Maintain Security Policy Best Practices
Maintain your best practices Security policy deployment in PAN-OS and Prisma Access.
- Keep all security subscriptions current to avoid gaps in coverage.
- Keep up with Applications and Threats content updates and follow best practices for Applications and Threats content updates.
- Review Release notes for the latest features, changes to default behavior, issues, etc.
- Create daily, weekly, monthly (and any other period you need) maintenance checklists. Security policy deployment maintenance is a recurring task because new applications, users, and IoT devices are continuously added to and deleted from your environment as things change over time. For example, checklists can include:
  - Evaluating Applications and Threats content updates.
  - Using Policy Optimizer for managing applications.
  - Reviewing IoT and SaaS policy recommendations and updates. The posture of IoT devices may change over time, and the SaaS applications in use may change or need to be treated differently, which requires updating the rules. Keep sanctioned/tolerated/unsanctioned tags for applications updated.
  - Setting times to run Security posture analysis tools.
  - Reviewing behavior changes and issues documented in the release notes.
  - Reviewing Security policy rules to see if you can tighten them or if they are no longer needed.
- Maintain App-ID in Security policy:
  - Review new and modified content-delivered App-IDs and adjust rules as necessary.
  - As you add new applications to your network, include them in specific, granular policy rules. Use tags and application filters to automate adding sanctioned applications, including new App-ID Cloud Engine applications, to rules.
  - When your company stops using an application, remove it from allow rules to prevent unauthorized use.
  - Regularly review the applications your Security policy rules allow.
- Maintain User-ID in Security policy:
  - As you add new users to your network, add them to the appropriate user groups to control their access and include them in policy, or add them directly to rules if they belong to no group.
  - As users leave the company or as their contracts end, remove them from user groups to prevent access. Remove individuals from rules if they weren't added as part of a group.
  - Continue to follow best practices for user group mapping and best practices for dynamic user groups (DUGs) as you add and remove users from groups and policy rules.
- Maintain and update Security profiles and profile groups as your network and goals evolve. When you add new allow rules, ensure that they have the appropriate Security profiles attached.
- Update Log Forwarding as needed for new rules and applications:
  - Apply an appropriate Log Forwarding profile to every new Security policy rule, or use a default Log Forwarding profile to automatically apply a Log Forwarding profile to new rules. If you use a default profile, check the rule to ensure that the default profile is appropriate and, if not, replace it with an appropriate profile.
  - Periodically review what you're logging, what you're not logging, and how you're logging it. Ensure that you're logging the traffic you want to log and capturing all the information you want for Security Operations Center (SOC) operations.
  - Update Log Forwarding profiles as administrators join and leave the company.
  - As new applications come into your network, update Log Forwarding to accommodate them.
- Use security posture analysis tools to check your best practices deployment:
  - In PAN-OS and Prisma Access, use Strata Cloud Manager to check Security policy as you create it.
  - Periodically run the Strata Cloud Manager on-demand Best Practices Assessment (BPA) to measure progress toward a best practices deployment.
  - Run the Security Lifecycle Review (SLR) quarterly to get a better view into your network.
- Use firewall tools to check activity and adjust Security policy as needed:
  - Use log information in PAN-OS (also applies to Panorama Managed Prisma Access) and Cloud Managed Prisma Access to investigate and monitor traffic.
  - Use the Application Command Center to see graphical summaries of the applications, users, threats, URLs, and content that traverse your network.
  - Use App Scope reports to help understand changes in application usage and user activity, bandwidth usage, and network threats.
  - Create Custom reports to view the exact data you want to investigate.
  - Check Policy Optimizer regularly to examine the rulebase and find and fix unused rules, over-provisioned rules, and rules with unused applications. Add checking Policy Optimizer to your regularly scheduled maintenance.
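As an added illustration (not from this page or from Palo Alto Networks), the following Python script checks a rulebase for the maintenance gaps described above: allow rules with no Security profile group, rules missing a Log Forwarding profile or still carrying the automatically applied default one, allow rules that permit application `any`, and rules with no recent hits. The rule records and their field names are a constructed, simplified schema, not the PAN-OS or Panorama export format; in practice you would populate them from your own rulebase export or from Policy Optimizer data. Deny rules are not flagged for a missing profile group, because Security profiles only act on traffic a rule allows.

```python
"""Rulebase maintenance audit (added example with a constructed rule schema)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Rule:
    """Simplified Security policy rule. Constructed schema, not a PAN-OS export."""
    name: str
    action: str                      # "allow" or "deny"
    applications: list[str]          # App-IDs matched by the rule; "any" is over-provisioned
    profile_group: Optional[str]     # Security profile group attached to the rule
    log_forwarding: Optional[str]    # Log Forwarding profile attached to the rule
    last_hit: Optional[date]         # last time traffic matched the rule; None = never


def audit_rule(rule: Rule, today: date, unused_after_days: int = 90) -> list[str]:
    """Return the maintenance findings for one rule (empty list = no findings)."""
    findings: list[str] = []
    if rule.action == "allow":
        # Security profiles only inspect allowed traffic, so deny rules are exempt here.
        if rule.profile_group is None:
            findings.append("allow rule has no Security profile group attached")
        if "any" in rule.applications:
            findings.append("allow rule permits application 'any'; tighten to specific App-IDs")
    if rule.log_forwarding is None:
        findings.append("no Log Forwarding profile; matching traffic is not forwarded to the SOC")
    elif rule.log_forwarding == "default":
        findings.append("default Log Forwarding profile was applied automatically; confirm it is appropriate")
    if rule.last_hit is None:
        findings.append("rule has never matched traffic; candidate for removal")
    elif (today - rule.last_hit).days > unused_after_days:
        findings.append(f"no hits in more than {unused_after_days} days; candidate for removal")
    return findings


def audit_rulebase(rules: list[Rule], today: date, unused_after_days: int = 90) -> dict[str, list[str]]:
    """Map each rule name to its findings, omitting rules with nothing to report."""
    report: dict[str, list[str]] = {}
    for rule in rules:
        findings = audit_rule(rule, today, unused_after_days)
        if findings:
            report[rule.name] = findings
    return report


# Constructed sample data: a fixed audit date and four hypothetical rules.
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_RULES = [
    Rule("allow-sanctioned-saas", "allow", ["ms-office365", "salesforce"],
         "strict-profiles", "soc-forwarding", AUDIT_DATE - timedelta(days=1)),
    Rule("legacy-ftp-access", "allow", ["ftp"],
         None, "default", AUDIT_DATE - timedelta(days=200)),
    Rule("temp-any-allow", "allow", ["any"],
         "default-profiles", None, None),
    Rule("block-unsanctioned", "deny", ["any"],
         None, "soc-forwarding", AUDIT_DATE - timedelta(days=3)),
]


if __name__ == "__main__":
    for name, findings in audit_rulebase(SAMPLE_RULES, AUDIT_DATE).items():
        print(name)
        for finding in findings:
            print(f"  - {finding}")
```

Running the script lists only the two rules that need attention: the legacy FTP rule (no profile group, default Log Forwarding profile, stale) and the temporary `any` rule (over-provisioned, no Log Forwarding profile, never hit). Schedule a check like this alongside the Policy Optimizer review rather than as a replacement for it; Policy Optimizer also reports the specific applications a rule has actually seen.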
- Use SecOps tools and services to monitor your entire security posture proactively, help prevent threats, and investigate issues:
  - Cortex XSIAM combines SOC analytics for proactive monitoring with SIEM capabilities.
  - Cortex XSOAR provides comprehensive security orchestration, automation, and response, including response playbooks, for threat intelligence management and real-time collaboration.
  - Cortex XDR provides an extended detection and response platform that monitors and manages cloud, network, and endpoint events and data.
  - SOC Services such as SecOps Prevention Posture Assessment, optimization, and learning workshops.
- The following resources provide more information about Palo Alto Networks platforms, features, and support:
  - The Security Best Practices Documentation Portal contains standalone books such as IoT Security Best Practices, Administrative Access Best Practices, and Decryption Best Practices, and links to best practices topics in various administrator's guides.
  - Administrator's Guides:
    - IoT Security Solution Structure (summary of how the IoT Security solution works)
    - SaaS Security on Prisma Access (Panorama Managed and Cloud Managed)