Palo Alto Networks Security Best Practices Checklist



Palo Alto Networks NGFW Best Practices
Network Security Best Practice / Site Preparation

Device Configuration
- Adapt the general system configuration to the latest best practices
- Software upgrade to the latest recommended release
- Define Login Banner
- Certificate Expiration Check enabled
- Customize Log Storage Quota
- Limit Management Interface Services
- Setup SNMPv3 (only if required)
- Enable Statistics Services
- Verify Update Server Identity
- Enable NTP Time Synchronization
- Change WildFire to use the EU Public Cloud
- Change WildFire File Size Limits to the maximum
- Get WildFire to report on Grayware Files
- Setup dedicated admin accounts to authenticate against Active Directory
- Setup a local fallback superuser account
- Remove the default admin account
- Customize Response Pages
- Customize dynamic AntiVirus update
- Customize dynamic Applications and Threats update
- Customize dynamic WildFire update

High Availability
- Mgmt Interface used for HA1 Backup
- Passive Link State set to auto
- HA2 Keep-alive Log enabled
- Link and Path Monitoring configured and activated
- HA tested

Security Policy Restructuring
- Delete disabled rules
- Delete unused rules
- Move uncontrolled Internet access rules to the end of the rulebase
- Move Web Access Policy into Panorama Post-Rules
- Move System rules into Panorama Pre-Rules

Web Access Policy for Enduser Devices

User Identification
- Setup Group Mapping with a dedicated list of included groups
- Windows Server Monitoring - enable Log Monitor and Session Read
- Disable client probing (WMI and NetBIOS)
- Customize the cache based on the DHCP lease time
- Add Active Directory service accounts to the Ignore User list
- Define include/exclude Networks
- Define Access Control List to restrict access to the User-ID agent from firewalls (dedicated User-ID agent)
- Set the User-ID agent service recovery to "Restart the Service" (dedicated User-ID agent)

Malware scanning
- Threat Prevention license installed
- Antivirus profile applied to all policies
- Anti-Spyware profile applied to all policies
- Set DNS Sinkhole to block suspicious DNS Queries
- Enable Passive DNS Monitoring
- Vulnerability Protection profile applied to all policies
- WildFire license installed
- Upload non-private files to WildFire for Zero-day malware detection
- Upload potentially private files to WildFire for Zero-day malware detection

Application Control
- Apply negative enforcement policy to "Block Known Bad" applications
- Restrict non-corporate e-mail applications to a limited user group
- Limit Fallback rules to port 80 & 443
- Define "deny any any" rule for users in the web access groups

URL Filtering
- PAN-DB URL filtering license installed
- URL Filtering profile applied to all policies
- Block access to malicious URL categories
- Block access to potentially dangerous URL categories
- Restrict web advertisement to a limited user group
- Block access to "unknown" URLs
- Log HTTP Header information

File Blocking
- File blocking profile applied to all policies
- Block the download of "PE" and Multi-Level-Encoded zip files

SSL Decryption
- Configure SSL Decryption
- Allow forwarding of decrypted content
- Rollout FireWall CA SSL Certificate to all users
- Enforce SSL decryption with a Decryption Profile
- Activate SSL Decryption for test user group
- Activate SSL Decryption for all users

Web Access Policy rollout
- Apply new Web Access Policy to an initial test group
- Apply new Web Access Policy to all users

Application Control Enforcement
- Identify Applications used per user group and add to App rules
- Delete Fallback rules

Remote Access

GlobalProtect remote access setup
- All traffic (company and internet) is forwarded through the firewall
- Remote Access is enforced to connect automatically after the user logs in (always on)
- GlobalProtect Portal Login page is disabled
- Identity is verified through dual factor
- Connecting devices are verified by Host Information Profile "HIP"
- GlobalProtect remote access is rolled out to an initial test group
- GlobalProtect remote access is rolled out to all mobile users

Data Centre

Reconnaissance Protection
- Apply DoS Zone protection to the Internet zone
- Block access from high risk sources

Malware based Protection
- Threat Prevention license installed
- PAN-DB URL filtering license installed
- Apply a dedicated Security Profile group for Internet Inbound traffic to all related security policies
- Apply a dedicated Security Profile group for Internet Outbound traffic to all related security policies
- Apply a dedicated Security Profile group for traffic between internal networks to alert on threats
- WildFire license installed
- Upload non-private files to WildFire for Zero-day malware detection
- Upload potentially private files to WildFire for Zero-day malware detection
- Limit security policies to the required zones

Protect Internet Services (servers which are reachable from the Internet)
- Provide a report on all Internet Services
- Group Internet Services
- Rollout FireWall CA SSL Certificate to all servers
- Provide SSL Certificates including private key of all Internet facing web servers
- Decrypt SSL Outbound traffic to the Internet
- Decrypt SSL Inbound traffic from the Internet
- Further lock down the dedicated Security Profile group for Internet Inbound traffic
- Block the download and upload of high risk file types
- Allow only required ports (specific or application default)
- Allow only specific Applications for Internet inbound traffic
- Allow only specific Applications for Internet outbound traffic
- Allow only specific URLs for web based Internet outbound traffic
- Limit security policies to specific source and destination IP addresses or countries

Server Internet Access (servers which are able to access the Internet but are not reachable from the Internet)
- Rollout FireWall CA SSL Certificate to all servers
- Decrypt SSL Outbound traffic to the Internet
- Allow only required ports (specific or application default)
- Allow only specific Applications for Internet outbound traffic
- Allow only specific URL categories for web based Internet outbound traffic
- Block the download of high risk file types
- Limit security policies to specific source and destination IP addresses or subnets
- Delete wide open Internet access rules

Internal Traffic
- Lock down the dedicated Security Profile group for traffic between internal networks
- Limit security policies to specific source and/or destination IP addresses or networks

Zero Trust
- Move Internet facing applications into a dedicated DMZ
- Move the most business critical applications into a dedicated zone on the FireWall
- Move all datacentre applications into dedicated zones on the FireWall

Monitoring and Reporting

Logging
- Set all security policies to log traffic at the end of the session
- Forward all logs to Panorama

Threat Monitoring and Alerting
- Get immediately alerted on WildFire submissions (malware & grayware)
- Get immediately alerted on critical Correlation Events
- Daily report for DNS Sinkhole events
- Weekly Threat Report

Appropriate usage Monitoring
- Identify sanctioned SaaS applications
- Weekly or Monthly report on Application and URL usage

System Monitoring
- Enable E-Mail alerts for critical system logs
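Several of the Device Configuration items (login banner, NTP, removal of the default admin account, limiting management services) and the Logging item "log traffic at the end of the session" can be verified mechanically against an exported PAN-OS configuration. The script below is an added example for both of those sections; it is not Palo Alto Networks code and not part of the original checklist. It assumes the standard PAN-OS configuration tree (mgt-config/users, devices/entry/deviceconfig/system, vsys/entry/rulebase/security/rules) and uses a constructed, trimmed XML sample in place of a real export; treating a missing log-end element as a finding is a conservative choice made here, not a statement about PAN-OS defaults.

```python
"""Audit a PAN-OS XML configuration export against a few checklist items.
Added example using only the Python standard library; not vendor code."""
import xml.etree.ElementTree as ET

# Constructed sample export, trimmed to the elements the checks look at.
SAMPLE_CONFIG = """<config version="10.1.0">
  <mgt-config><users>
    <entry name="admin"/>
    <entry name="fw-breakglass"/>
  </users></mgt-config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <hostname>fw-example</hostname>
      <permitted-ip><entry name="10.0.0.0/8"/></permitted-ip>
      <service><disable-telnet>yes</disable-telnet><disable-http>yes</disable-http></service>
    </system></deviceconfig>
    <vsys><entry name="vsys1"><rulebase><security><rules>
      <entry name="allow-web"><log-end>yes</log-end></entry>
      <entry name="legacy-any"><log-end>no</log-end></entry>
      <entry name="no-log-setting"/>
    </rules></security></rulebase></entry></vsys>
  </entry></devices>
</config>
"""

SYSTEM = "./devices/entry/deviceconfig/system"
RULES = "./devices/entry/vsys/entry/rulebase/security/rules/entry"


def audit_config(xml_text: str) -> dict:
    """Map each checklist item to a list of findings; an empty list means pass."""
    root = ET.fromstring(xml_text)
    findings = {}

    # "Remove the default admin account": the built-in user is still defined.
    users = [e.get("name") for e in root.findall("./mgt-config/users/entry")]
    findings["default admin removed"] = (
        ["default 'admin' account still present"] if "admin" in users else [])

    # "Define Login Banner": deviceconfig/system/login-banner must be non-empty.
    banner = (root.findtext(f"{SYSTEM}/login-banner") or "").strip()
    findings["login banner defined"] = [] if banner else ["no login-banner configured"]

    # "Enable NTP Time Synchronization": a primary NTP server must be set.
    ntp = root.findtext(f"{SYSTEM}/ntp-servers/primary-ntp-server/ntp-server-address")
    findings["ntp configured"] = [] if ntp else ["no primary NTP server configured"]

    # "Limit Management Interface Services": management access restricted to a
    # permitted-ip list, and clear-text telnet/http management disabled.
    mgmt = []
    if not root.findall(f"{SYSTEM}/permitted-ip/entry"):
        mgmt.append("no permitted-ip restriction on the management interface")
    for svc in ("disable-telnet", "disable-http"):
        if root.findtext(f"{SYSTEM}/service/{svc}") != "yes":
            mgmt.append(f"{svc} is not set to yes")
    findings["management services limited"] = mgmt

    # "Set all security policies to log traffic at the end of the session".
    # A missing <log-end> is reported too, so the reviewer confirms it rather
    # than relying on defaults (conservative assumption made by this example).
    log = []
    for rule in root.findall(RULES):
        value = rule.findtext("log-end")
        if value is None:
            log.append(f"rule '{rule.get('name')}' has no explicit log-end setting")
        elif value != "yes":
            log.append(f"rule '{rule.get('name')}' has log-end={value}")
    findings["log at session end"] = log
    return findings


def failed_items(findings: dict) -> list:
    """Names of checklist items with at least one finding, sorted."""
    return sorted(item for item, hits in findings.items() if hits)


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    for item, hits in report.items():
        print(f"[{'FAIL' if hits else 'PASS'}] {item}")
        for hit in hits:
            print(f"       - {hit}")
```

Run against the sample, the management-services check passes while the default admin, login banner, NTP and log-end checks fail. To audit a real device, replace SAMPLE_CONFIG with the text of an exported configuration; the same element paths apply to a Panorama template export, but the per-item thresholds (for example, which management services must be disabled) should be adjusted to the site's own standard.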

Worksheet columns

For every checklist item above, the original worksheet also carries the columns Reference (section numbers such as 2.1.2, 2.5.2, 3.3.2), Task Owner, Security Impact (none / low / medium / high, or n/a), Service Impact Risk (none / low / medium / high, or n/a) and a per-site status column for Site A, Site B and Site C (yes / no / partially). The per-item values were flattened into unordered columns when this page was extracted and cannot be reliably matched back to the items, so they are omitted here.