Palo Alto Networks firewalls can be difficult for new admins to properly set up, especially when it comes to deciding which security policies to build for their networks, knowing which licenses are needed and understanding how to harden the systems. To help admins get started, Tom Piens, founder of PANgurus, wrote Mastering Palo Alto Networks. After working on the vendor's knowledge base, Piens, a former Palo Alto engineer, knew exactly where admins struggle the most.
In this Q&A, Piens explains why the time was ripe to write this Palo Alto Networks firewall tutorial, who the book best serves and the various licenses needed to get the most out of the device.
Editor's note: This transcript has been edited for length and clarity.
Why did you decide to write a tutorial on Palo Alto Networks firewalls?
Tom Piens: When I joined Palo Alto Networks, the company didn't have a real knowledge base. It was just engineers writing articles if they had extra time -- customers would either find them helpful or not. After a while, it started to get messy and confusing. Engineers were posting multiple articles with different instructions. About five years into my tour as a support engineer, I was getting tired of the support role. At the same time, Palo Alto Networks realized its knowledge base needed an overhaul. I joined the LIVEcommunity, which was put in charge of improving the knowledge base. I was playing with the idea of writing a book, but I never found the time or the inspiration. I was contemplating leaving Palo Alto Networks when Packt contacted me and asked if I was interested in writing something.
Who did you write this firewall tutorial for?
Piens: I tried to please a wide audience. Readers could be anywhere from very novice administrators to somewhat advanced ones who work with Palo Alto Networks but want more out of their investment. In Chapter 1, I explain what the technology is and the way an admin should think about it before installation. The remaining chapters build upon each previous one to create a solid knowledge foundation. I started with the basics: how to set the box up, connecting it, how to go about configuring your interfaces, starting to build a couple of security policies and adding more until you have a fully functional device. I close out the book with how to troubleshoot.
In Chapter 3, you mention licenses organizations need to purchase. What licenses are needed to get everything in place as you describe in the chapter?
Piens: In general, there are two basic licenses: You have your Threat [Prevention] license, which has antivirus, antimalware and antivulnerability, and you have the WildFire license, which is the sandbox tool. Additional licenses include one for DNS security, which is the DNS sinkhole installation, and one for URL filtering. Palo Alto is starting to add DLP [data loss prevention] licenses now. In the past, DLP within the platform was weak. It would find a couple of signatures but didn't compare to professional DLP offerings. So, the company is focusing more on DLP now.
How limited would the firewall be if a company opted not to purchase these additional licenses?
Piens: Without any licenses, you can still benefit from App-ID, [the firewall's traffic classification system]. But you wouldn't be protected against anything. You can block users from accessing certain applications, but there wouldn't be much protection for you. You'll basically have a fancy old-generation firewall. For protection against 90% of the threats out there, you need at least the Threat [Prevention], WildFire, URL Filtering and DNS Security licenses.
How much setup do Palo Alto Networks firewalls require? Are there initial settings out of the box or just what admins set up?
Piens: Out of the box, there's a single policy and a virtual wire interface for a hardware appliance interface. One is the external untrust interface, and the other is the internal trust interface. There's a single security policy that allows traffic to go out. If you want to get started from there, it's perfectly fine to just plug it in. If you already have firewalls in place and you don't want to go Layer 2 or Layer 3 and just want to have a test run, just plug it in. From there, you'll need to install your licenses, update your box and add your security profiles so you can start scanning.
Do you have any advice for admins setting up Palo Alto security policies for the first time?
Piens: That depends. If you want to implement Palo Alto's firewall, just install it on your network as it's easy to set up and maintain. It's also easy on an admin learning and building for the first time. I've installed a couple of devices where I put in a basic configuration and told the admins what they needed to know security policy-wise, like how to build a policy, and then gave them free rein to go wild to build their own policy. I went back a couple days later to verify they got the message and saw most of them built Palo Alto security policies that worked for them and did everything they needed without anything unnecessary in there. So, admins have options for the first installation.
If you don't want the box to participate in your network or want to see what it does before you fully implement, there's a tap port that can connect to a switch's mirror port. You can send all your traffic to the firewall and look at what it's doing. You can also see if App-ID works for you. If you're happy with the results, the second step is the virtual wire -- you can plug it into an existing Layer 3 environment where you're just passing packets along the wire and not participating in any routing or switching decisions.
Is there anything you wish Palo Alto Networks would do to make it easier to create or implement security policies?
Piens: Make it simpler for people to get started. There's always that first step -- and, if you're not accustomed to working with a firewall or not confident that you're going to be able to find your way around the GUI and then be able to make a solid policy without making mistakes, it can be daunting.
When you register a device, there's something called the Day 1 Configuration Tool in the Support Portal. The Day 1 Configuration is extremely basic, but that makes sense since it's not easy to serve everyone with a single config file. Naturally, you need to have more steps, but the more steps you add, the more difficult it becomes to get the firewall set up.
But, once admins are able to mix and match that all together, the firewall becomes something user-friendly by itself. Hopefully, my book helps people find their way around.
Is there anything Palo Alto Networks could add to make its firewall more secure?
Piens: There is plenty of stuff to configure to make the box a little more secure. But a lot of that also falls under the umbrella of 'it's not easy to create a unified, simplified, single, strengthened and hardened configuration that is going to work for everyone.'
One of the best ways to harden your box is to limit access, but how you guess which networks and which devices to block or allow, that's something that the user needs to do. Unfortunately, that's kind of hidden away. It might be good if the company finds a way to make it easier to find and do as that's one of the things a new admin is not going to find easily. It's going to be easy for them to create security policies, but the administrative configuration, hardening your management interface, making sure that you're using strong authentication and that your admins have the right role-based access -- that's still a very, very manual process.
About the author
Tom Piens has been working with Palo Alto Networks technology for the past 10 years and has authored or contributed to countless knowledge base articles. One of his passions is to help peers figure out how to solve issues or better understand and apply specific features or expected behavior. Piens is also known as "reaper" on the PANgurus and LIVEcommunity forums, as well as "PANWreaper" on Twitter. He enjoys the occasional whiskey or Belgian beer.