Hear how AlgoSec seamlessly integrates with Palo Alto Networks NGFWs to simply and intelligently automate App-ID and User-ID security policy change workflows, business application connectivity mapping and compliance reporting across on-premise and cloud environments.
Best Practices for Automating Next Generation Firewall Change Processes
1. BEST PRACTICES FOR AUTOMATING NEXT GENERATION FIREWALL CHANGE PROCESSES
Edy Almer, VP Product, AlgoSec
Moshe Itah, Product Line Manager, Palo Alto Networks
2. DO YOU STRUGGLE WITH?
• Supporting business transformation initiatives such as cloud and SDN
• Lack of visibility into business application connectivity requirements
• Slow, manual and error-prone change management processes
• Costly outages and exposure to risk due to misconfigurations
• Time-consuming audits and reactive compliance verification
2 | Confidential
3. ELIMINATE THE TRADEOFF
Security
• Avoid misconfiguration and reduce attack surface
• Proactively mitigate risk
• Ensure continuous compliance
• Enforce Network Segmentation
Business Agility
• Provision network changes in minutes, not days
• Understand business requirements and avoid application outages
• Align teams to foster DevSecOps
• Free up time by automating processes
18. APP-ID AND USER-ID SUPPORT
• Policy analysis
• Automatically and seamlessly replace ports with applications at layer 7
• Zero-touch change management
• Proactive risk analysis
• Add/remove/modify traffic and intelligent rule design
• Policy push directly to Palo Alto Networks devices (through Panorama)
• Mixed NGFW and non user/application-aware infrastructure, and cloud (VMware NSX, AWS, Azure)
19. APP-ID AND USER ID CONNECTIVITY MANAGEMENT
• Changes include application default, app_id and user data
20. PANORAMA SUPPORT
• Automated policy push through Panorama to its devices, including user-awareness, application awareness
• Support for large estates
• Automatically populate firewalls in AlgoSec
• Identify and incorporate candidate policies in the analysis (aggregated changes not yet committed to the devices)
• Allow low risk change requests to be automatically resolved, while security operations must approve or reject only higher risk items
22. PRAGMATIC AUTOMATION
• Collate all changes related to a policy
• Allow mixed device based work orders and policy based work orders on the same ticket
Make single change to Panorama instead of hundreds of individual device level changes – while still supporting device based changes for other vendors.
24. SUPPORT ORGANIZATION STRUCTURE & DEVICE GROUPS
• Support assignment of Panorama device groups to organizational groups in AD
• Each group handles and approves changes to “its” devices
• Align with organizational structure
• Improve inter team synchronization
• Reduce errors
• Provide full results to requestors