
Palo Alto Networks NGFW Best Practices

Network Security Best Practice / Site


Checklist columns: Reference, Task, Owner, Security Impact, Service Impact, Risk, Site A, Site B, Site C. The per-site status is recorded as yes / no / partially. The Owner, Risk and per-site status columns are not yet filled in; the Security Impact and Service Impact ratings (high / medium / low / n/a, high / medium / low / none) are given per task below.

Preparation

Device Configuration - Adapt the general system configuration to the latest best practices

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| | Software upgrade to the latest recommended release | medium | medium |
| | Define Login Banner | n/a | none |
| | Certificate Expiration Check enabled | n/a | none |
| | Customize Log Storage Quota | n/a | none |
| | Limit Management Interface Services | high | none |
| | Set up SNMPv3 (only if required) | high | none |
| | Enable Statistics Services | low | none |
| | Verify Update Server Identity | low | none |
| | Enable NTP Time Synchronization | n/a | none |
| | Change WildFire to use the EU Public Cloud | n/a | none |
| | Change WildFire File Size Limits to the maximum | low | none |
| | Get WildFire to report on Grayware Files | low | none |
| | Set up dedicated admin accounts to authenticate against Active Directory | low | none |
| | Set up a local fallback superuser account | n/a | none |
| | Remove the default admin account | low | none |
| | Customize Response Pages | n/a | none |
| | Customize dynamic AntiVirus update | high | low |
| | Customize dynamic Applications and Threats update | high | low |
| | Customize dynamic WildFire update | high | low |

High Availability

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| | Mgmt Interface used for HA1 Backup | n/a | none |
| | Passive Link State set to auto | n/a | low |
| | HA2 Keep-alive Log enabled | n/a | none |
| | Link and Path Monitoring configured and activated | n/a | low |
| | HA tested | n/a | medium |

Security Policy Restructuring

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| | Delete disabled rules | low | low |
| | Delete unused rules | low | medium |
| | Move uncontrolled Internet access rules to the end of the rulebase | medium | medium |
| | Move Web Access Policy into Panorama Post-Rules | low | low |
| | Move System rules into Panorama Pre-Rules | low | low |

Web Access Policy for End User Devices (reference 3.)

User Identification

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| | Set up Group Mapping with a dedicated list of included groups | low | none |
| | Windows Server Monitoring - enable Log Monitor and Session Read | low | none |
| | Disable client probing (WMI and NetBIOS) | low | none |
| | Customize the cache based on the DHCP lease time | low | none |
| | Add Active Directory service accounts to the Ignore User list | low | none |
| | Define include/exclude Networks | low | none |
| | Define Access Control List to restrict access to the User-ID agent from firewalls (dedicated User-ID agent) | low | none |
| | Set the User-ID agent service recovery to "Restart the Service" (dedicated User-ID agent) | low | none |

Malware scanning

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| 3.3.2 | Threat Prevention license installed | high | none |
| 3.3.2 | Antivirus profile applied to all policies | high | low |
| 3.3.2 | Anti-Spyware profile applied to all policies | high | medium |
| 3.6.2 | Set DNS Sinkhole to block suspicious DNS Queries | high | low |
| | Enable Passive DNS Monitoring | low | none |
| 3.3.2 | Vulnerability Protection profile applied to all policies | high | medium |
| 3.3.2 | WildFire license installed | high | none |
| 3.3.2 | Upload non-private files to WildFire for zero-day malware detection | high | none |
| 3.3.2 | Upload potentially private files to WildFire for zero-day malware detection | high | none |

Application Control

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| 3.5.2 | Apply negative enforcement policy to block known bad applications | high | low |
| 3.3.2 | Restrict non-corporate e-mail applications to a limited user group | high | low |
| | Limit Fallback rules to port 80 & 443 | medium | medium |
| | Define "deny any any" rule for users in the web access groups | high | medium |

URL Filtering

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| 3.3.2 | PAN-DB URL filtering license installed | high | none |
| | URL Filtering profile applied to all policies | medium | low |
| | Block access to malicious URL categories | high | low |
| | Block access to potentially dangerous URL categories | medium | low |
| | Restrict web advertisement to a limited user group | medium | low |
| | Block access to unknown URLs | high | high |
| | Log HTTP Header information | low | none |

File Blocking

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| 3.5.2 | File blocking profile applied to all policies | medium | low |
| | Block the download of PE and Multi-Level-Encoded zip files | high | medium |

SSL Decryption

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| 3.3.2 | Configure SSL Decryption | low | low |
| | Allow forwarding of decrypted content | medium | none |
| | Roll out the firewall CA SSL certificate to all users | n/a | low |
| | Enforce SSL decryption with a Decryption Profile | medium | low |
| | Activate SSL Decryption for a test user group | medium | high |
| | Activate SSL Decryption for all users | high | high |

Web Access Policy rollout

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| | Apply new Web Access Policy to an initial test group | low | medium |
| | Apply new Web Access Policy to all users | high | medium |

Application Control Enforcement

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| | Identify Applications used per user group and add them to App rules | medium | low |
| | Delete Fallback rules | medium | medium |

Remote Access

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| | GlobalProtect remote access setup | n/a | none |
| | All traffic (company and Internet) is forwarded through the firewall | high | low |
| | Remote Access is enforced to connect automatically after the user logs in (always on) | medium | low |
| | GlobalProtect Portal Login page is disabled | low | none |
| | Identity is verified through dual factor | medium | low |
| | Connecting devices are verified by Host Information Profile (HIP) | medium | low |
| | GlobalProtect remote access is rolled out to an initial test group | low | low |
| | GlobalProtect remote access is rolled out to all mobile users | high | low |

Data Centre (reference 2.)

Reconnaissance Protection

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| 2.1.2 | Apply DoS Zone protection to the Internet zone | medium | low |
| 2.1.2 | Block access from high risk sources | medium | low |

Malware based Protection

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| | Threat Prevention license installed | high | none |
| | PAN-DB URL filtering license installed | high | none |
| | Apply a dedicated Security Profile group for Internet Inbound traffic to all related security policies | high | low |
| 2.5.2, 2.6.2 | Apply a dedicated Security Profile group for Internet Outbound traffic to all related security policies | high | low |
| | Apply a dedicated Security Profile group for traffic between internal networks to alert on threats | low | none |
| 2.5.2 | WildFire license installed | high | none |
| 2.5.2 | Upload non-private files to WildFire for zero-day malware detection | high | none |
| 2.5.2 | Upload potentially private files to WildFire for zero-day malware detection | high | none |
| | Limit security policies to the required zones | medium | low |

Protect Internet Services (servers which are reachable from the Internet)

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| | Provide a report on all Internet Services | n/a | none |
| | Group Internet Services | n/a | none |
| 2.5.2 | Roll out the firewall CA SSL certificate to all servers | n/a | low |
| 2.3.2 | Provide SSL certificates including the private key of all Internet facing web servers | n/a | none |
| 2.5.2 | Decrypt SSL Outbound traffic to the Internet | high | high |
| 2.3.2 | Decrypt SSL Inbound traffic from the Internet | medium | medium |
| 2.1.2, 2.3.2 | Further lock down the dedicated Security Profile group for Internet Inbound traffic | high | medium |
| 2.5.2 | Block the download and upload of high risk file types | high | medium |
| | Allow only required ports (specific or application default) | medium | low |
| 2.1.2 | Allow only specific Applications for Internet inbound traffic | medium | low |
| 2.5.2, 2.6.2 | Allow only specific Applications for Internet outbound traffic | medium | low |
| 2.5.2 | Allow only specific URLs for web based Internet outbound traffic | high | medium |
| | Limit security policies to specific source and destination IP addresses or countries | medium | low |

Server Internet Access (servers which are able to access the Internet but are not reachable from the Internet)

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| 2.5.2 | Roll out the firewall CA SSL certificate to all servers | n/a | low |
| 2.5.2 | Decrypt SSL Outbound traffic to the Internet | high | high |
| | Allow only required ports (specific or application default) | medium | low |
| 2.5.2, 2.6.2 | Allow only specific Applications for Internet outbound traffic | medium | low |
| 2.5.2 | Allow only specific URL categories for web based Internet outbound traffic | high | medium |
| 2.5.2 | Block the download of high risk file types | high | medium |
| | Limit security policies to specific source and destination IP addresses or subnets | medium | low |
| 3.3.2 | Delete wide open Internet access rules | high | medium |

Internal Traffic

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| | Lock down the dedicated Security Profile group for traffic between internal networks | high | medium |
| | Limit security policies to specific source and/or destination IP addresses or networks | medium | medium |

Zero Trust

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| 2.1.2, 2.7.2 | Move Internet facing applications into a dedicated DMZ | high | medium |
| | Move the most business critical applications into a dedicated zone on the firewall | high | medium |
| | Move all datacentre applications into dedicated zones on the firewall | high | medium |

Monitoring and Reporting (reference 4.)

Logging

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| | Set all security policies to log traffic at the end of the session | n/a | none |
| | Forward all logs to Panorama | n/a | none |

Threat Monitoring and Alerting

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| | Get immediately alerted on WildFire submissions (malware & grayware) | high | none |
| | Get immediately alerted on critical Correlation Events | high | none |
| | Daily report for DNS Sinkhole events | medium | none |
| | Weekly Threat Report | medium | none |

Appropriate usage Monitoring

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| | Identify sanctioned SaaS applications | n/a | none |
| | Weekly or Monthly report on Application and URL usage | n/a | none |

System Monitoring

| Reference | Task | Security Impact | Service Impact |
|---|---|---|---|
| | Enable E-Mail alerts for critical system logs | n/a | none |
