This blog will showcase 5 Palo Alto Networks tools that will make your daily life easier.
Expedition is the fourth evolution of the Palo Alto Networks Migration Tool. Although the purpose of this tool is to help migrate a configuration from another vendor to Palo Alto Networks XML, it can also be used for numerous daily operational tasks.
This tool is very powerful and can help immensely in the daily, weekly, monthly, or yearly clean-up of your rule base. However, with great power comes great responsibility: used incorrectly, it can also break your configuration.
Please contact Orange Cyberdefense to help you get the most out of this awesome tool.
The tool can be downloaded for free on the Palo Alto Networks Live platform.
PAN-Configurator is a PHP library aimed at making PAN-OS config changes easy. It may seem a little complex compared to the GUI-based approach of the Palo Alto Networks platform, but the commands are straightforward, and the documentation provides some examples to get you started.
The tool can be used to manage large rule bases, execute complex rule merges, track unused objects, and perform other actions which are not directly offered by the standard GUI. In that sense, it is very similar to the Expedition tool described above; however, the CLI nature might appeal to some audiences and grants you additional flexibility.
The tool comes as a free download at GitHub.
More information can be found on the Palo Alto Networks Live platform.
The Best Practice Assessment (BPA) tool, created by Palo Alto Networks, evaluates a device’s configuration by measuring the adoption of capabilities, validating whether the policies adhere to best practices, and providing recommendations and instructions for how to remediate failed best practice checks. The tool performs more than 200 security checks on a firewall or Panorama configuration and provides a pass/fail score for each check.
The BPA is easy to use and provides an instant report.
Please note that best practices always depend on a customer’s environment. The results should always be interpreted by an experienced engineer. The tool is fast, easy to use, and provides an excellent starting point for a more secure and, above all, consistent configuration.
Upload config files to the BPA tool at the Palo Alto Customer Success portal.
Find out how Orange Cyberdefense can help you interpret the output and assist you in implementing the proposed changes here: Orange Cyberdefense full BPA.
MineMeld is an open-source application that streamlines the aggregation, enforcement, and sharing of threat intelligence.
The tool consists of three components: miners, which extract lists of indicators (of compromise) from known sources; aggregators, which manipulate these lists to include, exclude or merge objects; and outputs, which provide a list the Palo Alto Networks firewall can consume through external dynamic lists (or dynamic address groups).
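The miner / aggregator / output split is easiest to see in code. The following added example (written for this post; it is not MineMeld's code) builds that pipeline in miniature: two constructed feeds stand in for what miners would fetch, the aggregator merges them and strips anything inside an exclusion list, and the output renders the plain-text format an IP-type external dynamic list expects, one entry per line.

```python
# Added example: a toy miner -> aggregator -> output pipeline in the style of
# MineMeld. It is not MineMeld's code; the two feeds are constructed inline,
# where a real miner would fetch them from a threat-intelligence source.
import ipaddress

# Constructed feeds as a miner would receive them (one indicator per line,
# comments and blank lines allowed). Deliberately includes a duplicate, an
# invalid entry and an RFC 1918 address that must never reach the firewall.
FEED_A = """# constructed feed A
203.0.113.10
198.51.100.0/24
not-an-ip
"""
FEED_B = """# constructed feed B
203.0.113.10
192.168.1.5
2001:db8::/32
"""

# Private ranges are excluded so a poisoned or sloppy feed cannot end up
# blocking internal hosts once the list is referenced by a security rule.
PRIVATE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def mine(feed_text):
    """Miner: parse raw feed text into validated IP networks, dropping junk."""
    nets = set()
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # a real miner would log the rejected indicator
    return nets


def aggregate(*indicator_sets, exclude=()):
    """Aggregator: merge the miners' output and drop anything in the exclude list."""
    merged = set().union(*indicator_sets)
    excluded = [ipaddress.ip_network(e) for e in exclude]
    return {
        n for n in merged
        if not any(n.subnet_of(e) for e in excluded if e.version == n.version)
    }


def render_edl(indicators):
    """Output: one entry per line, hosts bare and networks in CIDR, v4 before v6."""
    ordered = sorted(indicators, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    lines = [
        str(n.network_address) if n.prefixlen == n.max_prefixlen else n.with_prefixlen
        for n in ordered
    ]
    return "\n".join(lines) + "\n"


def build_feed():
    """The whole pipeline: mine both feeds, aggregate, render as an EDL."""
    return render_edl(aggregate(mine(FEED_A), mine(FEED_B), exclude=PRIVATE))


if __name__ == "__main__":
    print(build_feed(), end="")
```

Serving the resulting text over HTTPS is all a firewall needs to pull it as an external dynamic list; the exclusion step is the part worth keeping even in a throwaway script, because an indicator list that reaches a block rule is effectively policy.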
MineMeld is a great tool for SOC-based operations and can help with automating some daily (NOC) tasks.
MineMeld comes ready to deploy on Azure, AWS, VMware or Ubuntu. More information and documentation are available on the Palo Alto Networks Live Community, and the source is also on GitHub.
Technically not really a tool, “load config partial” is a command that can be used via the CLI. It provides a quick and safe way for copying or merging different firewall configurations.
The XML export of a Palo Alto Networks firewall or Panorama appliance can be edited using any text editor, but blindly copying and pasting XML parts can and will lead to mistakes.
Using the CLI, you can merge configurations with ease. Upload the XML configuration of any firewall: this includes other device models or a Panorama config. You can then choose to merge all the address objects, interfaces, GlobalProtect configuration and so on into your current candidate config. After a review using the GUI, you can commit your changes. The load config partial command validates the configuration to make sure the XML remains valid.
Another practical use case is moving objects between device groups or templates in a Panorama environment.
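The following added example (written for this post, not the firewall's implementation of the command) shows in Python what the copy-and-validate step amounts to: take a subtree from one export at a given XPath, place it under the matching XPath in the candidate config, and refuse to run if either path does not resolve. Both configs are constructed inline; the function name, the decision to skip rather than overwrite same-named entries, and the returned added/skipped lists are choices made for the example, so the reviewer can see a conflict before committing instead of silently losing the target's definition.

```python
# Added example: a Python approximation of copying one subtree of a PAN-OS XML
# export into another at a given XPath, in the spirit of load config partial.
# This is not the firewall's implementation; both configs are constructed inline.
import copy
import xml.etree.ElementTree as ET

VSYS = "./devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"

# Constructed: the candidate config on the target firewall.
TARGET_XML = """<config>
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <address>
   <entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
  </address>
 </entry></vsys></entry></devices>
</config>"""

# Constructed: an export from another firewall to copy address objects from.
# Note that "web-srv" already exists on the target with a different address.
SOURCE_XML = """<config>
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <address>
   <entry name="web-srv"><ip-netmask>10.9.9.9/32</ip-netmask></entry>
   <entry name="dns-srv"><ip-netmask>10.1.1.53/32</ip-netmask></entry>
  </address>
 </entry></vsys></entry></devices>
</config>"""


def load_partial(target_xml, source_xml, from_xpath, to_xpath):
    """Copy the <entry> children under from_xpath in source to to_xpath in target.

    Returns (merged_xml, added_names, skipped_names). Entries whose name already
    exists in the target are skipped rather than overwritten (a choice made for
    this example) so the conflict is visible to the reviewer before a commit.
    """
    target = ET.fromstring(target_xml)
    source = ET.fromstring(source_xml)
    src_node = source.find(from_xpath)
    dst_node = target.find(to_xpath)
    if src_node is None or dst_node is None:
        # Refuse to proceed when either path does not exist, instead of creating
        # a dangling subtree somewhere the firewall will reject at commit time.
        raise ValueError("from-xpath or to-xpath does not exist in the given config")
    existing = {e.get("name") for e in dst_node.findall("entry")}
    added, skipped = [], []
    for entry in src_node.findall("entry"):
        name = entry.get("name")
        if name in existing:
            skipped.append(name)
            continue
        dst_node.append(copy.deepcopy(entry))
        added.append(name)
    return ET.tostring(target, encoding="unicode"), added, skipped


if __name__ == "__main__":
    merged, added, skipped = load_partial(
        TARGET_XML, SOURCE_XML, VSYS + "/address", VSYS + "/address"
    )
    print("added:", added, "skipped:", skipped)
    print(merged)
```

The same function moves objects between two Panorama device groups by giving it a from-xpath under one device group and a to-xpath under another, which is exactly the use case above; the path check is what stops a typo in either XPath from quietly producing an invalid candidate config.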
More information about the command and its parameters can be found here.