A Wicked Cool Palo Alto Networks Feature That Not Everyone Knows About
3 min read
One of my roles in the company is to participate in our regular new hire training, and in our last session, I was asked a question that I had never been asked before. The question was, “What is the coolest feature in your product that not everyone knows about?” While there are many, many very cool features in our product, without hesitation I told them that it is actually a combination of three features that allow customers to collect external data and use it to automate firewall deployment and policy updates.
Let me explain.
To be specific, the three cool features I am referring to are the XML API, Dynamic Address Groups (DAG) and Virtual Machine Monitoring (VM-Monitoring). They are standard PAN-OS features and are supported in both our virtualized and appliance-based form factor firewalls. I believe the reason users don’t know about them is that they see these three features as being primarily applicable to managing the dynamic nature of virtualized environments, ensuring that security keeps pace with business.
But the best-kept secret around these features is that they are equally valuable when used with our appliance form-factor firewalls. Just think about the external data sources that you may refer to regularly and then use (manually) to manage your network security. Now imagine if there was a way to automate those tedious, day-to-day tasks. You understand the value these features might provide.
It’s true that they are invaluable in a virtualized environment because they facilitate two forms of automation:
- They help automate the provisioning of a VM-Series firewall so that when new virtual machines are created, our next-generation firewall can be deployed simultaneously.
- They bring a sense of order to policy chaos by updating policies dynamically as virtualized and hardware form-factor workloads are added, changed or removed.
In a virtualized environment, change is common and happens rapidly. But often security, as part of a set of best practices, follows a more rigid change control process that may mean delays. Therefore, the value of these three features is they allow security to keep pace with the speed of change in virtualized environments. You can preserve the flexibility of a virtualized environment and ensure important security updates get made just as rapidly. Here are two other examples of how these features solve a variety of challenges using our appliances:
- Automating the deployment of hundreds of physical firewalls: Imagine the challenge of deploying our firewall appliance to hundreds of remote locations, quickly, consistently and cost-effectively. The solution for this customer was a strict adherence to IP addressing on the networking side that they mapped to named objects in PAN-OS such as “External_IP”, “Wireless_network”, and “Wired_workstations”. The objects are then used in Panorama Templates and the IP addresses are dynamically provisioned, greatly simplifying firewall deployment. One of our firewalls is sent to the remote location, they are connected to the network and Panorama is used to deliver the configuration via a Template. Device Groups are then used to complete the setup.
- Enabling policy creation that accompanies IT asset allocation: In another example of how these three features can enable dynamic policy updates, a customer is integrating our firewall with their IT ticketing solution (ServiceNow) as a means of generating policy updates as new IT assets are deployed. In this scenario, the new asset (PC, Workstation, Laptop) IP address is harvested and pulled into the firewall as part of the policy update.
Most security professionals have too many things to do in a single day. The ability use the XMP API, DAG and VM-Monitoring to tie our enterprise security platform, both virtualized or physical form-factor, into external data sources as a means of automating what are normally manual and time consuming tasks is a wickedly cool feature.
Got a cool example of how you use any of these features? Comment and let us know.
Matt Keil
[Palo Alto Networks Blog]
English