Follow Post-Deployment Data Center Best Practices
This checklist shows you how to monitor and maintain your best practice data center deployment to keep your network safe as applications and circumstances evolve.
After you begin deploying data center best practices, monitor the network to ensure that security and access are working as expected, and then maintain the rulebase as circumstances change.
- Check the predefined Applications report (MonitorReportsApplication
to verify that only applications you whitelisted in Security policy
rules are running.If you find unexpected applications, review the Security policy rules and refine them to eliminate unexpected applications or to accommodate legitimate applications.
- Log all data center traffic.
- Create custom reports to monitor the block rules, which protect against potential attacks and also identify policy gaps and unexpected behaviors so you can tune the rulebase.
- Create a custom report to log intra-data-center traffic that matches the predefined intrazone-default allow rule at the bottom of the rulebase, which allows all traffic within the same zone by default.
- Enable logging on and create a custom report for data center traffic that matches the predefined interzone-default rule at the bottom of the rulebase, which denies all traffic between zones by default.
- Listen and respond to user feedback.User complaints about losing access to applications identifies gaps in the rulebase or risky applications that were in use on your network before application whitelisting prevented their use.
- Periodically compare the baseline measurements you took
during the planning stage to the current measurements to evaluate progress,
identify changes, and find areas of improvement.At the same time, revisit your goal for the ideal future state of the network to assess progress. If you manage firewalls with Panorama, monitor firewall health to compare devices to their baseline performance and to each other to identify deviations from normal behavior.
- Evolve application whitelist rules over time because applications evolve, user requirements change, and content updates modify existing App-IDs and introduce new App-IDs.
- Use Palo Alto Networks assessment and review tools to assess your current prevention posture and your adoption of best practices.
- Refer to the full Data Center Best Practice Security Policy for details about each planning, deployment, and post-deployment step and how they benefit you.
Data Center Security Policy Best Practices Checklist
If you’re already familiar with Palo Alto Networks’ platform, this checklist streamlines planning for and deploying security best practices in your data center. ...
Log and Monitor Data Center Traffic
Use logging and monitoring tools to find out which applications are in use, how they behave, and who is really on your data center network ...
Monitor Data Center Block Rules and Tune the Rulebase
Monitor traffic that you explicitly block so that you can investigate potential attacks and evaluate whether you should allow any of the blocked traffic. ...
Maintain the Data Center Best Practice Rulebase
As conditions in your data center change, update the Security policy rulebase accordingly. Modify rules to control new and modified applications, protect new servers and ...
Create Intra-Data-Center Application Whitelist Rules
Create whitelist rules that allow servers in different data center server tiers to communicate so that they can provide application services, while preventing unnecessary communication ...
Create User-to-Data-Center Application Whitelist Rules
Create whitelist rules that allow different groups of users access to only the data center applications and resources that they require for business purposes, and ...
What Data Center Traffic to Log and Monitor
The types of data center traffic you should log and monitor, the tools you can use to analyze the traffic, and how to best utilize ...
Data Center Best Practice Security Policy
Learn about Palo Alto Networks data center security policy best practices to protect your most valuable assets. ...
Create Data-Center-to-Internet Application Whitelist Rules
Create whitelist rules that allow the appropriate data center servers to connect to update servers, certificate revocation servers, and other necessary servers on the internet, ...