Palo Alto

Panorama Advanced (managing PanOS)

Advanced means device management mode in SecureTrack is Advanced management

Access Requests: Manual target selection; Device object selection; User Identity (LDAP groups in source)
Modify Group: Designer; Provisioning + Committing; Provisioning + Committing in automatic step; Create/modify group
Add Access: Risk Analysis; Designer; Provisioning + Committing; Provisioning + Committing in automatic step; VerifierAuthorization and documentationAuto close
Remove Access: Auto close; Verifier (only in topology mode); Provisioning in automatic step; Provisioning; Designer
Decommission Network Object: Impact Analysis; Designer; Provisioning + Committing; Verifier; Authorization and documentation
Clone Network Object Policy: Designer; Provisioning (or) Provisioning and Committing; Verifier
Rule Decommission: Designer; Provisioning + Committing; Provisioning + Committing in automatic step; Verifier Authorization and documentation; Auto close
Rule Modification: Device object selection (object browser)Provisioning + Committing; Provisioning + Committing in automatic step
Rule Recertification: Update metadata

Notes for Panorama Advanced:

Access Request supports full Next-Generation Firewall (NGFW) capabilities, including Tags, AppID, Custom AppID, UserID, Dynamic Address Groups (DAGs), Security Profile Group (ContentID) and Log Forwarding profiles.

Custom AppID’s are not supported for SecureApp
Unique names are required for Custom AppID’s. If there are multiple Custom Apps with the same name (not case sensitive), same domain, and different services or values, they will not appear in the application list.
For Custom AppIDs with no services, if the app is being run on a Panorama device that does not have that app, Designer will view the Custom AppID as having ANY services.
TOS Aurora can create new DAGs with ACI tags (EPGs) or NSX-T Security Groups as match criteria.
You can define the default for Security Profile Group (ContentID) and Log Forwarding profiles in stconf. Once these profiles are set, Designer for Access Request will create new rules accordingly. For details, see Configuring Log Forwarding and Security Profile Groups.
You can customize Designer to add access in pre or post sections by configuring the default in stconf. For details, see Configuring Pre and Post Locations.

In SecureChange, you can leverage automation tools, such as target selection, Verifier, and Designer to automate access requests that contain FQDNs.
Rules on Panorama devices with ANY in the application column are treated as ANY by TOS, although Panorama treats them as 'Any predefined application'.
Access Request supports rule type for Designer and Verifier.
Access requests supports working with shared objects, this needs to be enabled in stconf. For details see Configuring Palo Alto Panorama for Shared Objects
Modify Group and Decommission Network Object supports shared groups/global objects.
Overriding objects are not supported for Decommission Network Object and Clone Network Object Policy. For Decommission Network Object, Designer suggests the implementation of manual changes.
New objects in a Rule Modification workflow can only be created on the policy where the rule is located. It is not possible to create a global object in a hierarchical environment and add the object to a rule on a sibling policy.
For a Palo Alto Panorama device with several hierarchies in a Rule Modification workflow, if an object name exists in a lower Device Group (DG), Designer does not allow the creation of an object with the same name in a higher DG, even though Panorama does allow using the same object names in different hierarchies.
Rule modification supports provision and commit in auto-step.
Rules with "Any" selected are not supported.
For Panorama and Prisma Access devices, Designer does not create rules with multiple zones; it will create a rule for each zone.
Palo Alto Device Groups (DGs) that manage Palo Alto Cloud NGFW on Azure are now supported. This enables policy visibility in the Rule Viewer, comparing revisions, creating reports, automation, and provisioning. You can also understand risk mitigation, cleanup calculations, audit and compliance, and automate firewall change requests to Palo Alto Cloud NGFW on Azure DGs.
If a rule on the Panorama device has Application = Any and Service = Application Default, TOS inaccurately considers the rule to be Service = Any. This limitation applies to all TOS calculations, such as shadowing, violations, matching rules, Verifier and Designer.

Note: TOS Aurora does not support Palo Alto Cloud NGFW Gateways; only the Panorama DG that manages the Gateway is supported.

PanOS Firewalls

Access Requests: Manual target selection; Device object selection
Modify Group: Create/modify group
Add Access: Risk Analysis; Verifier; Authorization and documentation; Auto close
Remove Access: Verifier
Decommission Network Object: Impact Analysis; Verifier
Rule Recertification: Update metadata

Notes on PanOS Firewalls:

Designer does not create rules with multiple zones; it will create a rule for each zone.

Prisma Access Policies (managed by Panorama)

Access Requests: Manual target selection; Device object selection; User Identity (LDAP groups in source)
Modify Group: Designer; Provisioning; Provisioning; Create/modify group
Add Access: Risk Analysis; Designer; Provisioning; Provisioning; VerifierAuthorization and documentationAuto close
Remove Access: Auto closeVerifier (only in topology mode)
Decommission Network Object: Impact Analysis; Designer; Provisioning; Verifier; Authorization and documentation
Clone Network Object Policy: Designer; Provisioning; Verifier
Rule Decommission: Designer; Provisioning; Provisioning; Verifier Authorization and documentation; Auto close
Rule Modification: Device object selection (object browser)Provisioning; Provisioning
Rule Recertification: Update metadata

Notes for Prisma Access Policies

In Panorama Prisma Access, you can configure zone association. There are two zone categories in which you can configure zones, namely Trusted and Untrusted. It is a Palo Alto best practice to only assign a single zone to Trusted and a single zone to Untrusted and to use these zones across all security policies. This is called one-on-one zone mapping. In this case, TOS Aurora supports this mapping in all tools (for example, violations, shadowing, and Designer).

If, however, the zone definitions in Panorama Prisma Access are configured with more than one zone and multiple zones are used across security policies (violating Palo Alto best practices), TOS Aurora only supports this configuration as follows: TOS Aurora will utilize only the first Panorama zone, in alphanumeric order, for the Interactive Map map and Designer calculations for each corresponding Prisma Access zone. TOS Aurora does not support multiple zones for shadowing and violations.

For example:

Trusted: Zone-A, Zone-B, Zone-C.

Untrusted: Zone-D, Zone-E, Zone-F.

During an Access Request with the topology mode enabled and Prisma nodes designated as target devices, when a user initiates Designer calculations to enhance Prisma security policy, Tufin will consider only Zone-A and Zone-D for the creation of rules.