Monday, November 27, 2017
Have you taken advantage of the Palo Alto Networks Best Practices Booklet? Released in June of this year, it contains 300+ pages of specific, immediately useful advice for improving security, performance, manageability, and high availability. To get you started, or help you dive back in, here are two tips the Fuel community has found most helpful over the last month.
Use Static Routing
Dynamic Routing, using protocols such as RIP, BGP, OSPF, IGRP, EIGRP, etc., allows routers to automatically change routing instructions based on link and node availability and link capacity. It can provide high availability to complex networks and reduce transient outages when making network changes.
Despite its many advantages, dynamic routing can introduce routing uncertainty into network flows, and this can greatly complicate firewall troubleshooting. Firewall administrator graybeards know in their bones that an awful lot of firewall problems are really routing problems in disguise. Tracking a packet through a firewall is complicated enough without introducing uncertainty about whether the packets are even transiting the firewall at all. The first step in troubleshooting is to isolate the problem. If you can’t even be sure which path the packets are taking, it’s much harder to know where to begin.
To reduce complexity and uncertainty when implementing your firewall, consider static routing for the traffic that passes through it.
For a deeper dive into this particular topic, learn more here.
Configure an Interface Management Profile for Each Interface
Sometimes a firewall interface needs to do more than just pass packets (or not) to other interfaces. Sometimes it has to act as an IP host and participate as the server side in a client-server connection.
Not only do you want to specify precisely how the firewall will behave when a packet tries to transit an interface, but you also want to specify precisely how the firewall behaves when a packet tries to connect to an interface.
Take this two-step approach to implementation:
1. Go to Network > Network Profiles > Interface Mgmt and create or modify an Interface Management Profile.
2. Go to Network > Interfaces and edit each interface you wish to attach this Interface Management Profile to. In the dialog box, go to Advanced > Other Info.
Remember, an Interface Management Profile is for a “traffic” port, not the MGT port. Click here for a valuable resource to help dive deeper into this particular function.
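The check below is an added example, not part of the original post or the booklet. It reads a configuration export and reports, for each layer 3 Ethernet interface, which Interface Management Profile is attached and what that profile enables. The embedded XML is a constructed sample, its element layout is an assumption modelled on a PAN-OS configuration export, and the function name audit_interface_mgmt is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. The element layout is an assumption
# modelled on a PAN-OS configuration export.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><network>
  <profiles><interface-management-profile>
    <entry name="allow-ping"><ping>yes</ping></entry>
    <entry name="admin-access"><https>yes</https><ssh>yes</ssh><ping>yes</ping>
      <permitted-ip><entry name="10.0.0.0/24"/></permitted-ip></entry>
  </interface-management-profile></profiles>
  <interface><ethernet>
    <entry name="ethernet1/1"><layer3>
      <interface-management-profile>allow-ping</interface-management-profile></layer3></entry>
    <entry name="ethernet1/2"><layer3>
      <interface-management-profile>admin-access</interface-management-profile></layer3></entry>
    <entry name="ethernet1/3"><layer3/></entry>
    <entry name="ethernet1/4"><layer3>
      <interface-management-profile>old-profile</interface-management-profile></layer3></entry>
  </ethernet></interface>
</network></entry></devices></config>
"""

def audit_interface_mgmt(config_xml):
    """Map each layer 3 Ethernet interface to its profile, services and permitted IPs."""
    root = ET.fromstring(config_xml)
    profiles = {}
    for p in root.iterfind(".//profiles/interface-management-profile/entry"):
        services = sorted(c.tag for c in p if (c.text or "").strip() == "yes")
        permitted = [e.get("name") for e in p.iterfind("permitted-ip/entry")]
        profiles[p.get("name")] = (services, permitted)
    report = {}
    for iface in root.iterfind(".//interface/ethernet/entry"):
        if iface.find("layer3") is None:
            continue  # this example only covers layer 3 Ethernet interfaces
        name = (iface.findtext("layer3/interface-management-profile") or "").strip()
        if not name:
            report[iface.get("name")] = {"status": "no-profile"}
        elif name not in profiles:
            report[iface.get("name")] = {"status": "unknown-profile", "profile": name}
        else:
            services, permitted = profiles[name]
            report[iface.get("name")] = {"status": "ok", "profile": name,
                                         "services": services, "permitted_ip": permitted}
    return report

if __name__ == "__main__":
    for iface, result in audit_interface_mgmt(SAMPLE_CONFIG).items():
        print(iface, result)
```

An interface reported as no-profile has nothing attached, and unknown-profile means the interface names a profile that is not defined in the export.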
Additional Resources (Yes, there’s more!)
For those who have downloaded the booklet and are looking to make the most of this valuable resource, be sure to check out the Fuel Tip of the Week Forum. Each week, the Fuel education team delivers a new tip for how to best utilize the Fuel Best Practices Booklet.
Resources like the Fuel Best Practices Booklet are invaluable to making the most of your cybersecurity investment. And sharing with your colleagues extends the value even further.
Not a Fuel member? Join today.