Follow Post-Deployment Data Center Best Practices

This checklist shows you how to monitor and maintain your best practice data center deployment to keep your network safe as applications and circumstances evolve.
After you begin deploying data center best practices, monitor the network to ensure that security and access are working as expected, and then maintain the rulebase as circumstances change.
  1. Check the predefined Applications report (Monitor > Reports > Application Reports > Applications) to verify that only applications you whitelisted in Security policy rules are running.
    If you find unexpected applications, review the Security policy rules and refine them to eliminate unexpected applications or to accommodate legitimate applications.
  2. Use Palo Alto Networks’ extensive monitoring tools, logging tools, predefined reports, and custom reports to capture and monitor activity for unexpected applications, users, traffic, and behaviors.
  3. Create custom reports to monitor the block rules, which protect against potential attacks and also identify policy gaps and unexpected behaviors so you can tune the rulebase.
  4. Create a custom report to log intra-data-center traffic that matches the predefined intrazone-default allow rule at the bottom of the rulebase, which allows all traffic within the same zone by default.
  5. Enable logging on and create a custom report for data center traffic that matches the predefined interzone-default rule at the bottom of the rulebase, which denies all traffic between zones by default.
  6. Listen and respond to user feedback.
    User complaints about losing access to applications identify gaps in the rulebase or risky applications that were in use on your network before application whitelisting prevented their use.
  7. Periodically compare the baseline measurements you took during the planning stage to the current measurements to evaluate progress, identify changes, and find areas of improvement.
    At the same time, revisit your goal for the ideal future state of the network to assess progress. If you manage firewalls with Panorama, monitor firewall health to compare devices to their baseline performance and to each other to identify deviations from normal behavior.
  8. Evolve application whitelist rules over time because applications evolve, user requirements change, and content updates modify existing App-IDs and introduce new App-IDs.
    Maintain the data center best practice rulebase and review new and modified App-IDs before you install a new content release so you can modify the rulebase if the changes impact policy.
  9. Use Palo Alto Networks assessment and review tools to assess your current prevention posture and your adoption of best practices.
  10. Refer to the full Data Center Best Practice Security Policy for details about each planning, deployment, and post-deployment step and how they benefit you.
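The following is an added example, not code from the Palo Alto Networks documentation. It shows the kind of check behind steps 1, 4 and 5 above: given exported traffic-log rows, list allowed applications that are not on the whitelist and count sessions that fell through to the intrazone-default and interzone-default rules. The rows and the column names (rule, app, from_zone, to_zone, action) are constructed for illustration and are not the exact PAN-OS export format.

```python
import csv
import io
from collections import Counter

# Constructed sample of exported traffic-log rows (not real PAN-OS output);
# the column names are assumptions that mirror the log's concepts.
SAMPLE_LOG = """rule,app,from_zone,to_zone,action
allow-web-tier,ssl,dc-web,dc-app,allow
allow-db,mssql-db,dc-app,dc-db,allow
intrazone-default,smb,dc-app,dc-app,allow
intrazone-default,ssh,dc-web,dc-web,allow
interzone-default,telnet,dc-web,dc-db,deny
allow-web-tier,bittorrent,dc-web,dc-app,allow
interzone-default,ssh,dc-app,dc-db,deny
interzone-default,telnet,dc-web,dc-db,deny
"""

# App-IDs explicitly whitelisted in the data center rulebase (constructed).
WHITELIST = {"ssl", "mssql-db", "ssh"}

# The two predefined rules at the bottom of the rulebase.
DEFAULT_RULES = ("intrazone-default", "interzone-default")


def parse_log(text):
    """Parse CSV traffic-log rows into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def unexpected_apps(rows, whitelist):
    """Step 1: App-IDs that were allowed but are not on the whitelist.

    Sessions allowed by intrazone-default show up here too, because that
    rule permits traffic within a zone regardless of the whitelist.
    """
    return sorted({r["app"] for r in rows
                   if r["action"] == "allow" and r["app"] not in whitelist})


def default_rule_hits(rows):
    """Steps 4 and 5: sessions per (rule, app, from_zone, to_zone) that
    matched a default rule; each entry is a candidate policy gap or an
    attempted zone crossing worth investigating."""
    hits = Counter()
    for r in rows:
        if r["rule"] in DEFAULT_RULES:
            hits[(r["rule"], r["app"], r["from_zone"], r["to_zone"])] += 1
    return hits


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("Allowed but not whitelisted:", unexpected_apps(rows, WHITELIST))
    for (rule, app, src, dst), n in sorted(default_rule_hits(rows).items()):
        print(f"{n}x {rule}: {app} {src} -> {dst}")
```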