Improve Visibility into Traffic

Increase visibility into traffic as much as possible to protect against hidden threats, evasive applications, and malicious content.
You can’t protect yourself against threats you can’t see, so you must ensure you have full visibility into traffic, across all users and applications, at all times. Complete visibility into the applications, content, and users on your network is the first step toward informed policy control:
  • Maximize Security profile adoption. After you Review the Adoption Summary and identify gaps in adoption, remediate the gaps using the safe transition steps to move toward a full best practice Security profile implementation.
  • Maximize Logging adoption (including Log Forwarding) across the Security policy rulebase to inspect
  • Configure best practices for dynamic content updates to ensure the firewall has the latest application and threat signatures to protect your network and that you deploy updates based on your network security and availability requirements.
  • Enable User-ID in user zones (internal, trusted zones from which users initiate traffic) to map application traffic and associated threats to users and devices.
    Don’t enable User-ID in external untrusted zones. If you enable User-ID (or client probing such as WMI) on an external untrusted zone, probes could be sent outside your protected network and expose User-ID information such as the User-ID Agent service account name, domain name, and encrypted password hash, which could enable an attacker to compromise your network.
  • Reduce or eliminate Application Override rules so you can inspect the applications and content these rules control (an Application Override rule is a layer 4 rule that doesn’t allow the firewall to inspect the traffic). Eliminate the need for or reduce the scope of basic Application Override rules:
    • Validate whether the use case for the rule still exists. Often, an Application Override rule was created to overcome a specific issue related to performance, protocol decoders, or unknown applications. Over time, PAN-OS updates, content updates, or hardware upgrades may remove the need for some Application Override rules. If you run PAN-OS 9.0 or later on firewalls or PAN-OS 9.0 or later on a Panorama managing firewalls running PAN-OS 8.1 (or later), you can use Policy Optimizer to transform the rule to a layer 7 rule.
    • Reduce the scope of the Application Override rule so it only affects the minimum possible amount of traffic. Rules that are defined too broadly may override more traffic than necessary or intended. Define source and destination zones, address, and/or ports in each Application Override rule to limit the rule’s scope as much as possible.
    • Create layer 7 custom applications for internal applications.
    • Create Service objects with custom timeout values.
  • Plan to deploy DoS and Zone Protection and take baseline CPS measurements so you can set reasonable flood protection thresholds.
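A practical way to find the gaps the Application Override and User-ID items above describe is to audit the firewall configuration export rather than click through every rule. The script below is an added example (not Palo Alto Networks code): it parses a small, constructed configuration sample and reports Application Override rules that are still scoped to `any` in any of from/to/source/destination/port, plus zones you name as untrusted that have User-ID enabled. The XML element paths (`rulebase/application-override/rules/entry`, `zone/entry/enable-user-identification`) are assumptions modelled on a PAN-OS running-config export; confirm them against your own export before relying on the output.

```python
"""Audit a PAN-OS style configuration export for two visibility gaps:
broadly scoped Application Override rules and User-ID enabled on external
(untrusted) zones.  Added example, not Palo Alto Networks code.  The XML
layout is an assumption modelled on a running-config export."""
import xml.etree.ElementTree as ET

# Constructed sample export (not taken from a real firewall).
SAMPLE_CONFIG = """
<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <zone>
      <entry name="trust"><enable-user-identification>yes</enable-user-identification></entry>
      <entry name="untrust"><enable-user-identification>yes</enable-user-identification></entry>
      <entry name="dmz"><enable-user-identification>no</enable-user-identification></entry>
    </zone>
    <rulebase><application-override><rules>
      <entry name="legacy-erp-override">
        <from><member>any</member></from>
        <to><member>any</member></to>
        <source><member>any</member></source>
        <destination><member>any</member></destination>
        <protocol>tcp</protocol><port>any</port>
        <application>erp-custom</application>
      </entry>
      <entry name="scoped-erp-override">
        <from><member>trust</member></from>
        <to><member>dmz</member></to>
        <source><member>10.1.0.0/16</member></source>
        <destination><member>10.9.1.10</member></destination>
        <protocol>tcp</protocol><port>8443</port>
        <application>erp-custom</application>
      </entry>
    </rules></application-override></rulebase>
  </entry></vsys></entry></devices>
</config>
"""

# Fields whose value decides how much traffic an Application Override rule
# captures; a rule left at "any" in all of them bypasses layer 7 inspection
# for far more traffic than it was created for.
SCOPE_FIELDS = ("from", "to", "source", "destination")


def load_config(xml_text):
    """Parse an export into an ElementTree root."""
    return ET.fromstring(xml_text)


def members(entry, field):
    """Return the <member> values under a scope field, e.g. ['any']."""
    return [m.text.strip() for m in entry.findall(f"{field}/member") if m.text]


def audit_app_override(root):
    """Map each Application Override rule name to the scope fields still set
    to 'any' (an empty list means the rule is already narrowly scoped)."""
    findings = {}
    for block in root.iter("application-override"):
        for rule in block.findall("rules/entry"):
            broad = [f for f in SCOPE_FIELDS if members(rule, f) == ["any"]]
            port = (rule.findtext("port") or "").strip()
            if port in ("", "any"):
                broad.append("port")
            findings[rule.get("name")] = broad
    return findings


def audit_user_id(root, untrusted_zones):
    """Return the untrusted zones on which User-ID is enabled; User-ID and
    client probing belong only in internal, trusted zones."""
    flagged = []
    for zone in root.iter("zone"):
        for entry in zone.findall("entry"):
            name = entry.get("name")
            enabled = (entry.findtext("enable-user-identification") or "no").strip()
            if name in untrusted_zones and enabled == "yes":
                flagged.append(name)
    return flagged


def report(xml_text, untrusted_zones=("untrust",)):
    """Human-readable findings, one line per issue."""
    root = load_config(xml_text)
    lines = []
    for rule, broad in audit_app_override(root).items():
        if broad:
            lines.append(f"app-override rule '{rule}' is 'any' in: {', '.join(broad)}")
    for zone in audit_user_id(root, set(untrusted_zones)):
        lines.append(f"User-ID is enabled on untrusted zone '{zone}'")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Run it against a real export by replacing `SAMPLE_CONFIG` with the file contents and passing your own list of external zone names to `report()`; rules listed with `port` or all four scope fields at `any` are the first candidates for the scope reduction or Policy Optimizer conversion described above.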
When you implement these native App-ID, Content-ID, User-ID, and SSL Decryption capabilities, the firewall gains visibility into and can inspect all of your traffic—applications, threats, and content—and tie events to the user, regardless of location, device type, port, encryption, or an attacker’s evasive techniques.
Improving the adoption of capabilities such as SSL Decryption, logging, flood protection, Security profiles, etc., may result in additional firewall resource consumption. Understand the capacity of your firewalls and ensure they’re properly sized to handle any additional load. Your Palo Alto Networks SE or CE can help you size the deployment. You also may need additional log storage space.
After you configure changes, Run the BPA to validate the changes, measure progress, and prioritize the next changes.