Palo Alto Networks Best Practice Compliance with Indeni
Intro and goal of this post:
- Importance of best practice analysis
- How Indeni differs from manual checks and the Palo Alto Networks BPA tool.
- Best practices covered by Indeni
Best Practice Analysis:
So, you have made a big investment in security with your firewall and all the features it has enabled. But, how do you know you have things set up properly and securely?
In an ideal world you have a large group of engineers and administrators, along with several SEs, tech support, and a few developers from the manufacturer, who all agree on the best way to configure your environment. In reality, while there are companies big enough to have manufacturer resident engineers on site, they can’t always agree on the best configuration. That’s why manufacturers are starting to publish their own best practices. Best practices are the accumulation of known-good optimizations, configurations, and practices intended by the designers of each feature. Some of these come from professional services, engineering, contractors, support teams or even customer experiences.
Palo Alto Networks has come up with the Best Practice Assessment tool available in your support portal (https://support.paloaltonetworks.com). Their BPA tool allows for a configuration/Tech Support File upload to analyze your settings based on a few questions such as identifying what security zones are Untrusted/Internet, Trusted/Corporate, SCADA, DMZ, etc. See how to use their BPA tool at the end of this post.
Currently the Palo Alto Networks BPA Tool is a manual process. While it’s been around for a few years, it used to require someone from Palo Alto Networks to run it for you. That changed at the start of 2019 when they made it self-service in the Support Portal. Even so, it takes some skilled interpretation to understand the results. Therefore, they recommend you get an SE to review the results with you (https://www.paloaltonetworks.com/services/bpa). I saw there will be an API solution coming out soon, but for now they recommend manually uploading the config to run a BPA after every commit. Learn more about the API here: What’s NEW with the BPA! (Episode 21) Learning Happy … on YouTube: https://www.youtube.com/watch?v=0q2e2CE4eGQ
Indeni can help ensure some of these best practices are in place with automated checks running 24/7, without uploading files. Through our expertise in Palo Alto Networks, we have implemented a number of BPA-based best practices in Indeni, with the intent to have comprehensive integration in the future. Indeni can notify you if a configuration change accidentally moves you away from a best practice configuration!
How Indeni Can Help:
Indeni covers many of the simple, yet crucial, settings that don’t require a zone-based or comprehensive security analysis. Some complex and higher-risk items, such as security policy practices, will be left to the Palo Alto Networks BPA tool for now. Indeni will focus on settings that are likely to be overlooked or mistakenly changed, but whose impact means they should be detected quickly by an on-site automated tool.
Just like health checks added on a regular basis to Indeni, best practices will continue to be expanded upon as well.
The next section contains just a few featured best practice checks within the Indeni platform.
What Indeni Does:
1. Ensure App and Threat Signatures are correctly configured for updates
  - Indeni will trigger a notification when:
    - The content update schedule is not set to download and install.
    - The combination of delay and threshold exceeds a 48-hour maximum.
      - Delay is the setting for how old the update file must be.
      - Threshold is the frequency between updates.
  - Commands run:
    - Checks configuration for threat update schedule
  - Example: (screenshot)
  - Benefits
    - Ensures security is added quickly
    - Allows for alerting if updates are delayed too far out to catch new threats. A delay lets an update be exercised by other customers before it is installed in your environment.
  - Screenshot in Indeni
2. Ensure “Require SSL/TLS secured connection” is enabled for LDAP
  - Indeni will trigger a notification when SSL is not enabled for LDAP communication with your server.
  - Commands run:
    - Checks configuration for LDAP server profiles without the “Require SSL/TLS secured connection” setting.
  - Example: (screenshot)
  - Benefits
    - Ensures security in your user authentication and lookups to your directory server.
    - Ensures no passwords will be sent in clear text
  - Screenshot in Indeni
3. Check that all anti-spyware profiles have DNS sinkhole enabled.
  - Indeni will trigger a notification when any anti-spyware profile does not have the DNS sinkhole option configured. The alarm includes the name of the anti-spyware profile.
  - This alert uses the Palo Alto Networks API interface to parse the configured anti-spyware profiles and check whether any of them does not have this feature enabled.
  - Benefits
    - You will be reminded of the best practice for any new anti-spyware profiles.
    - From PAN-OS 8.1 on, DNS Sinkhole for IPv4 is enabled by default, using the Palo Alto Networks sinkhole IP (72.5.65.111) on 8.1 and sinkhole.paloaltonetworks.com on 9.x.
  - Screenshot in Indeni
  - 9.0 example of the feature being enabled by default. (screenshot)
4. Ensure AV Update is set to hourly and the action is download and install
  - Indeni will trigger a notification when the update interval is set to a frequency less frequent than hourly.
  - Commands run:
    - Checks configuration for antivirus update schedule
  - Example: (screenshot)
  - Benefits
    - Ensures security is added quickly
    - Allows for alerting if updates are delayed too far out to catch new threats. A delay lets an update be exercised by other customers before it is installed in your environment.
  - Screenshot in Indeni
5. Ensure WildFire updates are set to every minute and the action is set to download and install.
  - Indeni will trigger a notification when WildFire updates less frequently than every minute or is not set to download and install.
  - Commands run:
    - Checks configuration for WildFire update schedule
  - Example: (screenshot)
  - Benefits
    - Ensures security is added quickly
    - Allows for alerting if updates are delayed too far out to catch new threats.
    - Something to keep in mind here: Palo Alto Networks sometimes advises that one-minute update intervals are too aggressive for older hardware, which cannot complete one update before the next install is queued. This can cause update-failure alerts on the firewall (if enabled) and leave HA pairs out of sync on updates. For devices in that situation you will need to disable the Indeni best practice rule for this update.
  - Screenshot in Indeni
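As an added example (not Indeni’s or Palo Alto Networks’ code), the five checks above can be expressed as a small script run over a PAN-OS configuration XML export. The element names and paths are assumptions based on the PAN-OS config layout, and the configuration is a constructed sample with one deliberately weak setting per check.

```python
# Added example, not Indeni's or Palo Alto Networks' code: runs the five best-practice
# checks against a PAN-OS config XML. Element paths are assumptions; verify against your export.
import xml.etree.ElementTree as ET
# Constructed sample config with one deliberately weak setting per check.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<deviceconfig><system><update-schedule>
<threats><recurring><daily><action>download-only</action></daily><threshold>36</threshold></recurring></threats>
<anti-virus><recurring><daily><action>download-and-install</action></daily></recurring></anti-virus>
<wildfire><recurring><every-min><action>download-and-install</action></every-min></recurring></wildfire>
</update-schedule></system></deviceconfig>
<vsys><entry name="vsys1"><profiles><spyware>
<entry name="strict"><botnet-domains><sinkhole><ipv4-address>72.5.65.111</ipv4-address></sinkhole></botnet-domains></entry>
<entry name="legacy"><botnet-domains/></entry>
</spyware></profiles></entry></vsys></entry></devices>
<shared><server-profile><ldap>
<entry name="corp-ldap"><ssl>no</ssl></entry><entry name="corp-ldaps"><ssl>yes</ssl></entry>
</ldap></server-profile></shared></config>"""

# Recurrence element name -> interval in hours (assumed PAN-OS element names).
INTERVAL_HOURS = {"every-min": 1 / 60, "every-15-mins": 0.25, "every-30-mins": 0.5,
                  "hourly": 1, "daily": 24, "weekly": 168}

def schedule(root, kind):
    """Return (interval_hours, action, threshold_hours) for one update-schedule kind."""
    rec = root.find(f".//update-schedule/{kind}/recurring")
    if rec is None:
        return None, None, 0.0  # no schedule configured at all
    for name, hours in INTERVAL_HOURS.items():
        node = rec.find(name)
        if node is not None:
            return hours, node.findtext("action"), float(rec.findtext("threshold") or 0)
    return None, None, 0.0

def check_best_practices(xml_text):
    """Return a list of finding strings; an empty list means every check passed."""
    root, findings = ET.fromstring(xml_text), []
    # Checks 1, 4, 5: action must be download-and-install; interval (+ threshold for threats) <= max.
    for kind, max_hours in (("threats", 48), ("anti-virus", 1), ("wildfire", 1 / 60)):
        hours, action, threshold = schedule(root, kind)
        if action != "download-and-install":
            findings.append(f"{kind}: action is not download-and-install")
        if hours is None or hours + threshold > max_hours:
            findings.append(f"{kind}: interval {hours}h + threshold {threshold}h exceeds {max_hours}h")
    for prof in root.iterfind(".//profiles/spyware/entry"):  # check 3
        if prof.find("botnet-domains/sinkhole/ipv4-address") is None:
            findings.append(f"anti-spyware profile '{prof.get('name')}' has no DNS sinkhole")
    for srv in root.iterfind(".//server-profile/ldap/entry"):  # check 2
        if srv.findtext("ssl") != "yes":
            findings.append(f"LDAP profile '{srv.get('name')}' does not require SSL/TLS")
    return findings
```

On the sample, `check_best_practices(SAMPLE_CONFIG)` reports the threats action and interval, the daily antivirus schedule, the `legacy` profile without a sinkhole and the `corp-ldap` profile without SSL, while the every-minute WildFire schedule passes.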
Summary:
Best practices are considered to be the recommended configuration in an ideal environment. Nobody knows your environment better than you and your team. Many additional requirements, company policies, special use cases, third-party products and mitigations can affect what you implement on Palo Alto Networks firewalls. Always investigate the core meaning behind each best practice and ensure you are either willing to accept the risk of not following it or have other mitigations in place. Knowing that not every company will follow each best practice, you may disable rules not applicable to your environment. Just remember that, if something does break, whoever gets the trouble ticket might not know that the decision was deliberate, so keep track of why you disabled the rules in your ITSM tickets. Your fellow admins will thank you.
If you have other best practices Indeni should monitor, please make your suggestions on the Indeni Crowd.