Improve Visibility into Traffic
Increase visibility into traffic as much as possible
to protect against hidden threats, evasive applications, and malicious
content.
You can’t protect yourself against threats
you can’t see, so you must ensure you have full visibility into
traffic, across all users and applications, at all times. Complete
visibility into the applications, content, and users on your network
is the first step toward informed policy control:
- Maximize Security profile adoption. After you Review the Adoption Summary and identify gaps in adoption, remediate the gaps using the safe transition steps to move toward a full best practice Security profile implementation.
- Maximize Logging adoption (including Log Forwarding) across the Security policy rulebase to inspect all traffic.
- Configure best practices for dynamic content updates to ensure the firewall has the latest application and threat signatures to protect your network and that you deploy updates based on your network security and availability requirements.
- Enable User-ID in user zones (internal, trusted zones from which users initiate traffic) to map application traffic and associated threats to users and devices. Don’t enable User-ID in external untrusted zones. If you enable User-ID (or client probing such as WMI) on an external untrusted zone, probes could be sent outside your protected network and expose User-ID information such as the User-ID Agent service account name, domain name, and encrypted password hash, which could enable an attacker to compromise your network.
- Reduce or eliminate Application Override rules so you can inspect the applications and content these rules control (an Application Override rule is a layer 4 rule that doesn’t allow the firewall to inspect the traffic). Eliminate the need for or reduce the scope of basic Application Override rules:
  - Validate whether the use case for the rule still exists. Often, an Application Override rule was created to overcome a specific issue related to performance, protocol decoders, or unknown applications. Over time, PAN-OS updates, content updates, or hardware upgrades may remove the need for some Application Override rules. If you run PAN-OS 9.0 or later on firewalls, or PAN-OS 9.0 or later on a Panorama managing firewalls running PAN-OS 8.1 (or later), you can use Policy Optimizer to transform the rule to a layer 7 rule.
  - Reduce the scope of the Application Override rule so it only affects the minimum possible amount of traffic. Rules that are defined too broadly may override more traffic than necessary or intended. Define source and destination zones, addresses, and/or ports in each Application Override rule to limit the rule’s scope as much as possible.
  - Create layer 7 custom applications for internal applications.
  - Create Service objects with custom timeout values.
- Plan to deploy DoS and Zone Protection and take baseline CPS measurements so you can set reasonable flood protection thresholds.
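The checklist above (Security profiles on allow rules, logging and log forwarding on every rule, no User-ID on external zones, no broad Application Override rules) can be audited mechanically against an exported configuration before and after each change. The script below is an added example, not Palo Alto Networks code: it runs the four checks over a constructed, trimmed-down XML fragment whose element layout (`vsys/entry/zone`, `rulebase/security/rules`, `rulebase/application-override/rules`, `profile-setting`, `log-end`, `log-setting`, `enable-user-identification`) is assumed to match a PAN-OS export. Because the configuration does not record which zones are untrusted, the caller supplies that set (`external_zones`).

```python
"""Audit a PAN-OS-style XML config export against the visibility checklist."""
import xml.etree.ElementTree as ET

# Constructed sample config (element layout assumed; not taken from a real device).
SAMPLE_CONFIG = """<config>
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <zone>
   <entry name="trust"><enable-user-identification>yes</enable-user-identification></entry>
   <entry name="untrust"><enable-user-identification>yes</enable-user-identification></entry>
   <entry name="dmz"/>
  </zone>
  <rulebase>
   <security><rules>
    <entry name="allow-web">
     <from><member>trust</member></from><to><member>untrust</member></to>
     <action>allow</action><log-end>yes</log-end><log-setting>default-fwd</log-setting>
     <profile-setting><group><member>best-practice</member></group></profile-setting>
    </entry>
    <entry name="legacy-allow">
     <from><member>trust</member></from><to><member>dmz</member></to>
     <action>allow</action><log-end>no</log-end>
    </entry>
    <entry name="block-known-bad">
     <from><member>untrust</member></from><to><member>trust</member></to>
     <action>deny</action><log-end>yes</log-end><log-setting>default-fwd</log-setting>
    </entry>
   </rules></security>
   <application-override><rules>
    <entry name="override-broad">
     <from><member>any</member></from><to><member>any</member></to>
     <source><member>any</member></source><destination><member>any</member></destination>
     <port>8080</port><application>custom-erp</application>
    </entry>
    <entry name="override-scoped">
     <from><member>trust</member></from><to><member>dmz</member></to>
     <source><member>10.1.0.0/16</member></source><destination><member>10.2.5.10</member></destination>
     <port>8443</port><application>custom-erp</application>
    </entry>
   </rules></application-override>
  </rulebase>
 </entry></vsys></entry></devices>
</config>"""

VSYS_PATH = "./devices/entry/vsys/entry"


def _members(entry, tag):
    """Return the <member> values under a child element such as <from> or <source>."""
    return [m.text for m in entry.findall(f"./{tag}/member")]


def audit_config(xml_text, external_zones):
    """Run the four checklist checks; return a dict of rule/zone names per finding.

    external_zones: operator-supplied set of untrusted zone names (assumption:
    the config itself does not mark a zone as internal or external).
    """
    vsys = ET.fromstring(xml_text).find(VSYS_PATH)
    findings = {"userid_on_external_zone": [], "allow_without_profile": [],
                "missing_logging": [], "broad_app_override": []}

    # User-ID (and probing) must stay off external zones.
    for zone in vsys.findall("./zone/entry"):
        enabled = zone.findtext("enable-user-identification", default="no") == "yes"
        if enabled and zone.get("name") in external_zones:
            findings["userid_on_external_zone"].append(zone.get("name"))

    for rule in vsys.findall("./rulebase/security/rules/entry"):
        name = rule.get("name")
        # Allow rules without a Security profile (group) pass content uninspected.
        if rule.findtext("action") == "allow" and rule.find("profile-setting") is None:
            findings["allow_without_profile"].append(name)
        # Every rule should log at session end and forward via a Log Forwarding profile.
        if rule.findtext("log-end", default="no") != "yes" or rule.find("log-setting") is None:
            findings["missing_logging"].append(name)

    # Application Override is layer 4 only; "any" zones or addresses widen its blind spot.
    for rule in vsys.findall("./rulebase/application-override/rules/entry"):
        scope = [_members(rule, t) for t in ("from", "to", "source", "destination")]
        if any("any" in field for field in scope):
            findings["broad_app_override"].append(rule.get("name"))
    return findings


if __name__ == "__main__":
    for check, items in audit_config(SAMPLE_CONFIG, {"untrust"}).items():
        print(f"{check}: {items or 'OK'}")
```

Run against a real export, the same checks would be applied to the `running-config.xml` you save from the firewall (or to a Panorama-pushed configuration); rerunning the script after each remediation step gives a simple progress measure to set beside the BPA results.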
When you implement these native App-ID, Content-ID, User-ID,
and SSL Decryption capabilities, the firewall gains visibility into
and can inspect all of your traffic—applications, threats, and content—and
tie events to the user, regardless of location, device type, port,
encryption, or an attacker’s evasive techniques.
Improving the adoption of capabilities such as SSL Decryption,
logging, flood protection, Security profiles, etc., may result in
additional firewall resource consumption. Understand the capacity
of your firewalls and ensure they’re properly sized to handle any
additional load. Your Palo Alto Networks SE or CE can help you size
the deployment. You also may need additional log storage space.
After you configure changes, Run the BPA to validate
the changes, measure progress, and prioritize the next changes.