>
    Manage: Security Posture Settings
    Focus
    Download PDF
    Focus
    1. Home
    2. Strata Cloud Manager
    3. Manage: Security Posture
    4. Manage: Security Posture Settings
    Download PDF
    Strata Cloud Manager

    Manage: Security Posture Settings

    Table of Contents

    Manage: Security Posture Settings

    Customize security posture checks for your deployment to maximize relevant recommendations.
    Where Can I Use This?
    What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • NGFW (Managed by Strata Cloud Manager)
    • NGFW (PAN-OS or Panorama Managed)
    • VM-Series, funded with Software NGFW Credits
    • Prisma Access
       license or
      AIOps for NGFW Premium license (use the Strata Cloud Manager app)
    Strata Cloud Manager leverages a set of predefined
    Best Practice Checks
     that align with industry-specific standard cybersecurity controls, such as CIS (Center for Internet Security), and NIST (National Institute of Standards and Technology) and custom checks you create based on the specific needs of your organization. These checks evaluate configurations and settings within the cloud infrastructure, identifying deviations from best practices or compliance requirements.
    The security posture checks in Strata Cloud Manager encompass a range of security domains, including network security, data protection, and identity and access management. These checks assess firewall rules, encryption, authentication mechanisms, and the overall integrity of configurations.
    When your configuration detects deviations, Strata Cloud Manager provides actionable insights and remediation recommendations, and can even automate some parts of the process for correcting misconfigurations and noncompliant settings to help you maintain a secure and compliant cloud environment with minimal manual intervention.
    Security posture settings bring together the functionality of both the AIOps and Strata Cloud Manager security check settings pages.
    Select
    Manage
    Security Posture
    Settings
     to view, manage, and customize security posture checks for your deployment to maximize relevant recommendations.
    • Security Checks
       – List of the best practice checks that are used to evaluate your configuration.
      Your configuration is compared against these checks to assess the security posture of your devices and to generate security alerts. You can perform the following actions to manage these checks based on your environment:
      1. Set the severity level for your custom checks to identify the checks that are the most critical to your deployment.
        You can change the severity level for your custom checks, but the severity levels for Palo Alto Networks Best Practice Checks are fixed and can't be changed.
      2. Create and delete your own custom checks, clone and edit existing checks to create new ones, and make special exceptions for checks that you don't want applied to portions of your deployment.
        As part of the initial rollout of these checks, you can clone checks that are in the custom check framework.
      3. Set the response when a check fails.
        • Alert
           (default)—Raises an alert for the failed check.
        • Block
          —Stop potential misconfigurations before they enter your deployment. Block can mean any of the following depending on how you manage it:
          • Inline Checks on Strata Cloud Manager
            —Prevents you from committing or pushing a noncompliant configuration, but won't prevent you from saving your configuration locally.
          • Real-Time* Inline Checks on Strata Cloud Manager
            —Prevents you from even saving a noncompliant configuration.
          • Panorama Managed**
            —Prevents you from committing a noncompliant configuration to Panorama but won't prevent you from saving it to the Panorama candidate configuration.
          • PAN-OS Web Interface, API, or CLI management—Block has no enforcement effect on configurations that are not either Cloud managed or Panorama managed.
          • *Due to their logical complexity, some inline checks are run asynchronously on a fixed schedule but not in real time. A failure of a real-time check in your configuration will prevent you from saving that configuration, even locally.
          • **The Panorama CloudConnector Plugin is required to enforce the block commit action on Panorama.
    • Security Check Exceptions
      Turn off individual checks for devices or groups of devices you specify.
    • Zone to Role Mapping
      Map the zones in NGFWs to roles to get customized recommendations.
    • Role-to-Security Service Mapping
      Manage the security services needed for traffic between zones and roles in all NGFWs.

    Create a Custom Check

    Create your own custom check from an existing check. Alternatively, skip to step #4 to create a custom check from scratch.
    1. Select
      Manage
      Security Posture
      Settings
      .
    2. Identify the check you want to clone and
      Clone
      .
    3. Edit
       the check you cloned and skip to step #5 to make your changes.
    4. Go to
      Manage
      Security Posture
      Settings
      , and select
      Create Custom Check
      .
    5. Specify the
      General Information
       for your check. Your custom check must have a
      Name
       and a
      Description
      , but you should also add a
      Recommendation
       and a
      Rationale
       for your check to help others understand the intent of and best practice for your custom check.
    6. Optional
       Select an
      Object Type
      – the section of your configuration for which you're creating a check that determines which
      Rule Properties to Match
       you can choose when creating your check.
    7. Use the
      Logic Builder
       for your custom check.
      1. Add Expression
        –A single line of logic that describes the match criteria for a configuration.
        Rule Properties to Match
        Match Operator
        Specific Criteria
        • General–Name, Description, Position, and Schedule
        • Sources–Zones, addresses, Users
        • Destinations–Zones and addresses
        • Applications, Services, and URLs
        • Actions and Advanced Inspection
        • Is
        • Is not
        • Is empty
        • Is not empty
        • Starts with
        • Ends with
        • Contains
        • Greater than
        • In
        • Is equal or greater than
        • Is equal or less than
        • Less than
        • Equal
        • Not equal
        • Does not contain
        • All of
        • Some of
        • None of
        [Text field]
      2. Add Condition
        –Use logical operators (such as AND, OR, IF, THEN, ELSE, and ELSE IF) to connect or combine expressions, additional conditions, and groups.
      3. Add Group
        –Create a set of expressions, conditions, or both. This group, taken together, results in a True or False condition.
        • Adds a new expression or condition
        • Clones an expression or condition
        • Removes an expression or condition
        The expression in this example issues a warning when it sees policy rules that allow Okta traffic to and from Russian IP addresses. The example simply illustrates how the logic builder works, and isn't intended to be a recommendation.
    8. Save
       your check.

    Manage Your Checks

    You can perform any of the following
    Actions
     on your security checks:
    • Clone
      *–Creates a copy of a check.
    • Edit
      **–Make changes to an existing custom check.
    • Delete
      **–Removes a custom check you created.
    Select the checks you want to take action on and select the appropriate action.
    • *You can clone only one check at a time.
    • **You can edit or delete custom checks only.
    • You may need to get permission from an administrator to edit a custom check.

    Create an Exception for a Check

    Where needed, you can restrict where checks are applied in your deployment.
    1. Select
      Manage
      Security Posture
      Settings
      Security Check Exceptions
      and
      Create Security Check Exception
      .
      Alternatively, Select
      Manage
      Security Posture
      Settings
      , and identify the check you want to exclude and select it (
      Exceptions
       column).
    2. Specify the information needed to
      Create Exception Rule
       for your check. Provide a name, a reason, and conditions for your exception.
      The
      Security Check Exception
       feature is currently only applicable to alerts, and the
      Best Practices
       and
      Security Posture Insights
       dashboards.
    3. Optional
       Add a
      Ticket Number
       or a
      Description
       for your exception to help others understand the intent and history behind for your exception.
    4. Save
       your exception.

    Your Checks at Work

    Field-level checks show you where your configuration does not align with a best practice or custom check. The checks provide best practice guidance inline, so that you can immediately take action.
    You can also view and manage security checks right where you are.
    • Create and manage your policy rules–Security policy rules allow you to enforce rules and take action, and can be as general or specific as needed. (
      Manage
      Configuration
      NGFW and Prisma Access
      Security Services
      Security Policy
      )
    • Setup Devices–Configure service route, connection settings, allowed services, and administrative access settings for the management and auxiliary interfaces for your firewalls. (
      Manage
      Configuration
      NGFW and Prisma Access
      Device Settings
      Device Setup
      )
    If the configuration you're trying to save does not pass your criteria to pass, you will have the option to remediate the issue, or override* the warning and save your changes anyway.
    • *Override permission is governed by role-based access controls (RBAC) and must be enabled for your role for this option to appear. Actions pertaining to overrides, custom checks, and exceptions, are logged in Audit Logs:
      Incidents and Alerts
      Log Viewer
      Audit (log type)
      .
    • Everything you do with custom checks, overrides, and exceptions is logged in Audit:
      Incidents and Alerts
      Log Viewer
      Audit (log type)
      .

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.