Managing Palo Alto Policies with STRUCTURA.IO - Part 1
Problem
Traditionally, Firewall Administrators would receive a request for a firewall change via a ticketing system and would then make the change during a change or maintenance window using the GUI or the CLI of the firewall. There are already two opportunities for human error in this process. The first is the ticket request itself: is the data in the ticket accurate and complete? The second is the firewall admin's implementation of that ticket. Another area that can be improved upon is providing a source of truth for the firewall: a dictionary of all the objects that should exist, the policies that are installed, and where they sit within the ruleset. Digging even deeper, teams should have visibility into when objects were added, when they changed, and who made the change.
Challenge
Solution
The solution we developed can be rolled out in three stages. The first phase was moving the Firewall Admins away from the GUI and CLI and into Infrastructure as Code, using Structura. This enabled us to standardize the workflow across the Security team and reduce the learning curve it would typically take to adopt an IaC methodology in their practice. Object creation is as simple as dragging the resource (such as an address object) into the workspace, selecting it, and entering the required fields presented to the firewall admin. In Panorama, there is a single resource that manages the entire ruleset, so for the firewall admin to change the policy, all they need to do is open the resource, either select the rule that needs modification or create a new one, and enter the fields as required. Typically a policy requires values for the source and destination zones, addresses, services, and applications. These objects are all listed in the "Quick Chip" panel within Structura. A simple click and drag of these chips into the desired field assigns the object to that field in the configuration.
Once the firewall's objects and policies were defined as Infrastructure as Code, we could then use Git for source control. Changes made in Structura could be pushed to a repository, giving the Firewall Admins insight into what was changed, by whom, and when. Instead of doing the work during the change window, it could now be done ahead of time, verified by other team members asynchronously, and the push to Panorama was a click of a button, shortening the average length of the change window and reducing the human error that could be introduced.
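To make the "single resource that manages the entire ruleset" and the "source of truth" ideas concrete, here is an added example of what a Panorama address object and security policy look like once they live in a Git repository as code. This is not Structura's output or the page's own configuration: the page does not name the IaC format, so the example assumes Terraform HCL using the PaloAltoNetworks panos provider (resource names `panos_address_object` and `panos_panorama_security_policy` come from that provider; the device group `DG-Example`, the zones, the 10.0.0.0/8 and 10.10.20.5 values and the rule names are constructed placeholders).

```hcl
# Added example (not from Structura or the original page). Assumes the
# PaloAltoNetworks panos Terraform provider; all names/addresses are constructed.

terraform {
  required_providers {
    panos = {
      source = "PaloAltoNetworks/panos"
    }
  }
}

# Credentials come from variables so no API key is committed to Git.
variable "panorama_hostname" { type = string }
variable "panorama_api_key"  { type = string, sensitive = true }

provider "panos" {
  hostname = var.panorama_hostname
  api_key  = var.panorama_api_key
}

# Address objects: each one is a reviewable unit in the repository, so the
# ticket's "is this data accurate?" question is answered in the pull request.
resource "panos_address_object" "corp_lan" {
  device_group = "DG-Example"          # constructed device group
  name         = "corp-lan"
  type         = "ip-netmask"
  value        = "10.0.0.0/8"          # constructed value
  description  = "Corporate LAN (ticket placeholder: CHG-0000)"
}

resource "panos_address_object" "web_app" {
  device_group = "DG-Example"
  name         = "web-app-prod"
  type         = "ip-netmask"
  value        = "10.10.20.5/32"       # constructed value
  description  = "Production web server"
}

# One resource owns the whole pre-rulebase for the device group. Rule order
# is the order of the blocks below, so "where a rule sits in the ruleset"
# is visible in the Git diff rather than only in the GUI.
resource "panos_panorama_security_policy" "dg_example" {
  device_group = "DG-Example"

  rule {
    name                  = "allow-corp-to-web-app"
    source_zones          = ["trust"]                     # constructed zone
    source_addresses      = [panos_address_object.corp_lan.name]
    source_users          = ["any"]
    hip_profiles          = ["any"]
    destination_zones     = ["dmz"]                       # constructed zone
    destination_addresses = [panos_address_object.web_app.name]
    applications          = ["web-browsing", "ssl"]
    services              = ["application-default"]
    categories            = ["any"]
    action                = "allow"
    log_end               = true
  }

  # Explicit deny at the bottom keeps the default-deny posture visible in code.
  rule {
    name                  = "deny-all-logged"
    source_zones          = ["any"]
    source_addresses      = ["any"]
    source_users          = ["any"]
    hip_profiles          = ["any"]
    destination_zones     = ["any"]
    destination_addresses = ["any"]
    applications          = ["any"]
    services              = ["any"]
    categories            = ["any"]
    action                = "deny"
    log_end               = true
  }
}
```

With the policy expressed this way, the review step described above is a normal pull request: a reviewer sees exactly which rule block was added or reordered, `terraform plan` shows the change Panorama would receive before the window, and the Git history records who changed each object and when. Keep the API key out of the repository (a variable or secrets store, as above) so the source of truth for the policy never becomes a source of credentials.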