Overall Satisfaction with Palo Alto Panorama
We use Panorama to manage firewalls internally. Management of devices is only done with IT staff. OT staff have some auditing capabilities. We use Panorama's Device Grouping to be able to manage different types of firewalls in the organization, as well as common security requirements with the different types of firewalls.
- Being able to create common rules that can be maintained on multiple firewalls is very beneficial to our management of the different functional needs of the firewalls.
- Using templates to manage regional requirements is helpful for rolling out changes in the networking side, from user management globally to SIEM/Syslog collection regionally. Being able to stack templates helps deliver the necessary changes across multiple firewalls.
- Panorama's Dashboard and ACC provide useful information that can be set to see all firewalls, or just certain groups of firewalls. Since each group of firewalls has different applications running through them, being able to isolate one group at a time helps identify if there are errant devices causing unexpected traffic, and what type of traffic it is.
- The ability to push out OS updates could be improved in Panorama. It has the abilities, but the use is not intuitive, to the point that we generally connect directly to the firewalls to download the OS updates directly.
- Scheduling. It would be nice to be able to schedule jobs to run at certain times. Pushing out updates, like OS updates mentioned above, can require significant bandwidth. So being able to schedule that work for hours that would not directly affect the users would be a welcome addition.
- The list of devices in the Templates tabs should be sorted the same way that the devices are grouped in the Device Group tab, rather than just alphabetical. If there was a way to choose the order of the devices, maybe by tag, that would work as well.
- Overall, it has reduced the time that our administrators have had to spend managing firewall configurations. While we used Cisco CSM previous to migrating to Palo Alto Panorama, it was not as robust with its capabilities to manage groups of devices.
- One big advantage that we have seen is the reduction in the amount of time it takes to roll out a new firewall installation. With the grouping of firewalls, the majority of the configuration is in place and only new objects and site specific requirements need to be added. This significantly decreased time to go live for new sites.
Prior to the installation of Palo Alto firewalls, we were using Cisco CSM to manage Cisco ASA firewalls. In my review I mention some limitations that we saw with CSM compared to Panorama. The biggest things were the management of common requirements: network, policy, objects, etc. Things that need to go to a group of, or all of, the firewalls were not handled well in CSM. So each change of groups of servers, like Active Directory servers, would require changes on the firewalls individually. With Panorama, we can make one change and push it out to as many firewalls as that change affects, and it will not push to those firewalls not using the object, policy or other that was changed.
Using Palo Alto Panorama
8 -
IT Firewall Team - Manage the devices with Panorama
IT Strategy Team - Read only view of devices for base when testing in lab
IT Security Team - Read only audit of all firewalls
OT Management Team - Read only audit of firewalls in the OT group
3 - All support is provided by the IT Firewall Team. The team manages the devices and coaches the other teams on how to get the information they need out of Panorama.
- Manage the devices by the IT Firewall Team
- Audit policies for accuracy by the IT Security Team
- Audit policy changes on the OT related devices by the OT Management Team
- Common policies and network settings. It is not really innovative, but it is a huge timesaver without affecting the security of the devices.
- Backing up the running configurations on all of the firewalls into one repository. Again, not innovative, but has been very useful.
- The use of the Managed Devices view to make sure that all of the firewalls are getting the updates sent. Rather than having to review every set of responses, you can use this view to pinpoint the devices that had issues and then look at the response information to make corrections as necessary.
- We are not currently using the VPN (Global Connect) capabilities, but do see that in the future. Panorama should give us the ability to manage regional VPN gateways with common rules and requirements.
- Enhance our threat protection. That is on the devices and not Panorama, but is managed by Panorama.
Using Palo Alto Panorama
Pros | Cons |
---|---|
Like to use; Relatively simple; Easy to use; Technical support not required; Well integrated; Consistent; Quick to learn; Convenient; Feel confident using; Familiar | None |
- Common rule changes on a group of firewalls using shared objects.
- Generating the initial template for configuring a new firewall.
- Looking for common traffic from multiple firewalls in a common place.
- Pushing out upgrades to OS.
- Common certificate management.
Yes - I do not believe that Panorama has a mobile interface, but I have run Panorama on my phone browser successfully many times.