Palo Alto Networks
Panorama Advanced (Managing PanOS)
"Advanced" means that the device management mode in SecureTrack is Advanced management.
- Dashboard Widgets
  - General (General overview of the system)
  - Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)
  - USP Compliance (The number of rules with violations, according to their severity level)
  - Audit (The number of rules with expired access or with access that will expire within the next month)
  - Recent Changes (Rules and devices with changes in the past 30 days)
- Browsers
  - Rule Viewer (see Rule Viewer)
  - Object Lookup (see Object Lookup)
  - USP Viewer (see USP Viewer)
  - USP Alert Manager Viewer (see USP Alerts Manager)
  - USP Exceptions Viewer (see USP Exceptions)
  - Changes (see Change Browser)
  - Cleanup (see Cleanup Browser)
  - Device Viewer (see Device Viewer)
- Change Management
  - Rule and Object Usage Report (Displays statistics for most-used, least-used, and unused rules and objects)
  - Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)
  - Display IPv6 objects
  - Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)
  - Change Window (see View and Update a Change Window)
  - Real-time Monitoring (Automatically fetches policy information from the device at regular intervals)
  - Accountability - Saved Revisions
  - Create SecureChange ticket from Rule Viewer for:
    - Rule Decommission (Removes selected rules from supported devices)
    - Rule Modification (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)
    - Rule Recertification (Used to document and verify the need for a rule)
- Policy Analysis
  - Automatic Policy Generation (APG) (Analyzes firewall logs to determine actual business practices, and creates an optimized rulebase that limits traffic allowance to traffic actually used in the organization)
- Topology
  - Static Topology
  - Dynamic Topology
  - Calculate impact of NAT rules
  - Calculate impact of VPN policies
Notes for Panorama Advanced
- Local PanOS firewall rules are not supported.
- Visibility for Dynamic Address Groups (DAGs) and Panorama Tags in View Policy, Rule Viewer, and Topology.
- Panorama 8 and earlier are no longer supported.
- If a rule on the Panorama device has Application = Any and Service = Application Default, TOS inaccurately considers the rule to be Service = Any. This limitation applies to all TOS calculations, such as shadowing, violations, matching rules, Verifier, and Designer.
PanOS Firewalls
- Dashboard Widgets
  - General (General overview of the system)
  - Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)
  - USP Compliance (The number of rules with violations, according to their severity level)
  - Audit (The number of rules with expired access or with access that will expire within the next month)
  - Recent Changes (Rules and devices with changes in the past 30 days)
- Browsers
  - Rule Viewer (see Rule Viewer)
  - Object Lookup (see Object Lookup)
  - USP Viewer (see USP Viewer)
  - USP Alert Manager Viewer (see USP Alerts Manager)
  - USP Exceptions Viewer (see USP Exceptions)
  - Changes (see Change Browser)
  - Cleanup (see Cleanup Browser)
  - Device Viewer (see Device Viewer)
- Change Management
  - Rule and Object Usage Report (Displays statistics for most-used, least-used, and unused rules and objects)
  - Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)
  - Display IPv6 objects
  - Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)
  - Real-time Monitoring (Automatically fetches policy information from the device at regular intervals)
  - Accountability - Saved Revisions
  - Create SecureChange ticket from Rule Viewer for:
    - Rule Decommission (Removes selected rules from supported devices)
    - Rule Recertification (Used to document and verify the need for a rule)
- Policy Analysis
  - Automatic Policy Generation (APG) (Analyzes firewall logs to determine actual business practices, and creates an optimized rulebase that limits traffic allowance to traffic actually used in the organization)
- Topology
  - Static Topology
Notes for PanOS Firewalls
- Real-time monitoring uses syslogs.
- APG does not recognize Palo Alto users and applications.
- Accountability is supported when changes are made directly to a firewall.
Prisma Access Policies (managed by Panorama)
- Dashboard Widgets
  - General (General overview of the system)
  - Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)
  - Audit (The number of rules with expired access or with access that will expire within the next month)
  - Recent Changes (Rules and devices with changes in the past 30 days)
- Browsers
  - Rule Viewer (see Rule Viewer)
  - Object Lookup (see Object Lookup)
  - Changes (see Change Browser)
  - Cleanup (see Cleanup Browser)
  - Device Viewer (see Device Viewer)
- Change Management
  - Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)
  - Display IPv6 objects
  - Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)
  - Change Window (see View and Update a Change Window)
  - Real-time Monitoring (Automatically fetches policy information from the device at regular intervals)
  - Create SecureChange ticket from Rule Viewer for:
    - Rule Decommission (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)
    - Rule Modification (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)
    - Rule Recertification (Used to document and verify the need for a rule)
Notes for Prisma Access Policies
- TOS Aurora supports Prisma Access Remote Networks Device Groups (DGs) and Mobile Users DGs, which you can import. You can also import Prisma Access Service Connection DGs to TOS Aurora; however, TOS Aurora does not provide support for them.