Learn the risks of the traditional approach to securing data center server traffic to internet servers (for updates, certificate revocation checks, etc.) and how the best practice approach mitigates those risks.
The traditional legacy approach to securing data center
traffic flowing to the internet leaves valuable assets exposed to
risk, while the best practice approach protects your valuable assets.
The Traditional Approach: Create port-based rules and/or IP-based rules, which provide sufficient security in the trusted network.
The Risk: Port-based and IP-based rules can't control which applications are allowed to connect to the internet. If a port is open, any application can use the port.
The Best Practice Approach: Create strict application-based whitelist rules that allow only the data center servers that retrieve updates to use only legitimate applications to communicate only with legitimate update servers. Log and monitor whitelist rule violations.

The Traditional Approach: Data center servers only reach out to trusted servers such as update servers, so decrypting that traffic isn't necessary.
The Risk: Malware or command-and-control software that is already in the data center may attempt to communicate with external servers to download more malware or exfiltrate data.
The Best Practice Approach: Decrypt all traffic from the data center to the internet. Create a custom URL category that defines the URLs data center servers are allowed to contact and use it in Security policy to limit internet access to those external servers. Use the same custom URL category in Decryption policy to decrypt traffic to those external servers.

The Traditional Approach: Mix blocking and alerting threat prevention profiles from multiple vendors.
The Risk: A conglomeration of individual tools leaves security holes for attackers and may not work together well.
The Best Practice Approach: The Palo Alto Networks suite of coordinated security tools works together to plug security holes and prevent