Palo Alto Networks

Panorama Advanced (Managing PanOS)

Advanced means that the device management mode in SecureTrack is Advanced management.

Dashboard Widgets

General (General overview of the system)

Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)

USP Compliance (The number of rules with violations, according to their severity level)

Audit (The number of rules whose access has expired or will expire within the next month)

Recent Changes (Rules and devices with changes in the past 30 days)

Browsers

Rule Viewer (see Rule Viewer)

Object Lookup (see Object Lookup)

USP Viewer (see USP Viewer)

USP Alert Manager Viewer (see USP Alerts Manager)

USP Exceptions Viewer (see USP Exceptions)

Changes (see Change Browser)

Cleanup (see Cleanup Browser)

Device Viewer (see Device Viewer)

Change Management

Rule and Object Usage Report (Displays statistics for most-used, least-used, and unused rules and objects)

Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)

Display IPv6 objects

Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)

Change Window (see View and Update a Change Window)

Real-time Monitoring (Regularly and automatically fetches policy information from the device)

Accountability - Saved Revisions

Create SecureChange ticket from Rule Viewer for:

  • Rule Decommission (Removes selected rules from supported devices)

  • Rule Modification (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)

  • Rule Recertification (Used to document and verify the need for a rule)

Policy Analysis

Automatic Policy Generation (APG) (Analyzes firewall logs to determine actual business practices, and creates an optimized rulebase that limits traffic allowance to traffic actually used in the organization)

Topology

Static Topology

Dynamic Topology

Calculate impact of NAT rules

Calculate impact of VPN policies

Notes for Panorama Advanced

  • Local PanOS firewall rules are not supported.

  • Visibility for Dynamic Address Groups (DAGs) and Panorama Tags in View Policy, Rule Viewer, and Topology.

  • Panorama 8 and earlier is no longer supported.

  • If a rule on the Panorama device has Application = Any and Service = Application Default, TOS inaccurately considers the rule to be Service = Any. This limitation applies to all TOS calculations, such as shadowing, violations, matching rules, Verifier and Designer.

PanOS Firewalls

Dashboard Widgets

General (General overview of the system)

Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)

USP Compliance (The number of rules with violations, according to their severity level)

Audit (The number of rules whose access has expired or will expire within the next month)

Recent Changes (Rules and devices with changes in the past 30 days)

Browsers

Rule Viewer (see Rule Viewer)

Object Lookup (see Object Lookup)

USP Viewer (see USP Viewer)

USP Alert Manager Viewer (see USP Alerts Manager)

USP Exceptions Viewer (see USP Exceptions)

Changes (see Change Browser)

Cleanup (see Cleanup Browser)

Device Viewer (see Device Viewer)

Change Management

Rule and Object Usage Report (Displays statistics for most-used, least-used, and unused rules and objects)

Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)

Display IPv6 objects

Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)

Real-time Monitoring (Regularly and automatically fetches policy information from the device)

Accountability - Saved Revisions

Create SecureChange ticket from Rule Viewer for:

  • Rule Decommission (Removes selected rules from supported devices)

  • Rule Recertification (Used to document and verify the need for a rule)

Policy Analysis

Automatic Policy Generation (APG) (Analyzes firewall logs to determine actual business practices, and creates an optimized rulebase that limits traffic allowance to traffic actually used in the organization)

Topology

Static Topology

Notes for PanOS Firewalls

  • Real-time monitoring uses syslogs.

  • APG does not recognize Palo Alto users and applications.

  • Accountability is supported when changes are made directly to a firewall.

Prisma Access Policies (managed by Panorama)

Dashboard Widgets

General (General overview of the system)

Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)

Audit (The number of rules whose access has expired or will expire within the next month)

Recent Changes (Rules and devices with changes in the past 30 days)

Browsers

Rule Viewer (see Rule Viewer)

Object Lookup (see Object Lookup)

Changes (see Change Browser)

Cleanup (see Cleanup Browser)

Device Viewer (see Device Viewer)

Change Management

Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)

Display IPv6 objects

Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)

Change Window (see View and Update a Change Window)

Real-time Monitoring (Regularly and automatically fetches policy information from the device)

Create SecureChange ticket from Rule Viewer for:

  • Rule Decommission (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)

  • Rule Modification (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)

  • Rule Recertification (Used to document and verify the need for a rule)

Notes for Prisma Access Policies

  • TOS Aurora supports Prisma Access Remote Networks Device Groups (DGs) and Mobile Users DGs, which you can import. You can also import Prisma Access Service Connection DGs to TOS Aurora; however, TOS Aurora does not provide support for them.