Palo Alto Networks NGFW Best Practices
Network Security Best Practice

Site Preparation

Device Configuration - Adapt the general system configuration to the latest best practices
- Software upgrade to the latest recommended release
- Define Login Banner
- Certificate Expiration Check enabled
- Customize Log Storage Quota
- Limit Management Interface Services
- Setup SNMPv3 (only if required)
- Enable Statistics Services
- Verify Update Server Identity
- Enable NTP Time Synchronization
- Change WildFire to use the EU Public Cloud
- Change WildFire File Size Limits to the maximum
- Get WildFire to report on Grayware files
- Setup dedicated admin accounts that authenticate against Active Directory
- Setup a local fallback superuser account
- Remove the default admin account
- Customize Response Pages
- Customize the dynamic Antivirus update schedule
- Customize the dynamic Applications and Threats update schedule
- Customize the dynamic WildFire update schedule

High Availability
- Mgmt Interface used for HA1 Backup
- Passive Link State set to auto
- HA2 Keep-alive Log enabled
- Link and Path Monitoring configured and activated
- HA tested

Security Policy Restructuring
- Delete disabled rules
- Delete unused rules
- Move uncontrolled Internet access rules to the end of the rulebase
- Move Web Access Policy into Panorama Post-Rules
- Move System rules into Panorama Pre-Rules

Web Access Policy for End-user Devices

User Identification
- Setup Group Mapping with a dedicated list of included groups
- Windows Server Monitoring - enable Log Monitor and Session Read
- Disable client probing (WMI and NetBIOS)
- Customize the User-ID cache timeout based on the DHCP lease time
- Add Active Directory service accounts to the Ignore User list
- Define include/exclude networks
- Define an access control list so that only the firewalls can reach the User-ID agent (dedicated User-ID agent)
- Set the User-ID agent service recovery to "Restart the Service" (dedicated User-ID agent)

Malware scanning
- Threat Prevention license installed
- Antivirus profile applied to all policies
- Anti-Spyware profile applied to all policies
- Set DNS Sinkhole to block suspicious DNS queries
- Enable Passive DNS Monitoring
- Vulnerability Protection profile applied to all policies
- WildFire license installed
- Upload non-private files to WildFire for zero-day malware detection
- Upload potentially private files to WildFire for zero-day malware detection

Application Control
- Apply a negative enforcement policy to "Block Known Bad" applications
- Restrict non-corporate e-mail applications to a limited user group
- Limit Fallback rules to ports 80 and 443
- Define a "deny any any" rule for users in the web access groups

URL Filtering
- PAN-DB URL Filtering license installed
- URL Filtering profile applied to all policies
- Block access to malicious URL categories
- Block access to potentially dangerous URL categories
- Restrict the web-advertisements URL category to a limited user group
- Block access to "unknown" URLs
- Log HTTP Header information

File Blocking
- File Blocking profile applied to all policies
- Block the download of "PE" files and multi-level-encoded zip files

SSL Decryption
- Configure SSL Decryption
- Allow forwarding of decrypted content
- Roll out the firewall CA SSL certificate to all users
- Enforce SSL decryption with a Decryption Profile
- Activate SSL Decryption for a test user group
- Activate SSL Decryption for all users

Web Access Policy rollout
- Apply the new Web Access Policy to an initial test group
- Apply the new Web Access Policy to all users

Application Control Enforcement
- Identify the applications used per user group and add them to the App rules
- Delete Fallback rules
Remote Access

GlobalProtect remote access setup
- All traffic (company and Internet) is forwarded through the firewall
- Remote access is enforced to connect automatically after the user logs in (always on)
- GlobalProtect Portal login page is disabled
- Identity is verified through dual-factor authentication
- Connecting devices are verified by Host Information Profile (HIP)
- GlobalProtect remote access is rolled out to an initial test group
- GlobalProtect remote access is rolled out to all mobile users

Data Centre

Reconnaissance Protection
- Apply DoS and Zone Protection to the Internet zone
- Block access from high-risk sources

Malware Base Protection
- Threat Prevention license installed
- PAN-DB URL Filtering license installed
- Apply a dedicated Security Profile Group for Internet inbound traffic to all related security policies
- Apply a dedicated Security Profile Group for Internet outbound traffic to all related security policies
- Apply a dedicated Security Profile Group for traffic between internal networks to alert on threats
- WildFire license installed
- Upload non-private files to WildFire for zero-day malware detection
- Upload potentially private files to WildFire for zero-day malware detection
- Limit security policies to the required zones

Protect Internet Services (servers which are reachable from the Internet)
- Provide a report on all Internet services
- Group Internet services
- Roll out the firewall CA SSL certificate to all servers
- Provide the SSL certificates, including the private key, of all Internet-facing web servers (required for inbound decryption)
- Decrypt SSL outbound traffic to the Internet
- Decrypt SSL inbound traffic from the Internet
- Further lock down the dedicated Security Profile Group for Internet inbound traffic
- Block the download and upload of high-risk file types
- Allow only required ports (specific or application-default)
- Allow only specific applications for Internet inbound traffic
- Allow only specific applications for Internet outbound traffic
- Allow only specific URLs for web-based Internet outbound traffic
- Limit security policies to specific source and destination IP addresses or countries

Server Internet Access (servers which are able to access the Internet but are not reachable from the Internet)
- Roll out the firewall CA SSL certificate to all servers
- Decrypt SSL outbound traffic to the Internet
- Allow only required ports (specific or application-default)
- Allow only specific applications for Internet outbound traffic
- Allow only specific URL categories for web-based Internet outbound traffic
- Block the download of high-risk file types
- Limit security policies to specific source and destination IP addresses or subnets
- Delete wide-open Internet access rules

Internal Traffic
- Lock down the dedicated Security Profile Group for traffic between internal networks
- Limit security policies to specific source and/or destination IP addresses or networks

Zero Trust
- Move Internet-facing applications into a dedicated DMZ
- Move the most business-critical applications into a dedicated zone on the firewall
- Move all datacentre applications into dedicated zones on the firewall

Monitoring and Reporting

Logging
- Set all security policies to log traffic at the end of the session
- Forward all logs to Panorama

Threat Monitoring and Alerting
- Get alerted immediately on WildFire submissions (malware and grayware)
- Get alerted immediately on critical Correlation Events
- Daily report on DNS Sinkhole events
- Weekly Threat Report

Appropriate Usage Monitoring
- Identify sanctioned SaaS applications
- Weekly or monthly report on application and URL usage

System Monitoring
- Enable e-mail alerts for critical system logs
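Several of the items above (delete disabled rules, move uncontrolled Internet access rules to the end of the rulebase, Antivirus/Anti-Spyware/Vulnerability Protection profiles applied to all policies, log traffic at the end of the session, remove the default admin account) can be checked mechanically against a configuration export rather than by clicking through the rulebase. The script below is an added example written for this page; it is not code from Palo Alto Networks or from the authors of the checklist. It assumes the XML layout of a PAN-OS configuration snapshot as I know it (mgt-config/users for administrators, devices/entry/vsys/entry/rulebase/security/rules for the security policy, profile-setting/group or profile-setting/profiles for attached profiles, log-end for session-end logging), treats an absent log-end element as the PAN-OS default of "enabled", and parses a configuration constructed inline so that it runs offline. Deleting unused rules is not covered, because that needs the rule hit counts from the device.

```python
"""Audit a PAN-OS configuration export against rulebase and admin-account items of
the checklist. Added example, not Palo Alto Networks code; XML paths follow a PAN-OS
configuration snapshot as I know it (assumption) and the sample config is constructed."""
import xml.etree.ElementTree as ET

RULES_XPATH = "./devices/entry/vsys/entry/rulebase/security/rules/entry"
ADMIN_XPATH = "./mgt-config/users/entry"

# Constructed sample: a disabled leftover, a wide-open allow rule with no profiles and
# session-end logging switched off, a properly built web-access rule, the closing deny,
# and the default 'admin' account still present.
SAMPLE_CONFIG = """<config version="10.1.0">
<mgt-config><users>
  <entry name="admin"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
</users></mgt-config>
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1"><rulebase><security><rules>
  <entry name="old-test-rule"><disabled>yes</disabled><action>allow</action>
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>any</member></application><service><member>any</member></service></entry>
  <entry name="temp-internet-any"><action>allow</action><log-end>no</log-end>
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>any</member></application><service><member>any</member></service></entry>
  <entry name="web-access-users"><action>allow</action><log-end>yes</log-end>
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><source-user><member>corp\\web-users</member></source-user>
    <destination><member>any</member></destination>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <profile-setting><group><member>SPG-Internet-Outbound</member></group></profile-setting></entry>
  <entry name="deny-web-users-rest"><action>deny</action><log-end>yes</log-end>
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><source-user><member>corp\\web-users</member></source-user>
    <destination><member>any</member></destination>
    <application><member>any</member></application><service><member>any</member></service></entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""


def _members(entry, tag):
    """Texts of <tag><member>...</member></tag> under a rule entry."""
    return [m.text.strip() for m in entry.findall(f"./{tag}/member") if m.text]


def _text(entry, tag, default):
    node = entry.find(tag)
    return node.text.strip() if node is not None and node.text else default


def load_rules(root):
    """Flatten every security rule into a dict, preserving rulebase order."""
    rules = []
    for e in root.findall(RULES_XPATH):
        ps = e.find("profile-setting")
        has_profile = ps is not None and (
            bool(ps.findall("./group/member")) or ps.find("profiles") is not None)
        rules.append({
            "name": e.get("name"),
            "disabled": _text(e, "disabled", "no") == "yes",
            "action": _text(e, "action", "allow"),
            "source": _members(e, "source"),
            "destination": _members(e, "destination"),
            "source_user": _members(e, "source-user") or ["any"],
            "application": _members(e, "application"),
            "service": _members(e, "service"),
            # Absent <log-end> is taken as the PAN-OS default (enabled); only an explicit "no" is flagged.
            "log_end": _text(e, "log-end", "yes") == "yes",
            "has_profile": has_profile,
        })
    return rules


def is_wide_open(rule):
    """Allow rule with no source, destination, user, application or service restriction."""
    return (rule["action"] == "allow" and rule["source_user"] == ["any"]
            and all(rule[k] == ["any"] for k in ("source", "destination", "application", "service")))


def audit(xml_text):
    root = ET.fromstring(xml_text)
    rules = load_rules(root)
    enabled = [r for r in rules if not r["disabled"]]
    return {
        # Security Policy Restructuring: delete disabled rules
        "disabled": [r["name"] for r in rules if r["disabled"]],
        # Malware scanning: profiles or a Security Profile Group on every allow rule
        "no_profile": [r["name"] for r in enabled if r["action"] == "allow" and not r["has_profile"]],
        # Logging: log at session end on every rule
        "log_end_off": [r["name"] for r in enabled if not r["log_end"]],
        # Uncontrolled Internet access belongs at the end: every enabled rule placed
        # after a wide-open allow rule is shadowed and never matches.
        "wide_open_not_last": [r["name"] for i, r in enumerate(enabled)
                               if is_wide_open(r) and i < len(enabled) - 1],
        # Site Preparation: remove the default admin account
        "default_admin_present": any(u.get("name") == "admin" for u in root.findall(ADMIN_XPATH)),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_CONFIG).items():
        print(f"{check}: {result}")
```

To run it against a real device, replace SAMPLE_CONFIG with the contents of an XML configuration snapshot exported from Device > Setup > Operations. The wide-open check is deliberately strict: a rule that allows any source, destination, user, application and service hides everything below it, which is exactly why the checklist wants such rules at the very end or deleted.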
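The daily DNS Sinkhole report listed above, together with the "Set DNS Sinkhole to block suspicious DNS queries" item in the Web Access Policy section, is only actionable when it names the infected host. When clients resolve through an internal DNS server, the threat log entry for a sinkholed query carries that resolver as the source address, so the client has to be found from the traffic log: after receiving the sinkhole answer the client opens a session to the sinkhole address, and the firewall logs that session with the real source IP and its User-ID mapping. The script below correlates the two logs. It is an added example, not code from the checklist's authors or from Palo Alto Networks; the CSV extracts are constructed and use a subset of threat- and traffic-log fields whose column names are my assumption, and the sinkhole address 192.0.2.1 is likewise constructed and should be replaced with the one configured in the Anti-Spyware profile.

```python
"""Daily DNS sinkhole report: sinkholed domains from the threat log, plus the hosts that
then connected to the sinkhole address in the traffic log. Added example; log extracts and
column names are constructed (assumption), not PAN-OS output."""
import csv
import io
import re
from collections import defaultdict

SINKHOLE_IP = "192.0.2.1"  # constructed; use the address set in the Anti-Spyware profile

# Constructed threat-log extract. The source of a sinkhole hit is the internal resolver
# (10.0.0.53), not the client that asked for the name.
THREAT_CSV = """receive_time,type,subtype,src,dst,srcuser,app,action,threat_name
2024-05-06 08:01:12,THREAT,spyware,10.0.0.53,8.8.8.8,,dns,sinkhole,Suspicious DNS Query (generic:evil.example)
2024-05-06 08:03:40,THREAT,spyware,10.0.0.53,8.8.8.8,,dns,sinkhole,Suspicious DNS Query (generic:c2.example)
2024-05-06 08:10:00,THREAT,spyware,10.0.0.53,8.8.8.8,,dns,alert,Suspicious DNS Query (generic:maybe.example)
"""

# Constructed traffic-log extract: the clients that received the sinkhole answer then
# try to reach the sinkhole address, which is what identifies them.
TRAFFIC_CSV = """receive_time,type,src,dst,srcuser,app,action,rule
2024-05-06 08:01:15,TRAFFIC,10.0.12.34,192.0.2.1,corp\\alice,web-browsing,allow,web-access-users
2024-05-06 08:01:16,TRAFFIC,10.0.12.34,192.0.2.1,corp\\alice,ssl,allow,web-access-users
2024-05-06 08:04:02,TRAFFIC,10.0.44.7,192.0.2.1,corp\\bob,web-browsing,allow,web-access-users
2024-05-06 09:30:00,TRAFFIC,10.0.12.34,93.184.216.34,corp\\alice,web-browsing,allow,web-access-users
"""

# PAN-OS names DNS signatures "Suspicious DNS Query (generic:<domain>)"; pull out the domain.
DNS_SIG = re.compile(r"\(generic:([^)]+)\)")


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def sinkhole_domains(threat_rows, day):
    """Domains the firewall answered with the sinkhole address on the given day (sorted)."""
    domains = set()
    for r in threat_rows:
        if r["action"] == "sinkhole" and r["receive_time"].startswith(day):
            m = DNS_SIG.search(r["threat_name"])
            domains.add(m.group(1) if m else r["threat_name"])
    return sorted(domains)


def resolver_hits(threat_rows, day):
    """Sinkhole hits per threat-log source; with an internal resolver this is the resolver."""
    hits = defaultdict(int)
    for r in threat_rows:
        if r["action"] == "sinkhole" and r["receive_time"].startswith(day):
            hits[r["src"]] += 1
    return dict(hits)


def infected_hosts(traffic_rows, day, sinkhole_ip):
    """Hosts that opened sessions to the sinkhole address: the actual infected clients."""
    hosts = {}
    for r in traffic_rows:
        if r["dst"] != sinkhole_ip or not r["receive_time"].startswith(day):
            continue
        h = hosts.setdefault(r["src"], {"user": r["srcuser"] or "unknown", "sessions": 0,
                                        "first": r["receive_time"], "last": r["receive_time"]})
        h["sessions"] += 1
        h["first"] = min(h["first"], r["receive_time"])
        h["last"] = max(h["last"], r["receive_time"])
    return hosts


def daily_report(threat_csv, traffic_csv, day, sinkhole_ip=SINKHOLE_IP):
    threat, traffic = parse_csv(threat_csv), parse_csv(traffic_csv)
    return {
        "day": day,
        "domains": sinkhole_domains(threat, day),
        "resolver_hits": resolver_hits(threat, day),
        "hosts": infected_hosts(traffic, day, sinkhole_ip),
    }


if __name__ == "__main__":
    rep = daily_report(THREAT_CSV, TRAFFIC_CSV, "2024-05-06")
    print(f"DNS sinkhole report for {rep['day']}")
    print("Sinkholed domains:", ", ".join(rep["domains"]))
    print("Sinkhole hits by threat-log source:", rep["resolver_hits"])
    for ip, h in sorted(rep["hosts"].items()):
        print(f"  {ip} ({h['user']}): {h['sessions']} sessions to sinkhole, {h['first']} .. {h['last']}")
```

The report deliberately keeps the resolver counts and the client list apart: the first tells you how much sinkholing is happening, the second is the list to hand to the endpoint team. Queries logged with action "alert" are excluded, since no client was redirected for them.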
[Tracking columns of the original checklist, whose per-task values did not survive extraction: Reference (section numbers such as 2.1.2 and 3.3.2), Task Owner, Security Impact and Service Impact (each rated none, low, medium or high, or n/a), Risk, and a completion status per site for Site A, Site B and Site C (yes, no or partially).]