Palo Alto Networks NGFW Security Policy Optimizer
How to evaluate NGFW tuning efficiency
The most common task is to check how efficiently your firewall is configured. To do this, there are free utilities and services from companies that deal with NGFW.
For example, it can be seen below that Palo Alto Networks has the opportunity directly from the support portal to start analyzing firewall statistics - an SLR report or an analysis of compliance with best practices - a BPA report. These are free online utilities that you can use without installing anything.
Expedition (Migration Tool)
Click on Unused
Click on Unused App
Click No Apps Specified
But what about Machine Learning
Expedition (Migration Tool)
A more complicated way to check your settings is to download the free Expedition utility (formerly the Migration Tool). It is downloaded as a Virtual Appliance under VMware, no settings are required with it - you need to download the image and deploy it under the VMware hypervisor, start and go to the web interface. This utility requires a separate story, only a course on it takes 5 days, there are so many functions there now, including Machine Learning and the migration of various configurations of policies, NAT and objects for different Firewall manufacturers. About Machine Learning, I will write more below in the text.
And the most convenient option (IMHO), which I’ll talk about in more detail today, is a policy optimizer built into the Palo Alto Networks interface itself. To demonstrate it, I installed a firewall at home and wrote a simple rule: permit any to any. In principle, such rules are sometimes seen even on corporate networks. Naturally, I turned on all NGFW security profiles, as can be seen in the screenshot:
The screenshot below shows an example of my home unconfigured firewall, where almost all connections fall into the last rule: AllowAll, which can be seen from the statistics in the Hit Count column.
There is a security approach called Zero Trust . What does this mean: we must allow people within the network exactly those connections that they need and prohibit everything else. That is, we need to add clear rules for applications, users, URL categories, file types; enable all IPS and antivirus signatures, enable sandboxing, DNS protection, use IoC from the available Threat Intelligence databases. In general, a decent amount of tasks when setting up a firewall.
By the way, the minimum set of necessary settings for Palo Alto Networks NGFW is described in one of the SANS documents: Palo Alto Networks Security Configuration Benchmark - I recommend starting with it. And of course there is a set of best practices for setting up a firewall at the manufacturer:Best practice .
So, I had a firewall at home for a week. Let's see what traffic on my network is:
If you sort by the number of sessions, then bittorent creates them most, then comes SSL, then QUIC. Together, these are statistics on both incoming and outgoing traffic: there are a lot of external scans of my router. There are 150
different applications on my network. So, all this was skipped by one rule. Now let's see what Policy Optimizer says about this. If you looked at the screenshot of the interface with security rules above, then at the bottom left you saw a small window that hints to me that there are rules that can be optimized. Let's click there.
What Policy Optimizer shows:
- What policies were not used at all, 30 days, 90 days. This helps to decide to remove them altogether.
- What applications were specified in the policies, but no such applications were found in the traffic. This allows you to remove unnecessary applications in the permitting rules.
- What policies allowed everything, but there really were applications that would be nice to specify explicitly according to the Zero Trust methodology.
Click on Unused
To show how this works, I added a few rules, and so far they have never missed a single package today. Here is their list:
Perhaps, over time, there will be traffic there and then they will disappear from this list. And if they are in this list for 90 days, then you can decide to remove these rules. After all, each rule provides an opportunity for a hacker.
There is a real problem when configuring the firewall: a new employee arrives, looks at the firewall rules, if they don’t have any comments and he doesn’t know why this rule is created, whether it needs to be real, whether it can be deleted: suddenly a person is on vacation and through 30 days, traffic will go again from the service he needs. And just this function helps him make a decision - no one uses it - delete!
Click on the Unused App
We click on the Unused App in the optimizer and see that interesting information opens in the main window.
We see that there are three rules where the number of allowed applications and the number of applications that actually passed under this rule are different.
We can click and see a list of these applications and compare these lists.
For example, click on the Compare button for the Max rule.
Here you can see that the facebook, instagram, telegram, vkontakte applications were allowed. But in reality, traffic went only in terms of applications. Here you need to understand that the facebook application contains several sub-applications.
The full list of NGFW applications can be seen on applipedia.paloaltonetworks.comand in the firewall interface itself in the Objects-> Applications section and in the search, type the application name: facebook, you get the following result:
So, some of these NGFW sub-applications saw, and some not. In fact, you can separately prohibit and allow different Facebook sub-functions. For example, allow watching messages, but prohibit chat or file transfer. Accordingly, Policy Optimizer talks about this and you can make a decision: not all Facebook applications are allowed, but only the main ones.
So, we realized that the lists are different. You can make the rules allow exactly those applications that really went over the network. To do this, you click the MatchUsage button. It turns out like this:
And you can also add applications that you think are necessary - the Add button in the left part of the window:
And then this rule can be applied and tested. Congratulations!
Click No Apps Specified
In this case, an important security window will open.
Such rules, where an application of the L7 level is not explicitly specified, most likely there are a lot of your network. And there is such a rule in my network - let me remind you that I made it during the initial setup, especially to show how Policy Optimizer works.
The picture shows that the AllowAll rule missed 220 gigabytes of traffic over the period from March 9 to March 17, which is 150 different applications in my network. And this is not enough. Usually in an average size corporate network 200-300 different applications.So, one rule skips as many as 150 applications. As a rule, this means that the firewall is configured incorrectly, because usually in one rule 1-10 applications are skipped for different purposes. Let's see what kind of applications they are: click the
Compare button :
The most wonderful thing for the administrator in the Policy Optimizer function is the Match Usage button - you can create a rule with one click, where you enter all 150 applications into the rule. Manually, doing this would be long enough. The number of tasks for the administrator to work even on my network of 10 devices is huge.
I have 150 different applications that transmit gigabytes of traffic at home! And how much do you have?But what is going on in the network of 100 devices or 1000 or 10000? I saw firewalls where 8000 rules and I am very glad that now administrators have such convenient automation tools.
Part of the applications that the L7 application analysis module in NGFW saw and showed you will not be needed on the network, so you simply remove them from the list of allowing rules, or make the rules clone using the Clone button (in the main interface) and enable in one application rule, and in block another application, as if it’s definitely not needed on your network. Such applications often include bittorent, steam, ultrasurf, tor, hidden tunnels such as tcp-over-dns and others.
Well, click on another rule - what is visible there:
Yes, here are applications specific to multicast. We must allow them to work watching video over the network. Click Match Usage. Excellent! Thanks Policy Optimizer.
What about Machine Learning
Now it’s fashionable to talk about automation. What I described came out very much helps. There is another opportunity that I must talk about. This is Machine Learning functionality built into the Expedition utility that was mentioned above. In this utility, it is possible to transfer rules from your old firewall of another manufacturer. It’s also possible to analyze existing Palo Alto Networks traffic logs and suggest which rules to write. This is similar to the functionality of Policy Optimizer, but in Expedition it is even more extended and you are offered a list of ready-made rules - you just need to approve them.
To test this functionality, there is laboratory work - we call it test drive. This test can be done by going to the virtual firewalls that the Palo Alto Networks Moscow office staff will launch upon your request.
The request can be sent to Russia@paloaltonetworks.com and write in the request: “I want to make UTD by the Migration Process”.
In fact, labs called Unified Test Drive (UTD) have several options and they are all available remotely upon request.
Only registered users can participate in the survey. Please come in.
Would you like someone to help you optimize your firewall policies?
- 10% Yes 1
- 40% No 4
- 60% Do it yourself 6