PSE-SoftwareFirewall Questions and Answers

Address Group:

Address groups in Palo Alto Networks firewalls allow for the grouping of multiple addresses or address objects. This capability enables the sharing of cloud-learned tags with on-premises firewalls, facilitating the consistent application of security policies across hybrid cloud environments.

App-ID is a feature that provides application-based segmentation and helps prevent lateral threat movement within a network. By identifying and controlling applications traversing the network regardless of port, protocol, or encryption (SSL or SSH), App-ID allows granular security policies to be applied, thereby limiting the spread of threats within the network.

References:

Palo Alto Networks App-ID Technology: App-ID

Palo Alto Networks Application and Threat Content: App-ID Overview

In Cisco ACI, traffic is directed to a Palo Alto Networks firewall by creating contracts between endpoint groups (EPGs) that send traffic to the firewall. These contracts define the policy for communication between EPGs, ensuring that traffic is inspected and secured by the firewall before reaching its destination.

References:

Cisco ACI and Palo Alto Networks Integration Guide: Contracts and Policies

Cisco ACI Fundamentals: ACI Contracts

For a customer deploying VM-Series firewalls in a private data center and concerned about protecting resources from malware and lateral movement, the following subscriptions are recommended:

Threat Prevention:This subscription provides comprehensive threat detection and prevention capabilities, including IPS, anti-virus, anti-spyware, and vulnerability protection.

WildFire:This advanced threat intelligence service analyzes suspicious files and identifies new malware, providing protection against zero-day exploits and threats.

References:

Palo Alto Networks Threat Prevention: Threat Prevention

Palo Alto Networks WildFire: WildFire

CN-Series for EKS Security:

The CN-Series firewalls are specifically designed to secure Kubernetes environments, such as Amazon EKS. Deploying them in a high availability (HA) pair ensures robust, fault-tolerant security for containerized workloads, providing continuous protection and high availability.

Software next-generation firewall (NGFW) credits can be used to enable DNS security on Palo Alto Networks firewalls. These credits allow customers to activate DNS Security service, which provides real-time protection against DNS-based threats by leveraging machine learning and continuous analysis.

References:

Palo Alto Networks DNS Security: DNS Security

Palo Alto Networks Licensing Guide: Software NGFW Credits

Consistent Security Across the Environment:

CN-Series firewalls are designed to provide security for containerized environments by protecting traffic between pods and other workload types. This ensures that security policies are consistently enforced across all elements of the environment, maintaining a unified security posture.

CN-Series for DevOps deployments:

The CN-Series firewall is specifically designed to secure containerized environments and is ideal for protecting extensive DevOps deployments. It integrates seamlessly with Kubernetes and other container orchestration platforms, providing the necessary security controls for DevOps processes.

The CN-Series firewalls are purpose-built for securing Kubernetes environments. They provide network security, visibility, and threat prevention specifically tailored to containerized applications and microservices running in Kubernetes.

Using the Heartbeat Backup:

The heartbeat backup is a mechanism that helps to prevent split-brain scenarios in a high availability (HA) configuration by providing an additional path for heartbeatcommunication. This ensures that both firewalls in the HA pair are aware of each other's status.

The VM-Series plugin supports integration with multiple public cloud platforms, including:

Amazon Web Services (AWS):The VM-Series firewalls can be deployed in AWS to provide comprehensive security for cloud applications and data, leveraging AWS's native services and integration capabilities.

Azure:The VM-Series firewalls also integrate with Microsoft Azure, offering advanced security features and policies for applications and data hosted in Azure's cloud environment.

References:

Palo Alto Networks VM-Series on AWS: VM-Series on AWS

Palo Alto Networks VM-Series on Azure: VM-Series on Azure

To integrate a Palo Alto Networks VM-Series firewall with Azure Orchestration, an API Key is required. The API Key is used to authenticate and authorize the firewall to interact with Azure services, enabling automated management and orchestration of security policies and configurations.

References:

Palo Alto Networks Integration with Azure: Azure Integration

Azure API Management:Azure API Key

Data-plane vCPU Licensing:

The CN-Series firewalls are licensed based on the number of data-plane vCPUs. This licensing model reflects the processing power dedicated to handling traffic and security enforcement within the containerized environment.

Visibility into application-level cluster traffic:

VM-Series firewalls and hardware firewalls that are external to the Kubernetes cluster lack the necessary visibility into the traffic and communications occurring at the application level within the cluster. This limitation impedes their ability to effectively protect containerized workloads.