Remote Access
GlobalProtect remote access setup
All traffic (company and internet) is forwarded through the firewall
Remote Access is enforced to connect automatically after the user logs in (always on)
GlobalProtect Portal Login page is disabled
Identity is verified through dual factor
Connecting devices are verified by Host Information Profile "HIP"
GlobalProtect remote access is rolled out to an initial test group
GlobalProtect remote access is rolled out to all mobile users
Data Centre
Reconnaissance Protection
Apply DoS Zone protection to the Internet zone
Block access from high risk sources
Malware base Protection
Threat Prevention license installed
PAN-DB URL filtering license installed
Apply a dedicated Security Profile group for Internet Inbound traffic to all related security policies
Apply a dedicated Security Profile group for Internet Outbound traffic to all related security policies
Apply a dedicated Security Profile group for traffic between internal networks to alert on threats
Wildfire license installed
Upload non-private files to Wildfire for Zero-day malware detection
Upload potentially private files to Wildfire for Zero-day malware detection
Limit security policies to the required zones
Protect Internet Services (Servers which are reachable from the Internet)
Provide a report on all Internet Services
Group Internet Services
Rollout FireWall CA SSL Certificate to all servers
Provide SSL Certificates including private key of all Internet facing web servers
Decrypt SSL Outbound traffic to the Internet
Decrypt SSL Inbound traffic from the Internet
Further lock down the dedicated Security Profile group for Internet Inbound traffic
Block the download and upload of high risk file types
Allow only required ports (specific or application default)
Allow only specific Applications for Internet inbound traffic
Allow only specific Applications for Internet outbound traffic
Allow only specific URLs for web based Internet outbound traffic
Limit security policies to specific source and destination IP addresses or countries
Server Internet Access (Servers which are able to access the Internet but are not reachable from the Internet)
Rollout FireWall CA SSL Certificate to all servers
Decrypt SSL Outbound traffic to the Internet
Allow only required ports (specific or application default)
Allow only specific Applications for Internet outbound traffic
Allow only specific URL categories for web based Internet outbound traffic
Block the download of high risk file types
Limit security policies to specific source and destination IP addresses or subnets
Delete wide open Internet access rules
Internal Traffic
Lock down the dedicated Security Profile group for traffic between internal networks
Limit security policies to specific source and/or destination IP addresses or networks
Zero Trust
Move Internet facing applications into a dedicated DMZ
Move the most business critical applications into a dedicated zone on the FireWall
Move all datacentre applications into dedicated zones on the FireWall
medium medium
n/a none
n/a none
n/a none
high none
high none
low none
low none
n/a none
n/a none
low none
low none
low none
n/a none
low none
n/a none
high low
high low
high low
n/a none
n/a low
n/a none
n/a low
n/a medium
low low
low medium
medium medium
low low
low low
3.
low none
low none
low none
low none
low none
low none
low none
low none
low medium
high medium
medium low
medium medium
n/a none
high low
medium low
low none
medium low
medium low
low low
high low
2.
high none
high none
high low
2.5.2, 2.6.2 high low
low none
2.5.2 high none
2.5.2 high none
2.5.2 high none
medium low
n/a none
n/a none
2.5.2 n/a low
2.3.2 n/a none
2.5.2 high high
2.3.2 medium medium
2.1.2, 2.3.2 high medium
2.5.2 high medium
medium low
2.1.2 medium low
2.5.2, 2.6.2 medium low
2.5.2 high medium
medium low
high medium
medium medium
2.1.2, 2.7.2
high medium
high medium
high medium
4.
n/a none
n/a none
high none
high none
medium none
medium none
n/a none
n/a none
n/a none
Site B Site C
yes
no
partially