Friday, October 18, 2024

Architecting for Palo Alto

Strat Cloud Manager ( => move away from Panorama 
Prisma Access (Global Protect)
Commits

General Protection

  • Zone Protection profiles on all interfaces
  • Migrate to Application-based rules
  • Shared rules .. eg.  geoblocks, bad apps, cleanup
  • Criticality threshold, medium severity is common
  • Zero trust
  • External Dynamic List


Remote User /On-Prem Protection

  • Threat Protection
  • URL Filtering
  • SSL Forward Proxy (SSLD)
  • Global Protect VPN W/Full Tunnel & HIPs
  • User-ID
  • Data Redistribution

Responsiveness
  • Directional Clean up rulesHA configured locally, not in panorama
  • Link and path monitoring for hardare 
  • Baseline or referenece device group
  • use tags
  • Self-documentation configuration
  • Security profile group for different use case
  • Device group tiers and shared templates
Resilience
  • Automate update installation, config backups
  • Separate virtual router for secondary ISP
  • Use path monitoring (not PBF) for route failover
  • HA configured locally, not in Panorama
  • Link and path monitoring for Hardware failover
  • Use monitor profiles for all IPSec tunnels

Palo Alto
Prisma  Access - Associate Tenant
Prisma Access - Mobile Developer Tenant
Panorama Gateways

No comments:

Post a Comment

Architecting for Palo Alto

Strat Cloud Manager ( => move away from Panorama  Prisma Access (Global Protect) Commits General Protection Zone Protection profiles on a...