Legacy firewall rules are built around the Network (IP addresses) and Transport (ports) layers of the Open Systems Interconnection (OSI) model. During a phased migration, legacy rules are usually converted to Palo Alto rules with like-for-like functionality to reduce downtime and make the cutover predictable. One of the key strengths of Palo Alto firewalls, however, is the ability to enforce security policy at the Application layer (layer 7) via App-ID. Applications and application functions are identified through multiple techniques, including application signatures, decryption (where needed), protocol decoding, and heuristics. This more granular visibility reduces the burden on your SOC (Security Operations Center), shrinks your attack surface, and produces better results in penetration testing. Applied to specific applications, it also supports PCI DSS and GDPR compliance.
You have successfully migrated to a Palo Alto firewall as the first phase of your phased deployment. In the second phase you will use Palo Alto’s Migration Tool to streamline rule cleanup and conversion to application-based rules. After the firewall has been inline for at least two weeks you should have enough traffic log data to begin the conversion.
The Tools of the Trade
You will need to download Palo Alto’s migration tool as well as install VirtualBox or VMware Workstation Player to run it.
Once the migration tool is running on your VM software of choice, log in, update the tool, and connect it to your firewall.
Clone Rules and Match App-ID
As a best practice, to reduce disruption to production traffic and for quick reference, clone the existing legacy rules before using the migration tool’s application feature. If traffic fails to match the newly created application rule above it, the original legacy rule below still catches it, so nothing is dropped while you validate the new rule.
For each application identified from the syslogs, the migration tool checks whether the application was seen on its standard port. If it was, the tool changes the rule’s service to ‘application-default’; if not, it changes the service to ‘any’.
Any – This simply means all ports: 1-65535, TCP or UDP. The selected applications are allowed or denied on any protocol or port.
Application-Default – Choosing this means that the selected applications are allowed or denied only on their default ports defined by Palo Alto Networks. This option is recommended for allow policies because it prevents applications from running on unusual ports and protocols, which if not intentional, can be a sign of undesired application behavior and usage.
Use the firewall and Palo Alto’s Applipedia as references for the applications you are converting, to verify the expected enforcement behavior and to make accommodations where your environment runs an application on a non-standard port. A rule left at service ‘any’ should be treated as a flag to define a custom service for that port rather than as a finished rule.
Palo Alto Networks customers receive new and revised App-ID signatures through Dynamic Updates, for example when a vendor has changed its application since the signature was released. The firewall uses these updates to identify applications more accurately and enforce application rules. Palo Alto Networks publishes notice of each new Application and Threat Content Release in advance, listing what will change in that version so you can review it. It is best practice to run the latest application and threat content versions.
Reconcile Applications from Logs
Once you have reviewed the applications the migration tool identified through the log connector, reconcile each rule against its logs. This step adds the identified applications to the rule and sets the service to ‘application-default’ or ‘any’ based on the port(s) observed.
There will be times when the firewall identifies traffic only as unknown (for example unknown-tcp or unknown-udp), in which case a custom application or application override is needed for that traffic. Creating custom applications is out of scope for this lab, but the following guidance can help during your migration.
When the migration tool identifies an application as unknown, take the following actions:
- Attempt to identify the traffic and create a custom application for it (see Creating Custom Applications).
- If creating a custom application is not possible, migrate the unknown traffic as a split rule:
- Right-click the rule
- Choose ‘App-ID Adoption’ > ‘Split Rules Known/Unknown (Selection)’
- Place the split unknown rule after the migrated application rule but before the cloned legacy rule.
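The reconciliation logic described above (application-default versus ‘any’, splitting known from unknown traffic, keeping the cloned legacy rule last, and flagging rules with no log hits) is shown here as an added Python example. It is not code from Palo Alto’s Migration Tool. The legacy rules, the log records and the default-port table are all constructed for the example: the log records use a simplified subset of PAN-OS traffic log field names, and the default-port table is a hand-built stand-in for Applipedia that you would verify against your own firewall.

```python
"""Propose App-ID rules from legacy L4 rules plus traffic log records.

Added example, not Palo Alto's Migration Tool code. Log fields are a simplified
subset of PAN-OS traffic log fields; DEFAULT_PORTS is a hand-built stand-in for
Applipedia and must be checked against the firewall before use.
"""
from collections import defaultdict

# Assumption: stand-in for Applipedia "standard ports" (verify on your firewall).
DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "dns": {("udp", 53), ("tcp", 53)},
    "ssh": {("tcp", 22)},
    "ms-rdp": {("tcp", 3389)},
}

# Constructed legacy L4 rules: name -> list of "proto/port" services.
LEGACY_RULES = {
    "allow-web": ["tcp/80", "tcp/443", "tcp/8443"],
    "allow-admin": ["tcp/22", "tcp/3389"],
    "allow-old-ftp": ["tcp/21"],
}

# Constructed traffic log records (not real traffic): rule hit, app, proto, dport.
TRAFFIC_LOGS = [
    {"rule": "allow-web", "app": "web-browsing", "proto": "tcp", "dport": 80},
    {"rule": "allow-web", "app": "ssl", "proto": "tcp", "dport": 443},
    {"rule": "allow-web", "app": "ssl", "proto": "tcp", "dport": 8443},
    {"rule": "allow-web", "app": "unknown-tcp", "proto": "tcp", "dport": 8443},
    {"rule": "allow-admin", "app": "ssh", "proto": "tcp", "dport": 22},
    {"rule": "allow-admin", "app": "ms-rdp", "proto": "tcp", "dport": 3389},
]


def is_unknown(app):
    """unknown-tcp / unknown-udp / unknown-p2p mean App-ID could not classify."""
    return app.startswith("unknown-")


def reconcile(rule, services, logs, default_ports=DEFAULT_PORTS):
    """Return the proposed replacement rules for one legacy rule, in policy order."""
    hits = [rec for rec in logs if rec["rule"] == rule]
    if not hits:
        # 'No Match': confirm with Highlight Unused Rules, then disable, then remove.
        return {"rule": rule, "status": "no-match", "proposed": []}

    seen = defaultdict(set)  # app -> {(proto, dport), ...}
    for rec in hits:
        seen[rec["app"]].add((rec["proto"], rec["dport"]))

    known = sorted(a for a in seen if not is_unknown(a))
    unknown = sorted(a for a in seen if is_unknown(a))

    # Ports where a known app ran outside its default ports. An app missing
    # from the table is treated as entirely off-default (conservative).
    off_default = {a: sorted(seen[a] - default_ports.get(a, set())) for a in known}
    off_default = {a: ports for a, ports in off_default.items() if ports}

    proposed = []
    if known:
        proposed.append({
            "name": f"{rule}-app",
            "application": known,
            # Tool behaviour: application-default only if every hit was on a
            # default port; otherwise 'any'. Review 'any' and prefer a custom service.
            "service": "any" if off_default else "application-default",
        })
    if unknown:
        # Split Rules Known/Unknown: the unknown part keeps only the ports it used.
        proposed.append({
            "name": f"{rule}-unknown",
            "application": unknown,
            "service": sorted(f"{p}/{d}" for a in unknown for p, d in seen[a]),
        })
    # The cloned legacy rule stays last as the safety net until validation is done.
    proposed.append({"name": rule, "application": "any", "service": services,
                     "clone": True})
    return {"rule": rule, "status": "migrated", "proposed": proposed,
            "off_default": off_default}


def reconcile_all(rules=LEGACY_RULES, logs=TRAFFIC_LOGS):
    return [reconcile(name, svc, logs) for name, svc in rules.items()]


if __name__ == "__main__":
    import json
    print(json.dumps(reconcile_all(), indent=2))
```

In the constructed data, ssl is seen on tcp/8443 as well as tcp/443, so the ‘allow-web-app’ rule comes out with service ‘any’ and the off-default port is reported for follow-up; ‘allow-admin’ only saw default ports and gets ‘application-default’; ‘allow-old-ftp’ has no hits and is reported as a ‘no-match’ candidate for disabling.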
No Matches for Applications
When the migration tool returns ‘No Match’ for a rule, consider the following:
- The rule may simply not be receiving traffic. Rule hits can be checked quickly with the ‘Highlight Unused Rules’ check box on the firewall’s policy view.
- Run the report again on the firewall itself to confirm that the rule has no hits over the full collection period.
- Disable the rule as a first step; once it has been disabled long enough to confirm that nothing depended on it, remove it.
Uploading the App Configuration
Once you’ve worked through all rules, it is time to upload the new configuration and import it into the firewall.
Before App-ID Adoption
After cleanup and App-ID Adoption
Once all rules have been migrated from legacy rules to application rules, you will want to ensure that traffic passing through the firewall cannot evade your security policy. Review the Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions admin guide and verify that the additional controls it describes, including a DNS Proxy object, evasion signatures, File Blocking and Zone Protection profiles, are configured so that application policy is always enforced.
To read the full 15-page lab, use this link.
If you want to test this on your own and do not have access to a lab environment to do so, contact your Sun Management Account Rep to get pricing on a lab bundle. The newly released PA-220 and VM-50 appliances are excellent platforms for testing things such as this and there are specific part numbers for lab equipment that are more heavily discounted than the same appliance for use in production.
Sun Management is a Value Added Reseller (VAR) who focuses on Network and Internetwork Security Requirements. We focus in the Mid Atlantic area: Maryland (MD), Virginia (VA), District of Columbia (DC), West Virginia (WV), Delaware (DE) and Pennsylvania (PA). Our credentials include Palo Alto Networks Services Provider, Palo Alto Networks Certified Training Partner, and Palo Alto Networks Certified Managed Security Service Provider (MSSP) using CORTEX XSOAR in a multi-tenant environment.
We address requirements concerning Network Detection and Response (NDR); internal and external TLS and SSL requirements for complete data visibility; Endpoint Detection and Response (EDR); Gramm-Leach-Bliley Act, HIPAA, Sarbanes-Oxley and PCI DSS; penetration testing and firewall optimization; and Data Protection by tracking all data flows within the network, across applications, between users/servers and in the cloud. Contact us at (888) 773-9422 to set up a POC or if you just want more information.
Links
Palo Alto’s Migration Tool
VMware Workstation Player
Creating Custom Applications
Palo Alto Networks Best Practice