
Last updated December 17th, 2024 by Aleck Brailsford

I’m very proud to announce another innovative capability of the Tufin Orchestration Suite: automation of next-generation security policies on Palo Alto Networks firewalls.

From enhancing network security to maintaining connectivity, Palo Alto firewall management is critical to your business. Your Palo Alto Networks Next-Generation Firewalls (NGFW) give you the ability to defend at speed and scale, but many netops teams struggle to manage their configs manually, especially across complex hybrid and multi-cloud deployments.

Automation gives you a way to move away from human-error prone processes that can create service outages and security risks. Additionally, when you have a consistent and reliable source of truth for the data that describes your firewall configurations, your automation tool can push changes across your device groups more consistently to better mitigate cybersecurity risks.

When you understand the benefits and limitations of these automations, you can make an informed decision about how to manage firewall security policies.

Understanding Palo Alto Firewall’s Strengths

Palo Alto Networks firewalls use machine learning for proactive threat detection so you can mitigate network security risks early. PAN-OS is the software that runs the NGFWs; its native capabilities let you control security rules across applications, users, and devices.

Advanced Threat Prevention

Palo Alto firewalls include advanced intrusion prevention capabilities with real-time monitoring and URL filtering to block access to malicious websites. By integrating automation, you can manage the firewall rules and configs more efficiently across various security features, like:

  • Advanced threat prevention including exploit, malware, and command-and-control protection
  • Advanced URL filtering available on PAN-OS NGFW, Prisma Access, Cloud NGFW for AWS, and Cloud NGFW for Microsoft Azure
  • Access control using Prisma to implement role-based access controls (RBAC)

Centralized Management

Palo Alto Networks offers centralized management features that empower users with easy-to-implement, consolidated policy creation for comprehensive network security management. With this unified interface, you can streamline security policy creation, deployment, and monitoring across distributed networks with a single security rulebase.

Granular Application Controls

Palo Alto firewalls offer granular control over applications so you can set policies based on application types, users, and content. These capabilities improve network security by ensuring that only authorized applications and content traverse the network. Implementing granular application control helps you apply the principle of least privilege to application usage and mitigate the risk of unauthorized access.

What is firewall automation?

Firewall automation involves streamlining repetitive and time-consuming firewall management tasks with tools like:

  • Ansible modules
  • Terraform
  • REST APIs
  • Python scripts

When you implement firewall automation and workflows, you can generate high volumes of configuration objects and rules across your Palo Alto Networks deployment to improve operational efficiency.

What is Palo Alto Networks Panorama?

Panorama is the Palo Alto Networks centralized firewall management tool that allows you to automate policy workflows to adapt to changes. With the Panorama management server, you can onboard new firewalls or migrate existing firewalls.

What are some ways to automate configuration and management tasks on Palo Alto Firewall?

You can automate Palo Alto Networks firewall configs using REST APIs, allowing users to view, add, update, and delete firewall components programmatically.

Using Ansible

Ansible Automation Platform can be used to automate and orchestrate configurations for Palo Alto Networks firewalls, including physical and virtualized firewalls as well as Panorama. By integrating these Ansible playbooks, you can streamline and automate common tasks like:

  • Configuration changes
  • Security policy updates
  • PAN-OS software upgrades

Ansible offers various Palo Alto Networks modules so you can create:

  • Objects
  • Services
  • Interfaces
  • Zones
  • Policies

However, Ansible has two drawbacks:

  • Speed: a large setup can take a long time to complete rule configs
  • Limited modules: challenges when trying to automate complex tasks

Using Terraform

With Terraform, you can track changes over time, which improves documentation. It provides configuration management capabilities similar to Ansible's, but because Terraform keeps state, re-running a plan updates existing objects rather than creating new ones.

Again, similar to Ansible, Terraform has a limited set of modules, which creates challenges when managing complex environments and security policies.
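The stateful behaviour described above (update the rule that already exists instead of creating a second copy) is the core of any firewall automation tool, whether it is Terraform, Ansible or a home-grown script. The following added example, which is not Tufin's, Terraform's or Palo Alto Networks' code, shows the idea in plain Python: it compares a desired rulebase with the rules currently on a firewall and emits `set`, `edit` and `delete` operations, and it reports when existing rules are in the wrong relative order, since a security rulebase is evaluated first-match. The two rulebases are constructed sample data; nothing is sent to a device.

```python
# Added example: a desired-state reconciler over a PAN-OS style security rulebase.
# Rule dicts use the same field names as a PAN-OS security rule entry
# (from, to, source, destination, application, service, action).

# Constructed sample data: what the firewall currently has.
CURRENT_RULES = [
    {"name": "allow-web", "from": ["trust"], "to": ["untrust"],
     "source": ["any"], "destination": ["any"],
     "application": ["ssl", "web-browsing"], "service": ["application-default"],
     "action": "allow"},
    {"name": "allow-dns", "from": ["trust"], "to": ["untrust"],
     "source": ["any"], "destination": ["dns-servers"],
     "application": ["dns"], "service": ["any"], "action": "allow"},
    {"name": "temp-allow-all", "from": ["any"], "to": ["any"],
     "source": ["any"], "destination": ["any"],
     "application": ["any"], "service": ["any"], "action": "allow"},
]

# Constructed sample data: what the automation source of truth wants.
DESIRED_RULES = [
    # Same rule as on the device; only the member order differs (no change needed).
    {"name": "allow-web", "from": ["trust"], "to": ["untrust"],
     "source": ["any"], "destination": ["any"],
     "application": ["web-browsing", "ssl"], "service": ["application-default"],
     "action": "allow"},
    # Tightened: service 'any' replaced by application-default (edit in place).
    {"name": "allow-dns", "from": ["trust"], "to": ["untrust"],
     "source": ["any"], "destination": ["dns-servers"],
     "application": ["dns"], "service": ["application-default"], "action": "allow"},
    # New rule (set). The stale temp-allow-all rule is absent, so it is deleted.
    {"name": "allow-ntp", "from": ["trust"], "to": ["untrust"],
     "source": ["any"], "destination": ["ntp-servers"],
     "application": ["ntp"], "service": ["application-default"], "action": "allow"},
]


def normalize(rule):
    """Canonical form of a rule so that member ordering does not register as a change."""
    return {
        key: tuple(sorted(value)) if isinstance(value, (list, tuple, set)) else value
        for key, value in rule.items()
    }


def plan_changes(desired, current):
    """Return the list of (operation, rule_name) needed to bring current up to desired.

    Operations: 'set' for a rule that does not exist yet, 'edit' for one whose
    contents differ, 'delete' for one no longer desired. A ('reorder', names)
    entry is added when rules present on both sides sit in a different relative
    order, because first-match evaluation makes order part of the policy.
    """
    desired_by_name = {r["name"]: normalize(r) for r in desired}
    current_by_name = {r["name"]: normalize(r) for r in current}

    plan = []
    for name, rule in desired_by_name.items():
        if name not in current_by_name:
            plan.append(("set", name))
        elif current_by_name[name] != rule:
            plan.append(("edit", name))
    for name in current_by_name:
        if name not in desired_by_name:
            plan.append(("delete", name))

    # Only rules that exist on both sides are compared for order; a 'set'
    # appends at the bottom of the rulebase, so new rules need a separate move.
    common_desired = [r["name"] for r in desired if r["name"] in current_by_name]
    common_current = [r["name"] for r in current if r["name"] in desired_by_name]
    if common_desired != common_current:
        plan.append(("reorder", tuple(common_desired)))
    return plan


if __name__ == "__main__":
    for operation, target in plan_changes(DESIRED_RULES, CURRENT_RULES):
        print(f"{operation:8} {target}")
    # A second run against an already-converged rulebase plans nothing.
    print("idempotent:", plan_changes(DESIRED_RULES, DESIRED_RULES) == [])
```

Because `normalize` sorts member lists, a rule whose applications were merely listed in a different order is left alone, which is exactly the behaviour that keeps repeated runs from piling up duplicate objects. A real tool would then translate each planned operation into the corresponding API call and commit once at the end rather than after every rule.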

Using Python

The PAN-OS SDK allows you to use basic Python for task automation across Palo Alto Networks devices, including:

  • Physical
  • Virtualized NGFW
  • Panorama

The PAN-OS SDK for Python includes use cases like:

  • Object model of Firewall and Panorama config
  • Various connection methods, including using Panorama as a proxy
  • Operations being natively virtual system aware
  • Supporting high availability pairs and retry/recovery during node failure
  • Batch User-ID operations
  • Device API exception classification

While Palo Alto offers some examples, you do need to be comfortable with Object-Oriented Programming (OOP) and basic Python to automate tasks for larger projects.

Using REST API

The PAN-OS REST API covers a subset of firewall and Panorama functions; for the remaining configuration tasks and for committing changes you need to use the XML API. Once you use your administrative credentials to obtain an API key, you can use that key to make requests for use cases like:

  • Working with objects
  • Creating a security policy rule
  • Working with policy rules on Panorama
  • Creating a tag
  • Configuring a security zone
  • Configuring a virtual SD-WAN interface
  • Creating an SD-WAN policy pre rule
  • Configuring an Ethernet interface
  • Updating a virtual router

Automating Palo Alto Networks Firewall Security Policies with Tufin

The Tufin Orchestration Suite (TOS) enables you to automate next-generation security policies on Palo Alto Networks firewalls. For organizations that incorporate various firewall vendors, Tufin’s Unified Security Policies (USPs) create a standardized set of security rules so security teams can automate the implementation of network flows across vendors like Check Point, Cisco, and Palo Alto Networks.

The Tufin Orchestration Suite automates changes to Next-Generation Firewall flows, including application-based rules: it performs a risk analysis, discovers the relevant firewalls and network interfaces through a network topology analysis, and designs the optimal policy change for each firewall.

Tufin’s automation goes beyond calling APIs to change a specific firewall. It enables you to implement the right rules on the right firewalls with minimal user intervention and operational disruption while providing full control and visibility.
