Palo Alto Networks

Panorama Advanced (Managing PanOS)

Advanced means device management mode in SecureTrack is Advanced management

Dashboard Widgets

General (General overview of the system)

Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)

USP Compliance (The number of rules with violations, according to their severity level)

Audit (The number of rules with expired access or will have access expire within the next month)

Recent Changes (Rules and devices with changes in the past 30 days)

Browsers

Rule Viewer (see Rule Viewer)

Object Lookup (See Object Lookup)

USP Viewer (see USP Viewer)

USP Alert Manager Viewer (see USP Alerts Manager)

USP Exceptions Viewer (see USP Exceptions)

Changes (see Change Browser)

Cleanup (see Cleanup Browser)

Device Viewer (see Device Viewer)

Change Management

Rule and Object Usage Report (Displays statistics for most-used, least-used, and unused rules and objects)

Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)

Display IPv6 objects

Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)

Change Window (see View and Update a Change Window)

Real-time Monitoring (Regularly automatically fetches policy information from the device)

Accountability - Saved Revisions

Create SecureChange ticket from Rule Viewer for:

  • Rule Decommission (Removes selected rules from supported devices)

  • Rule Modification (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)

  • Rule Recertification(Used to document and verify the need for a rule)

Policy Analysis

Automatic Policy Generation (APG) (Analyzes firewall logs to determine actual business practices, and creates an optimized rulebase that limits traffic allowance to traffic actually used in the organization)

Topology

Static Topology

Dynamic Topology

Calculate impact of NAT rules

Calculate impact of VPN policies

User Identity

Notes for Panorama Advanced

  • Local PanOS firewall rules are not supported.

  • Visibility for Dynamic Address Groups (DAGs) and Panorama Tags in View Policy, Rule Viewer, Topology.

  • TOS Aurora supports Panorama DAG objects with AND and OR conditions, including using parentheses. For example: ('DATACENTER' or 'DATACENTER-CLIENT' or 'DATACENTER-HYBRID') and ('DATACENTER-HQ') Other complex conditions are not supported.

  • In SecureTrack, there is visibility for FQDNs in security rules and change tracking, assessment, path analysis, and matching rules.

  • Panorama 8 and earlier is no longer supported.

  • Customers that use PAN DAG objects with criteria that match NSX-T Security Groups in their Panorama security policies can troubleshoot network connectivity and automate changes based on these objects' traffic.

  • PAN DAG objects with circular tagging are supported.

  • Customers that use PAN DAG objects with criteria that match ACI EPGs in their Panorama security policies can troubleshoot network connectivity and automate changes based on the traffic from these objects.

    • The requirements for TOS Aurora to support this capability are:

      • The Cisco ACI device needs to be monitored by TOS Aurora.

      • Reestablish a connection between the ACI and the Panorama device.

      • Retrieve a revision from the Panorama device.

      • TOS Aurora supports PAN DAG- based ACI tags only when the integration for APIC to Panorama is based on IPs.

      • The APIC IPs defined in Panorama must match the IPs that TOS Aurora monitors for the ACI devices.

    • For PAN DAG with ACI match criteria, TOS Aurora also considers the bridge domain IPs for the associated ACI EPGs.

    • TOS can monitor multiple ACI devices connected to a Panorama device.

    • Violation is not supported for Panorama rules with DAG objects associated with ACI EPGs.

  • If a rule on the Panorama device has Application = Any and Service = Application Default, TOS inaccurately considers the rule to be Service = Any. This limitation applies to all TOS calculations, such as shadowing, violations, matching rules, Verifier and Designer.

PanOS Firewalls

Dashboard Widgets

General (General overview of the system)

Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)

USP Compliance (The number of rules with violations, according to their severity level)

Audit (The number of rules with expired access or will have access expire within the next month)

Recent Changes (Rules and devices with changes in the past 30 days)

Browsers

Rule Viewer (see Rule Viewer)

Object Lookup (See Object Lookup)

USP Viewer (see USP Viewer)

USP Alert Manager Viewer (see USP Alerts Manager)

USP Exceptions Viewer (see USP Exceptions)

Changes (see Change Browser)

Cleanup (see Cleanup Browser)

Device Viewer (see Device Viewer)

Change Management

Rule and Object Usage Report (Displays statistics for most-used, least-used, and unused rules and objects)

Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)

Display IPv6 objects

Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)

Real-time Monitoring (Regularly automatically fetches policy information from the device)

Accountability - Saved Revisions

Create SecureChange ticket from Rule Viewer for:

  • Rule Decommission (Removes selected rules from supported devices)

  • Rule Recertification(Used to document and verify the need for a rule)

Policy Analysis

Automatic Policy Generation (APG) (Analyzes firewall logs to determine actual business practices, and creates an optimized rulebase that limits traffic allowance to traffic actually used in the organization)

Topology

Static Topology

Notes for PanOS Firewalls

  • Real-time monitoring uses syslogs.
  • APG does not recognize Palo Alto users and applications.
  • Accountability is supported when changes are made directly to a firewall.

Prisma Access Policies (managed by Panorama)

Dashboard Widgets

General (General overview of the system)

Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)

Audit (The number of rules with expired access or will have access expire within the next month)

Recent Changes (Rules and devices with changes in the past 30 days)

Browsers

Rule Viewer (see Rule Viewer)

Object Lookup (See Object Lookup)

Changes (see Change Browser)

Cleanup (see Cleanup Browser)

Device Viewer (see Device Viewer)

Change Management

Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)

Display IPv6 objects

Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)

Change Window (see View and Update a Change Window)

Real-time Monitoring (Regularly automatically fetches policy information from the device)

Create SecureChange ticket from Rule Viewer for:

  • Rule Decommission (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)

  • Rule Modification (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)

  • Rule Recertification(Used to document and verify the need for a rule)

Notes for Prisma Access Policies

  • Retrieving the Prisma Access Service IP is not supported for Service Connections. We recommend that you configure it manually, with a generic VPN connection, in the Interactive Map.

  • TOS Aurora supports Prisma Access Remote Networks Device Groups (DGs) and Mobile Users DGs, which you can import. You can also import Prisma Access Service Connection nodes to TOS Aurora.

  • You can import RN-SPNs, MU-SPNs, and SC-CANs to TOS and see their topology data. TOS Aurora supports change automation for these Prisma nodes with topology mode ON and provisioning. TOS Aurora does not support commit action to Panorama with Prisma Access.

  • For intrazone-default rules for Prisma Access DGs, TOS Aurora shows and considers these rules as Deny action, although they appear with Allow action in Panorama. All zones within the Prisma Access cloud are trusted. If this rule were in place, traffic among all gateways, portals, RN-SPNs, and SC-CANs would be allowed as part of the cleanup rules.

  • Prisma rule usage is not supported for Prisma traffic.

  • TOS Aurora supports Prisma from Panorama 9 and later.

  • Prisma multi-tenancy is not supported.

  • Prisma topology and automation-related capabilities support with enhanced performance mode. See Panorama Performance Mode.