This blog will showcase 5 Palo Alto Networks tools that will make your daily life easier.

What?

Expedition is the fourth evolution of the Palo Alto Networks Migration Tool. Although the purpose of this tool is to help migrate a configuration from another vendor to Palo Alto Networks xml, it can also be used for numerous daily operational tasks.

This tool is very powerful and can help immensely in the daily, weekly, monthly, or yearly clean-up of your rule base. However: with great power comes great responsibility. If used incorrectly, this can also break your configuration.

Please contact Orange Cyberdefense to help you get the most out of this awesome tool.

Why?

• Perform “Multi Edits,” changing parts of multiple policies at once: set security profiles, change zones, add addresses…
• Rename your IP address objects based on DNS, resolving them into FQDNs.
• Clean up unused objects and services and merge duplicate values.

Where?

The tool can be downloaded for free on the Palo Alto Networks Live platform.

What?

PAN-Configurator is a PHP library aimed at making PANOS config changes easy. It may seem a little complex compared to the GUI-based approach of the Palo Alto Networks platform, but the commands are straightforward, and the documentation provides some examples to get you started.

The tool can be used to manage large rule bases, execute complex rule merges, track unused object and other actions which are not directly offered by the standard GUI. In that sense, it is very similar to the Expedition tool described above; however, the CLI nature might appeal to some audiences and does grant you some additional flexibilities.

Why?

• Add a security profile (group) to all security policies which match certain characteristics like Zone, Device, Tag… Example: Apply a stricter security profile to all policies which allow outbound web traffic.
• Find duplicate objects and replace or merge them.
• Tag rules and objects based on match criteria to create a more structured rule base or highlight unsecure policies which need reviewing.

Where?

The tool comes as a free download at GitHub.

More information can be found on the Palo Alto Networks Live platform.

Best Practice Assessment (BPA) Tool

What?

The Best Practice Assessment (BPA) tool, created by Palo Alto Networks, evaluates a device’s configuration by measuring the adoption of capabilities, validating whether the policies adhere to best practices, and providing recommendations and instructions for how to remediate failed best practice checks. The tool performs more than 200 security checks on a firewall or Panorama configuration and provides a pass/fail score for each check.

Why?

The BPA is easy to use and provides an instant report.

• Use it to (regularly) review existing customer’s configurations and pinpoint insecure policies.
• Use it as a checklist for new installation or after major upgrades, which include new security features.
• Evaluate which remarks are valid or which are not relevant for a specific environment.

Please note that best practices always depend on a customer’s environment. The results should always be interpreted by an experienced engineer. The tool is fast, easy to use, and provides an excellent starting point for a more secure and, above all, consistent configuration.

Where?

Upload config files to the BPA tool at the Palo Alto Customer Success portal.

Find out how Orange Cyberdefense can help you interpret the output and assist you in implementing the proposed changes here: Orange Cyberdefense full BPA.

What?

MineMeld is an open-source application that streamlines the aggregation, enforcement, and sharing of threat intelligence.

The tool consists of 3 components. Miners, which extract a list of indicators (of compromise) from known sources. Aggregators, which manipulate these lists to include, exclude or merge objects. And lastly, the output component, which provides a list readable by the Palo Alto Networks firewall using external dynamic lists (or dynamic address groups).

Why?

MineMeld is a great tool for SOC-based operations and can help with automating some daily (NOC) tasks.

• Track all IPs and URLs associated with Office365 and all its sub-components (Skype for Business, SharePoint Online, Yammer, …) to create specific URL filtering profiles or Policy-based Forwarding policies to route certain traffic.
• Use an existing file hosted on a SharePoint to populate URL allow and block lists. This provides fully managed customers the ability to control their own URL lists without the need for login credentials to the Palo Alto Networks firewalls.
• Increase the security of your appliance by leveraging external threat intelligence sources and creating block policies based on indicators of compromise (IOCs) seen in the wild.

Where?

MineMeld comes ready to deploy on Azure, AWS, VMware or Ubuntu. More information and documentation on the Palo Alto Networks Live Community. It is also obtainable on GitHub.