Panorama fills some gaps for us
August 09, 2018
Panorama fills some gaps for us
Sr. Systems Analyst (Team Lead)
CelaneseChemicals, 5001-10,000 employees
Score 8 out of 10
Overall Satisfaction with Palo Alto Panorama
We use Panorama to manage firewalls internally. Management of devices is only done with IT staff. OT staff have some auditing capabilities. We use Panorama's Device Grouping to be able to manage different types of firewalls in the organization, as well as common security requirements with the different types of firewalls.
- Being able to create common rules that can be maintained on multiple firewalls is very beneficial to our management of the different functional needs of the firewalls.
- Using templates to manage regional requirements is helpful for rolling out changes in the networking side, from user managemnet globally to SEIM/Syslog collection regionally, being able to stack templates helps deliver the necessary changes across multiple firewalls.
- Panorama's Dashboard and ACC provides useful information that can be set to see All firewalls, or just certain groups of firewalls. Since each group of firewalls has different applications running through them, being able to isolate one group at a time helps identify if there are errant devices causing unexpected traffic, and what type of traffic it is.
- The ability to push out OS updates could be improved in Panorama. It has the abilities, but the use is not intuitive, to the point that we generally connect directly to the firewalls to download the OS updates directly.
- Scheduling. It would be nice to be able to schedule jobs to run at certain times. Pushing out updates, like OS updates mentioned above, can require significant bandwidth. So being able to schedule that work for hours that would not directly affect the users would be a welcome addition.
- The list of devices in the Templates tabs should be sorted the same way that he devices are grouped in the Device Group tab, rather than just alphabetical. If there was a way to chose the order of the devices, maybe by tag, that would work as well.
- Overall, it has reduced the time that our administrators have had to spend managing firewall configurations. While we used Cisco CSM previous to migrating to Palo Alto Panorama, it was not as robust with its capabilities to manage groups of devices.
- One big advantage that we have seen is the reduction in the amount of time it takes to roll out a new firewall installation. With the grouping of firewalls, the majority of the configuration is in place and only new objects and site specific requirements need to be added. This significantly decreased time to go live for new sites.
Prior to the installation of Palo Alto firewalls, we were using Cisco CSM to manage Cisco ASA firewalls. In my review I mention some limitaitons that we saw with CSM compared to Panorama. The biggest things were the management of common requirements; network, policy, objects, etc. Things that need to go to a groups of, or all of, the firewalls were not handled well in CSM. So each change of groups of servers, like Active Directory servers would require changes on the firewalls individually, with Panorama, we can make one change and push it out to as many firewalls as that change affects and it will not push to those firewalls not using the object, policy or other that was changed.
Palo Alto Panorama does well in our environment, where we have specific requirements for different groups of firewalls. Whether by region and/or function, overall Panorama does a very good job of being able to leverage commonalities and push changes to multiple groups of firewalls.Panorama is not a monitoring system. It does monitor things like sync status, and whether the devices are accessible, but it cannot be confused with an active monitoring system, so it is not an all in one solution. Also, as mentioned in my cons, there is no capability for scheduling jobs, to work around bandwidth limitations.
Using Palo Alto Panorama
IT Firewall Team - Manage the devices with Panorama
IT Strategy Team - Read only view of devices for base when testing in lab
IT Security Team - Read only audit of all firewalls
OT Management Team - Read only audit of firewalls in the OT group
3 - All support is privided by the IT Firewall Team. The team manages the devices and coaches the other teams on how to get the information they need out of Panorama.
- Manage the devices by the IT Firewall Team
- Audit policies for accuracy by the IT Security Team
- Audit policy changes on the OT related devices by the OT Management Team
- Common policies and network settings. It is not really innovative, but it is a huge timesaver without affecting the security of the devices.
- Backing up the running configurations on all of the firewalls into one repository. Again, not innovative, but has been very useful.
- The use of the Managed Devices view to make sure that all of the firewalls are getting the updates sent, rather than having to review every set of responses, you can use this view to pinpoint the devices that had issues and then look at the responce information to make corrections as necessary.
- We are not currently using the VPN (Global Connect) capabilities, but do see that in the future. Panorama should give us the ability to manage regional VPN gateways with common rules and requirements.
- Enhance our threat protection. That is on the devices and not Panorama, but is managed by Panorama.
Panorama has given us much more than we expected and the support for the product, by Palo Alto Networks has been great. We would like to see some improvements that I mentioned in another review, like scheduling changes, but overall Panorama has provided a very capable product and we are very happy with it.
Using Palo Alto Panorama
My biggest issue is not being able to schedule changes or software pushes, other than that the software is very easy to use after using it for a short period of time.
Like to use
Easy to use
Technical support not required
Quick to learn
Feel confident using
- Common rule changes on a group of firewalls using shared objects.
- Generating the initial template for configuring a new firewall.
- Looking for common traffic from multiple firewalls in a common place.