Palo Alto Networks NGFW Best Practices
Network Security Best Practice / Site

Need Help? Contact us online at www.consigas.com or give us a call +353 (1) 5241014

We are a Palo Alto Networks Certified Professional Service Provider (CPSP) and the Next-Generation Security Platform is what we do all day every day. Let us share our experience with you to make your Next-Generation Security project a smooth experience but, most important, a peace of mind by truly securing your valuable IT assets.


Preparation

Device Configuration - Adapt the general system configuration to the latest best practices
- Software upgrade to the latest recommended release
- Define Login Banner
- Certificate Expiration Check enabled
- Customize Log Storage Quota
- Limit Management Interface Services
- Set up SNMPv3 (only if required)
- Enable Statistics Services
- Verify Update Server Identity
- Enable NTP Time Synchronization
- Change WildFire to use the EU Public Cloud
- Change WildFire File Size Limits to the maximum
- Get WildFire to report on Grayware Files
- Set up dedicated admin accounts to authenticate against Active Directory
- Set up a local fallback superuser account
- Remove the default admin account
- Customize Response Pages
- Customize dynamic AntiVirus update
- Customize dynamic Applications and Threats update
- Customize dynamic WildFire update

High Availability
- Mgmt Interface used for HA1 Backup
- Passive Link State set to auto
- HA2 Keep-alive Log enabled
- Link and Path Monitoring configured and activated
- HA tested

Security Policy Restructuring
- Delete disabled rules
- Delete unused rules
- Move uncontrolled Internet access rules to the end of the rulebase
- Move Web Access Policy into Panorama Post-Rules
- Move System rules into Panorama Pre-Rules


Web Access Policy for End-user Devices

User Identification
- Set up Group Mapping with a dedicated list of included groups
- Windows Server Monitoring - enable Log Monitor and Session Read
- Disable client probing (WMI and NetBIOS)
- Customize the cache based on the DHCP lease time
- Add Active Directory service accounts to the Ignore User list
- Define include/exclude Networks
- Define Access Control List to restrict access to the User-ID agent from firewalls (dedicated User-ID agent)
- Set the User-ID agent service recovery to "Restart the Service" (dedicated User-ID agent)

Malware Scanning
- Threat Prevention license installed
- Antivirus profile applied to all policies
- Anti-Spyware profile applied to all policies
- Set DNS Sinkhole to block suspicious DNS queries
- Enable Passive DNS Monitoring
- Vulnerability Protection profile applied to all policies
- WildFire license installed
- Upload non-private files to WildFire for zero-day malware detection
- Upload potentially private files to WildFire for zero-day malware detection

Application Control
- Apply negative enforcement policy to "Block Known Bad" applications
- Restrict non-corporate e-mail applications to a limited user group
- Limit Fallback rules to ports 80 and 443
- Define "deny any any" rule for users in the web access groups

URL Filtering
- PAN-DB URL Filtering license installed
- URL Filtering profile applied to all policies
- Block access to malicious URL categories
- Block access to potentially dangerous URL categories
- Restrict web advertisement to a limited user group
- Block access to "unknown" URLs
- Log HTTP Header information

File Blocking
- File Blocking profile applied to all policies
- Block the download of "PE" and Multi-Level-Encoded zip files

SSL Decryption
- Configure SSL Decryption
- Allow forwarding of decrypted content
- Roll out the Firewall CA SSL Certificate to all users
- Enforce SSL Decryption with a Decryption Profile
- Activate SSL Decryption for a test user group
- Activate SSL Decryption for all users

Web Access Policy Rollout
- Apply the new Web Access Policy to an initial test group
- Apply the new Web Access Policy to all users

Application Control Enforcement
- Identify applications used per user group and add them to App rules
- Delete Fallback rules


Remote Access

GlobalProtect Remote Access Setup
- All traffic (company and Internet) is forwarded through the firewall
- Remote Access is enforced to connect automatically after the user logs in (always on)
- GlobalProtect Portal login page is disabled
- Identity is verified through dual factor
- Connecting devices are verified by Host Information Profile (HIP)
- GlobalProtect remote access is rolled out to an initial test group
- GlobalProtect remote access is rolled out to all mobile users


Data Centre

Reconnaissance Protection
- Apply DoS Zone Protection to the Internet zone
- Block access from high-risk sources

Malware-based Protection
- Threat Prevention license installed
- PAN-DB URL Filtering license installed
- Apply a dedicated Security Profile Group for Internet inbound traffic to all related security policies
- Apply a dedicated Security Profile Group for Internet outbound traffic to all related security policies
- Apply a dedicated Security Profile Group for traffic between internal networks to alert on threats
- WildFire license installed
- Upload non-private files to WildFire for zero-day malware detection
- Upload potentially private files to WildFire for zero-day malware detection
- Limit security policies to the required zones

Protect Internet Services (servers which are reachable from the Internet)
- Provide a report on all Internet Services
- Group Internet Services
- Roll out the Firewall CA SSL Certificate to all servers
- Provide SSL Certificates including the private key of all Internet-facing web servers
- Decrypt SSL outbound traffic to the Internet
- Decrypt SSL inbound traffic from the Internet
- Further lock down the dedicated Security Profile Group for Internet inbound traffic
- Block the download and upload of high-risk file types
- Allow only required ports (specific or application-default)
- Allow only specific applications for Internet inbound traffic
- Allow only specific applications for Internet outbound traffic
- Allow only specific URLs for web-based Internet outbound traffic
- Limit security policies to specific source and destination IP addresses or countries

Server Internet Access (servers which are able to access the Internet but are not reachable from the Internet)
- Roll out the Firewall CA SSL Certificate to all servers
- Decrypt SSL outbound traffic to the Internet
- Allow only required ports (specific or application-default)
- Allow only specific applications for Internet outbound traffic
- Allow only specific URL categories for web-based Internet outbound traffic
- Block the download of high-risk file types
- Limit security policies to specific source and destination IP addresses or subnets
- Delete wide-open Internet access rules

Internal Traffic
- Lock down the dedicated Security Profile Group for traffic between internal networks
- Limit security policies to specific source and/or destination IP addresses or networks

Zero Trust
- Move Internet-facing applications into a dedicated DMZ
- Move the most business-critical applications into a dedicated zone on the firewall
- Move all data centre applications into dedicated zones on the firewall


Monitoring and Reporting

Logging
- Set all security policies to log traffic at the end of the session
- Forward all logs to Panorama

Threat Monitoring and Alerting
- Get immediately alerted on WildFire submissions (malware and grayware)
- Get immediately alerted on critical Correlation Events
- Daily report for DNS Sinkhole events
- Weekly Threat Report

Appropriate Usage Monitoring
- Identify sanctioned SaaS applications
- Weekly or monthly report on application and URL usage

System Monitoring
- Enable e-mail alerts for critical system logs

Per-task status columns (the column values were extracted separately from the task list and cannot be realigned to individual tasks): Reference (document section numbers, 2.1.2 to 4), Task Owner (Consigas, CSTR, or Consigas/CSTR), Security Impact and Service Impact (rated n/a, none, low, medium, or high), Risk, and Site A / Site B / Site C status (yes, no, or partially).
