Best Practices for Getting Started with NGFWs
Focus
Focus
Next-Generation Firewall

Best Practices for Getting Started with NGFWs

Table of Contents

Best Practices for Getting Started with NGFWs

Learn about the best practices for your NGFW.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by PAN-OS or Panorama)
Now that you have integrated the NGFW into your network and enabled the basic security features, you can begin configuring more advanced features. Here are some things to consider next:
  • Follow the Adminstrative Access Best Practices to make sure you are properly securing the management interfaces.
  • Configure a best-practice security policy rulebase to safely enable applications and protect your network from attack. Go to the Best Practices page and select security policy best practice for your NGFW deployment.
  • Set up High Availability—High availability (HA) is a configuration in which two NGFWs are placed in a group and their configuration and session tables are synchronized to prevent a single point to failure on your network. A heartbeat connection between the NGFW peers ensures seamless failover in the event that a peer goes down. Setting up a two-NGFW cluster provides redundancy and allows you to ensure business continuity.
  • Enable User Identification (User-ID)—User-ID is a Palo Alto Networks next-generation NGFW feature that allows you to create policies and perform reporting based on users and groups rather than individual IP addresses.
  • Enable Decryption—Palo Alto Networks NGFWs provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Use decryption on a NGFW to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted or tunneled traffic.
  • Share Threat Intelligence with Palo Alto Networks —Permit the NGFW to periodically collect and send information about applications, threats, and device health to Palo Alto Networks. Telemetry includes options to enable passive DNS monitoring and to allow experimental test signatures to run in the background with no impact to your security policy rules, NGFW logs, or NGFW performance. All Palo Alto Networks customers benefit from the intelligence gathered from telemetry, which Palo Alto Networks uses to improve the threat prevention capabilities of the NGFW.