THROUGH THE MSSP LENS: PAN-OS 7.0 Enhancements

PAN-OS 7.0 represents a significant enhancement in the capabilities of the Palo Alto Networks security platform for Managed Security Service Providers (MSSPs) leveraging our disruptive technologies to deliver innovative solutions.

MSSP Focused

The PAN-OS® 7.0 release included multi-tenant reporting capabilities; global search and filtering functions that let you find, clone, and/or stack objects; faster means to derive actionable intelligence about potential threats; better management tools for migrating managed appliances; and redeploying licenses of managed virtual machines.

Palo Alto Networks continues to enhance its platform with capabilities to support managed security service providers, and strives for continual improvement. Please talk with your Palo Alto Networks® sales teams for feedback or answers to questions about these, or any other, features of our industry-leading technology.

Panorama – Multi-tenant management capabilities: PAN-OS allows an admin to create a role-based access control (RBAC) account in Panorama™ whereby that role only has access to one or more device groups, templates, contexts, or access domains. In version 7.0, a user's views of the ACC console and Monitor tabs are limited by the role's span of control and visibility. Version 7.0 therefore allows Panorama to be used as a multi-tenant reporting platform.

Panorama – Automated correlation engine (ACE): events from any appliance can be forwarded to Panorama for further correlation. Automated correlation can also be performed "on-box" on the PA-3000, PA-5000, and PA-7000 Series firewalls. The feature is useful for large-scale managed deployments of Palo Alto Networks gateways, where the ACE engine can help identify interesting hosts by auto-correlating indicators of compromise (IOCs). This correlation engine enables an MSSP to quickly create security rules or direct incident responders to contain and measure the problem, generating revenue and enabling faster SLAs.

Figure 1: Automated Correlation

Palo Alto Networks | Solution Brief

Panorama – Import device configuration: prior to version 7.0 it was not possible to import configuration from existing firewalls; configurations had to be deconstructed and then created or pushed from Panorama to the managed appliance. With 7.0, users can migrate previously customer-managed Palo Alto Networks firewalls into Panorama for configuration consolidation and integration into existing device groups and templates.
• Import is located under Panorama -> Setup -> Operations -> Import device configuration to Panorama

Panorama – Device group and template stacking: As of 7.0, PAN-OS allows multiple device groups and/or templates to be stacked on top of each other, enabling a more granular and flexible hierarchy and object re-usability. This enables MSSPs to develop, for example, a global device group policy that applies to all customers, and then create a customer-specific device group over the managed appliances. However, once stacked templates are implemented, the number of firewalls any given Panorama can manage drops from a maximum of 1000 to 128; the limitation only applies to devices if there is a one-to-one mapping (one device per template).

PAN-OS/Panorama – License and auth-code enhancements: MSSPs can now deactivate and redeploy VM-Series licenses (and their associated subscriptions) between virtual firewalls. An MSSP can use this to redeploy permanently entitled VMs between customers as customers enroll in or depart managed services. The license deactivation process enables an MSSP to self-manage licenses.
• Whether you want to remove one or more active licenses or subscriptions attributed to a firewall (hardware-based or VM-Series firewall), or you want to deactivate the VM-Series firewall and unassign all active licenses and subscriptions, begin the deactivation process on the firewall or Panorama (and not on the Palo Alto Networks Support portal).
• If the firewall/Panorama has Internet access and can communicate with the Palo Alto Networks licensing servers, the license removal process completes automatically with a click of a button. If the firewall/Panorama does not have Internet access, you must complete the process manually in two steps:
• First, from the firewall or Panorama, generate and export a license token file that includes information on the deactivated keys.
• Second, upload the token file on the Palo Alto Networks Support portal to dissociate the license keys from the firewall.
• For details, please refer to: https://paloaltonetworks.com/documentation/70/virtualization/virtualization/about-the-vm-series-firewall/deactivate-the-license-s.html

PAN-OS – Global Find: Version 7.0 enables an administrator to globally search the entire configuration for a specific string, such as an IP address. The feature is very useful in sifting through large configurations or in large deployments of multiple devices. Furthermore, the find function can be executed in Panorama, which helps reduce the likelihood of a failed commit caused by a duplicated object being invoked locally as well as pushed out by the central manager. Global Find is labeled "Search", with a small magnifying glass icon, in the top-right corner of the Panorama UI. When you hover over this Search link, it brings up the text "Global Find." See Figure 2. However, an implicit limitation remains: while an MSSP can use this feature to find strings, there is no on-box method to then replace those strings globally. String replacement must be done either manually on-box or by extracting the configuration and manipulating it using a tool like the Palo Alto Networks Migration Tool (v3.0).

Figure 2: Global Find

PAN-OS – Move/Clone Objects: managing at scale can be hard. With version 7.0, MSSP administrators can manipulate defined objects, such as IP addresses, data patterns used in custom signatures, tags, and anything else defined under the Objects tab or in the object XML path (Figure 3). This makes it easier to re-use an object that worked before as the basis for an updated variable or order of operation. Even better, PAN-OS gives admins a choice as to how the system should respond if that clone appears anywhere else during the commit process.

Figure 3: Clone Objects

PAN-OS – Rule usage: the ACC now displays, in a widget (Figure 4), the top ten most used rules, making it easier to find those that are more significant. When expanded, the view shows all rules and how often they are being used, allowing administrators to determine whether those rules are required or can be removed.

Figure 4: Rule Usage

Panorama/PAN-OS – Enhanced configuration validation: With version 7.0, MSSP administrators can "review policies" to determine the impact of deploying dynamic library updates before hitting the commit button. This is extremely useful when the need to deploy updated threat signatures drives a rapid, and often automated, push of the combined application and threat update: applications whose signature matched one policy could now fail because, after the update, they are defined as something other than what the policy names. This feature alerts the user in Panorama, or the local administrator of a firewall, to which portions of the configuration will be impacted, enabling more successful commits during the maintenance window and higher assurance that application definitions can change without sacrificing up-to-date threat prevention.

Note that, in order for Panorama to alert and display warnings correctly and consistently, all firewalls and log collectors need to be in sync with the manager. Otherwise, Panorama will not know whether a device is running soon-to-be-affected code. The best practice is to mandate dynamic updates.

Figure 5: Enhanced Configuration Validation

Figure 6: Mandated Dynamic Updates

Panorama – Log collector redundancy and retention: Version 7.0 permits a duplicate copy of each log to be stored across an M-Series log collector cluster, and lets important types of logs be retained longer. This better enables an MSSP to ensure logs are retained long enough to meet customer-facing reporting requirements.

PAN-OS – SNMP features: there are now counters for logical interfaces, sub-interfaces, global counters (e.g., DoS-related, TCP state), and LLDP MIBs.

Benefit: MSSPs need SNMP for their management offers. These include:
• LLDP MIB implementation (based on MIB for IEEE 802.3AB-2009)
–– Configuration
–– Neighbor information
–– Statistics
• SNMP counters for logical interfaces
• Supported subinterface types
–– L2/L3 subinterfaces
–– Tunnel (including the status of IPSec tunnels)
–– vWire
–– LAG (802.3ad)
–– Loopback
–– Interfaces and ifMIB
• ifXTable and ifStackTable MIB support
• Global Counters (subset of the "show global counters" CLI command)
–– DoS-related counters
–– IP fragmentation counters
–– TCP state-related counters
–– All relevant packet drop counters

PAN-OS – WildFire grayware verdict: this feature adds another type of classification to WildFire's previous verdicts of malware or benign. WildFire can now identify files that behave like malware but are not malicious in nature. MSSPs now have another reason to consider developing a service in which a security team reviews the grayware results and rolls them into weekly summary updates for end customers who do not have the time to review such findings. Additionally, this feature strengthens the power of any WildFire-based zero-day prevention service.

PAN-OS/Panorama – Tag Browser: with one click, an MSSP architect or SOC analyst can view all the tags in a rule base on a device, in a device group, or across the entire managed device community. This enables an MSSP to more easily and consistently manage classifications and identify policies of a similar kind across large datasets. It will make it easier to find affected elements of firewall configurations when or if the MSSP's security requirements, or those of individual customers, change.

Figure 7: Tag Browser

PAN-OS – SaaS Application Usage report: as of version 7.0, there is a predefined report providing visibility into SaaS application usage, as shown in Figure 8. This enables MSSPs building or selling visibility services to extend that functionality beyond seeing which applications are used behind the firewall: applications can be correlated to the rule(s) that were used to secure them.

Figure 8: SaaS Application Usage Report

4401 Great America Parkway Santa Clara, CA 95054 Main: +1.408.753.4000 Sales: +1.866.320.4788 Support: +1.866.898.9087 www.paloaltonetworks.com
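The Global Find section above notes that PAN-OS 7.0 can locate a string such as an IP address anywhere in the configuration, but that there is no on-box global replace, so replacement has to happen on an extracted copy of the configuration. The following is an added example, not Palo Alto Networks code, that performs both steps offline over an exported XML configuration: the XML sample is constructed and trimmed, and its element layout is only modelled on a PAN-OS running-config, not taken from a device.

```python
import xml.etree.ElementTree as ET  # standard library only

# Constructed, trimmed stand-in for an exported running-config.xml; the PAN-OS-like layout is an assumption.
SAMPLE_CONFIG = """\
<config version="7.0.0">
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <address>
      <entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
      <entry name="db-srv"><ip-netmask>10.1.1.20/32</ip-netmask></entry>
    </address>
    <rulebase><security><rules>
      <entry name="allow-web">
        <destination><member>web-srv</member></destination>
        <description>Built for 10.1.1.10</description>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>
"""

def _xpath(lineage):
    """XPath-like location, keyed on the 'name' attribute of each <entry>."""
    return "/" + "/".join(
        el.tag + ("[@name='%s']" % el.attrib["name"] if el.tag == "entry" else "")
        for el in lineage)

def global_find(xml_text, needle):
    """Return (location, value) for every element text or attribute value that
    contains needle. Substring match, so '10.1.1.10' also hits '10.1.1.100'."""
    hits = []
    def walk(node, lineage):
        lineage = lineage + [node]
        for value in [node.text or ""] + list(node.attrib.values()):
            if needle in value:
                hits.append((_xpath(lineage), value.strip()))
        for child in node:
            walk(child, lineage)
    walk(ET.fromstring(xml_text), [])
    return hits

def global_replace(xml_text, old, new):
    """The step the brief says is missing on-box: rewrite every text node containing
    old. Returns (new_xml, nodes_changed) so the change can be reviewed before import."""
    root = ET.fromstring(xml_text)
    changed = 0
    for node in root.iter():
        if node.text and old in node.text:
            node.text = node.text.replace(old, new)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed
```

Searching for an object name (for example "web-srv") returns both its definition under address and every rule member that references it, which is the duplicate-object check the brief describes Global Find being used for in Panorama.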
© 2015 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. PAN_SB_MSSP_0S7_100815