Maintain the Data Center Best Practice Rulebase
10.0 (EoL)
As conditions in your data center change, update the
Security policy rulebase accordingly. Modify rules to control new
and modified applications, protect new servers and other devices,
and account for user feedback about application availability.
Applications constantly evolve, so your application allow list
needs to evolve with them. Because the best practice rules leverage
policy objects to simplify administration, adding support for a
new application or removing an application from your allow list typically
means modifying the corresponding application group or application
filter accordingly.
Palo Alto Networks sends content updates
that you should download automatically and schedule for installation
on firewalls as soon as possible. Most content updates contain updates
to threat content (antivirus, vulnerabilities, anti-spyware, etc.)
and may contain modified App-IDs. On the third Tuesday of each month,
the content update also contains new App-IDs. You can set separate
thresholds to delay installing regular content updates and to delay
installing the once-a-month update that contains new App-IDs for
a specified period of time after the download. Delaying installation
enables you to install content updates that don’t include new App-IDs
as quickly as possible to get the latest threat signatures, while
also providing more time to examine new App-IDs before installing
them.
The content updates on the third Tuesday of each month
that contain new App-IDs may cause changes in Security policy enforcement.
Before you install new or modified App-IDs, review the policy impact,
stage updates to test impact, and modify existing Security policy
rules if necessary. If you use Panorama, the most efficient way to control
when firewalls download and install content updates is to load the updates
on Panorama and push them to the managed firewalls.
Follow the general
content update best practices,
but keep in mind that data center availability is usually critical,
so you may not choose to roll out content updates as fast in the
data center as you would on internet-facing firewalls:
- Quickly test content updates in a safe area of the network before you install them in the data center.
- For content updates that don’t contain new App-IDs, set the installation threshold to no more than eight hours after the automatic download and conduct testing within that period.
- For content updates that contain new App-IDs, set the installation threshold to no more than eight days after the automatic download and conduct testing within that period.
- Configure Log Forwarding for all content updates.
- Before installing a new content update, review new and modified App-IDs to determine if there is policy impact.
- If necessary, modify existing Security policy rules to accommodate the App-ID changes.
  You can disable selected App-IDs if some require more testing and install the rest of the new App-IDs. Finish testing any necessary policy revisions before the next monthly content release with new App-IDs arrives (third Tuesday of each month) to avoid overlap.
  Over time, the list of applications used in the data center usually stabilizes, so fewer and fewer new App-IDs are relevant (most new App-IDs pertain to internet-facing applications). This reduces the risk of new App-IDs creating an issue in the data center and may enable you to install content updates with new App-IDs faster.
- Prepare policy updates to account for App-ID changes included in a content release, and to add newly sanctioned applications to your allow rules or remove applications from them.
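As an added example (not Palo Alto Networks tooling and not text from this page), the following Python script performs the policy-impact review described above offline. It parses a constructed Security rulebase in PAN-OS running-config XML layout, takes a hand-constructed list of new App-IDs carrying the fields the App-ID release notes publish (name, category, subcategory, previously identified as), and reports, per new App-ID, which rules its traffic will stop matching after install (under positive enforcement that traffic falls through to the final deny rule) and which rules it will newly match (typically through an application filter, which picks up new App-IDs automatically). The App-ID names, rule names, group and filter definitions and category data are assumptions for illustration; the filter model covers only category and subcategory, and zone and address matching are ignored.

```python
"""Policy-impact review for a content release that adds App-IDs.

Added example, not Palo Alto Networks tooling. Parses a Security rulebase
in PAN-OS running-config XML layout and a hand-constructed list of new
App-IDs, then reports which rules each App-ID's traffic will stop or
start matching once the update is installed.
"""
import xml.etree.ElementTree as ET

# Constructed sample config (real PAN-OS XML structure, invented objects).
# Rules are reduced to <application> and <action>; zones/addresses omitted.
RULEBASE_XML = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1">
 <application-group>
  <entry name="dc-db-apps"><members><member>mssql-db</member><member>mysql</member></members></entry>
 </application-group>
 <application-filter>
  <entry name="dc-mgmt-filter"><category><member>networking</member></category>
   <subcategory><member>remote-access</member></subcategory></entry>
 </application-filter>
 <rulebase><security><rules>
  <entry name="allow-web-tier"><application><member>web-browsing</member><member>ssl</member></application><action>allow</action></entry>
  <entry name="allow-app-to-db"><application><member>dc-db-apps</member></application><action>allow</action></entry>
  <entry name="allow-mgmt"><application><member>dc-mgmt-filter</member></application><action>allow</action></entry>
  <entry name="deny-all"><application><member>any</member></application><action>deny</action></entry>
 </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

# Constructed release-note entries: the field names mirror the App-ID
# release notes, the App-IDs themselves are invented for this example.
NEW_APP_IDS = [
    {"name": "example-remote-console", "category": "networking",
     "subcategory": "remote-access", "previously": "ssl"},
    {"name": "example-db-wire", "category": "business-systems",
     "subcategory": "database", "previously": "mssql-db"},
    {"name": "example-chat", "category": "collaboration",
     "subcategory": "instant-messaging", "previously": "web-browsing"},
    {"name": "example-backup-agent", "category": "business-systems",
     "subcategory": "storage-backup", "previously": "unknown-tcp"},
]
# Category data for the existing App-IDs the rulebase references (constructed).
KNOWN_APPS = {
    "ssl": {"category": "networking", "subcategory": "encrypted-tunnel"},
    "web-browsing": {"category": "general-internet", "subcategory": "internet-utility"},
    "mssql-db": {"category": "business-systems", "subcategory": "database"},
    "mysql": {"category": "business-systems", "subcategory": "database"},
    "unknown-tcp": {"category": "unknown", "subcategory": "unknown"},
}


def members(node, path):
    """Return the <member> text values found under node/path as a set."""
    return {m.text for m in node.findall(path + "/member")}


def load_config(xml_text):
    """Extract application groups, application filters and the ordered rules."""
    vsys = ET.fromstring(xml_text).find("devices/entry/vsys/entry")
    groups = {e.get("name"): members(e, "members")
              for e in vsys.findall("application-group/entry")}
    filters = {e.get("name"): {"category": members(e, "category"),
                               "subcategory": members(e, "subcategory")}
               for e in vsys.findall("application-filter/entry")}
    rules = [{"name": e.get("name"), "apps": members(e, "application"),
              "action": e.findtext("action")}
             for e in vsys.findall("rulebase/security/rules/entry")]
    return groups, filters, rules


def filter_matches(flt, app):
    """Application filters are dynamic: an app matches when it satisfies every
    field the filter constrains (only category/subcategory modelled here)."""
    return all(not flt[f] or app.get(f) in flt[f] for f in ("category", "subcategory"))


def rule_matches(rule, app, groups, filters):
    """True if the rule's application list covers this app directly,
    through a static application group, or through an application filter."""
    for m in rule["apps"]:
        if m == "any" or m == app["name"]:
            return True
        if m in groups and app["name"] in groups[m]:
            return True
        if m in filters and filter_matches(filters[m], app):
            return True
    return False


def review_impact(xml_text, new_apps, known_apps):
    """Per new App-ID: rules its traffic stops matching ('lost', it was matched
    under the previous App-ID) and rules it newly matches ('gained')."""
    groups, filters, rules = load_config(xml_text)
    report = {}
    for app in new_apps:
        prev = dict(known_apps[app["previously"]], name=app["previously"])
        before = [r["name"] for r in rules if rule_matches(r, prev, groups, filters)]
        after = [r["name"] for r in rules if rule_matches(r, app, groups, filters)]
        report[app["name"]] = {"lost": [r for r in before if r not in after],
                               "gained": [r for r in after if r not in before]}
    return report


if __name__ == "__main__":
    for app, change in review_impact(RULEBASE_XML, NEW_APP_IDS, KNOWN_APPS).items():
        if not change["lost"] and not change["gained"]:
            print(f"{app}: no policy impact")
        else:
            print(f"{app}: stops matching {change['lost'] or '-'}, "
                  f"newly matches {change['gained'] or '-'}")
```

A lost allow rule for a sanctioned application (example-db-wire above) is what you fix before install by adding the new App-ID to the corresponding application group, or by disabling that App-ID until testing is done. A lost allow rule for an application nobody sanctioned (example-chat) is positive enforcement doing its job and usually needs no change. A gained allow rule through a filter (example-remote-console) is the case to review first, because the filter widened without anyone editing the rulebase.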
Other ways to maintain the best practice rulebase include:
- Use Palo Alto Networks Assessment and Review Tools to identify gaps in security coverage.
- User feedback about applications they can no longer access may identify gaps in the rulebase, or risky applications that were in use on your network before positive enforcement prevented their use.
- Compare the asset inventory list you created when you assessed your data center to the assets themselves, and ensure that those assets are protected appropriately.
- Use Palo Alto Networks logging and monitoring tools such as the Application Command Center (ACC) to find and investigate unexpected activity, which may indicate a misconfigured or missing rule. Run reports periodically to check that the level of security you want to apply is actually applied. If you use Panorama to manage firewalls, you can monitor firewall health to compare devices to their baseline performance and to each other, to identify deviations from normal behavior.
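To make the inventory comparison concrete, here is an added example (not from this page and not Palo Alto Networks tooling) that checks a constructed asset inventory against the address objects and static address groups a Security rulebase references, in PAN-OS running-config XML layout. It reports inventory hosts that no rule names explicitly (they only ever hit an `any` rule or the final deny, so a new server may be silently blocked or silently over-permitted) and single-host address objects that correspond to no inventory asset, the classic stale object that keeps an allow rule alive for an IP that may be reassigned. Hostnames, addresses, object and rule names are invented; dynamic address groups, FQDN and region objects are not modelled.

```python
"""Inventory-to-rulebase coverage check.

Added example, not Palo Alto Networks tooling. Compares a constructed asset
inventory with the address objects and static address groups that a PAN-OS
Security rulebase references, flagging assets no rule names explicitly and
single-host objects that match no asset.
"""
import csv
import io
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config (real PAN-OS XML structure, invented objects).
DC_CONFIG_XML = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1">
 <address>
  <entry name="dc-web-net"><ip-netmask>10.10.10.0/24</ip-netmask></entry>
  <entry name="dc-app-net"><ip-netmask>10.10.15.0/24</ip-netmask></entry>
  <entry name="dc-db-01"><ip-netmask>10.10.20.11/32</ip-netmask></entry>
  <entry name="dc-db-02"><ip-netmask>10.10.20.12/32</ip-netmask></entry>
 </address>
 <address-group>
  <entry name="dc-db-servers"><static><member>dc-db-01</member><member>dc-db-02</member></static></entry>
 </address-group>
 <rulebase><security><rules>
  <entry name="allow-web-tier"><source><member>dc-web-net</member></source>
   <destination><member>dc-app-net</member></destination><action>allow</action></entry>
  <entry name="allow-app-to-db"><source><member>dc-app-net</member></source>
   <destination><member>dc-db-servers</member></destination><action>allow</action></entry>
  <entry name="deny-all"><source><member>any</member></source>
   <destination><member>any</member></destination><action>deny</action></entry>
 </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

# Constructed inventory export (hostname,ip,role). db-03 and backup-01 are the
# recently added assets this check is meant to catch.
INVENTORY_CSV = """hostname,ip,role
web-01,10.10.10.21,web
app-01,10.10.15.5,app
db-01,10.10.20.11,db
db-03,10.10.20.13,db
backup-01,10.10.30.7,backup
"""


def load_objects(xml_text):
    """Extract address objects, static address groups and the ordered rules."""
    vsys = ET.fromstring(xml_text).find("devices/entry/vsys/entry")
    addrs = {e.get("name"): ipaddress.ip_network(e.findtext("ip-netmask"), strict=False)
             for e in vsys.findall("address/entry")}
    groups = {e.get("name"): [m.text for m in e.findall("static/member")]
              for e in vsys.findall("address-group/entry")}
    rules = [{"name": e.get("name"),
              "source": [m.text for m in e.findall("source/member")],
              "destination": [m.text for m in e.findall("destination/member")]}
             for e in vsys.findall("rulebase/security/rules/entry")]
    return addrs, groups, rules


def expand(member, addrs, groups):
    """Resolve an address object or static group name to a list of networks.
    'any' and unresolved names contribute no explicit coverage."""
    if member in groups:
        return [n for m in groups[member] for n in expand(m, addrs, groups)]
    if member in addrs:
        return [addrs[member]]
    return []


def coverage_report(xml_text, inventory_csv):
    """Map each inventory host to the rules that name its IP explicitly, list
    hosts with none, and list /32 objects that no inventory host occupies."""
    addrs, groups, rules = load_objects(xml_text)
    hosts = {row["hostname"]: ipaddress.ip_address(row["ip"])
             for row in csv.DictReader(io.StringIO(inventory_csv))}
    explicit = {
        host: [r["name"] for r in rules
               if any(ip in net for m in r["source"] + r["destination"]
                      for net in expand(m, addrs, groups))]
        for host, ip in hosts.items()}
    stale = [name for name, net in addrs.items()
             if net.num_addresses == 1 and not any(ip in net for ip in hosts.values())]
    return {"explicit": explicit,
            "uncovered": sorted(h for h, rs in explicit.items() if not rs),
            "stale_objects": stale}


if __name__ == "__main__":
    report = coverage_report(DC_CONFIG_XML, INVENTORY_CSV)
    for host, rule_names in report["explicit"].items():
        print(f"{host}: {', '.join(rule_names) or 'NO EXPLICIT RULE'}")
    print("uncovered assets:", report["uncovered"])
    print("stale single-host objects:", report["stale_objects"])
```

Run it against a real `show config running` export and your CMDB export after each inventory refresh; an uncovered host is either a missing address object or group member (fix the rulebase) or an asset that should not be in the data center at all (fix the inventory), and a stale /32 object is an allow rule waiting for whoever inherits that address.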