Palo Alto Networks Next-Generation firewalls

Implement Palo Alto Networks best practices

• Content update schedule not following best practices – Antivirus, Wildfire, Content, GlobalProtect data file, GlobalProtect clientless VPN content
• Ensure update schedule set to download and install
• Debug mode enabled
• WildFire cloud registration is failing
• EDL(s) configured – empty or not used in policy
• High neighbor discovery (ND) cache usage

Automate maintenance tasks

• Device configuration backup
• Panorama certificate about to expire
• License usage limit approaching
• License about to expire
• Contract(s) expiration nearing
• VPN software end of support nearing
• Hardware & software end of support nearing

Detect high availability unreadiness

• Static routing table does not match
• Network interface MTU does no match
• NTP servers used do not match
• Radius servers do not match
• Cluster members’ domain names mismatch
• HA pair member is in suspended state for too long

Increase network visibility

• SSL decryption – memory usage too high, sessions near capacity
• VPN – tunnels down, dropping packets due to authentication errors or decryption errors
• System – CPU, log DB usage, critical processes, packet buffer, packet descriptor
• Network Interfaces – packet drops, errors, link utilization, data plane pool utilization
• Connections – limit nearing, drastic drop, connection to Panorama
• Dynamic content update – WildFire, URL filtering, External Dynamic List

Demonstrate compliance

• Vulnerability profile not following best practices
• Ensure dangerous URL categories are blocked
• Decryption profile not following best practices
• DNS sinkholing not enabled
• Insecure LDAP communication
• Admin lockout time not within the recommended range
• Checks for OS software versions, DNS & NTP servers to ensure compliance