Practices for Completing the Firewall Deployment
Now that you have integrated the firewall into your network and enabled the basic security features, you can begin configuring more advanced features. Here are some things to consider next:

Learn about the different Management Interfaces that are available to you and how to access and use them.

Replace the Certificate for Inbound Management Traffic. By default, the firewall ships with a default certificate that enables HTTPS access to the web interface over the management (MGT) interface or any other interface that supports HTTPS management traffic. To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for

Set up High Availability—High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration and session tables are synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up a two-firewall cluster provides redundancy and allows you to ensure business continuity.

Manage Firewall Administrators—Every Palo Alto Networks firewall and appliance is preconfigured with a default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall. As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This allows you to better protect the firewall from unauthorized configuration (or modification) and to enable logging of the actions of each individual administrator.

Enable User Identification (User-ID)—User-ID is a Palo Alto Networks next-generation firewall feature that allows you to create policies and perform reporting based on users and groups rather than individual IP addresses.

Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Use decryption on a firewall to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted or tunneled traffic.