AWS – page 307
If you’re using (or considering using) VM-series firewalls for Amazon Web Services (AWS), remember that the AWS cloud’s public IP subnets are well known and receive lots of malicious scanning from the Internet. By creating a security group just for the firewall’s management port, you can lock down exactly which IP addresses are allowed to connect, and over which ports.
- Use App-ID and User-ID! – pages 234-241
If you’re not utilizing App-ID and User-ID, why not?! Stop ignoring some of the most powerful, impactful and easy to use features on your Next-Generation Firewall. Start using application filters in your rules, and adding users (or better yet, user groups) to your security policy rules.