
FUEL EDUCATION SERIES

PALO ALTO NETWORKS 101

TABLE OF CONTENTS

Fuel Education Series Palo Alto Networks 101
Reasons for Migration to a Palo Alto Networks Next-Generation Firewall
    Viruses, Exploits and Worms, Oh My!
    Distributed Environments
    The Threat from Within
    Practical Business Considerations
Building Your Migration Evaluation Dream Team
    Your Technology Team
    Include Operations
    Partners and Customers
Beginning an Evaluation
    Evaluate Your Current Firewall
        Perform a Policy Audit
        Understand Your Assets
        Define Improvement
        Reference Documents
    Build the Business Case
Evaluate Your Options
Make the Call
Countdown to Migration


REASONS FOR MIGRATION TO A PALO ALTO NETWORKS NEXT-GENERATION FIREWALL

Whether you’re looking to move away from your current firewall provider, to simplify and unify your cybersecurity
approach, or thinking about tomorrow’s risks today, there are a lot of reasons to consider taking advantage of
Next-Generation Firewall technology.
VIRUSES, EXPLOITS AND WORMS, OH MY!

Today’s cybersecurity considerations go far beyond the need to filter traffic from a few malicious URLs or spot
standard suspicious email attachments. The number and complexity of attacks on organizations of all sizes
increase every day, and the speed with which hackers adapt and invent has reached a break-neck pace. It is no
longer possible to be reactive to threats to your organization; in fact, it never was. The Next-Generation Firewall
offers a proactive approach to managing malware, and utilizes a targeted strategy based on information and a
more sophisticated policy structure.
DISTRIBUTED ENVIRONMENTS

Gone is the ability to set up a perimeter around your network and call it a day. With the explosion of SaaS, cloud
storage, mobile computing and an increasing number of at-risk endpoints, your cybersecurity strategy must be
prepared to allow the right traffic and users while identifying zero-day threats and negating them. Traditional
firewalls offer no capability to protect and monitor beyond your own network.
THE THREAT FROM WITHIN

In their 2016 Cyber Security Intelligence Index, IBM found that 60% of all attacks were carried out by insiders; this
includes both malicious efforts and unwitting actors who were exploited for access. You cannot prevent human
error, and even the best organizations can face a risk from employees, so user-driven policy management, careful
reporting and logging, and pattern assessment are critical safety components. A traditional firewall limits what can
come in, but a Next-Generation Firewall can also keep your assets and information secure from the inside.
PRACTICAL BUSINESS CONSIDERATIONS

There are many other technological risks to consider when evaluating your firewall, but there are also several
important factors on your organization’s balance sheet and org chart that factor into a migration decision:
• Retiring Legacy Equipment – If you are working with outdated equipment, making the shift to a new
platform may make more long-term financial sense.
• Simplicity – Using multiple vendors for services and equipment means integrations, different monitoring
tools, and difficulty looking at your organization holistically. A unified cybersecurity stack can help to
create efficiencies and ensure seamless coverage.
• Future Strategic Needs – Can your defenses scale with your organization? What about addressing future
needs, or growing threats to your industry? Can you meet the compliance guidelines and
recommendations, and for how long? Being proactive in your approach to security may require an initial
investment, but compared to the recovery costs from a breach, this is a small concern.
• Customer Confidence – From a business standpoint, being able to highlight your advanced security
strategies helps your customers feel secure.

BUILDING YOUR MIGRATION EVALUATION DREAM TEAM

So you’ve been selected to evaluate whether now is the right time to migrate to a Next-Generation Firewall, and to
provide a comparison between options. There are many templates and checklists of features you will want to
consider when choosing a firewall (links provided in the Checklist section), but this move has an impact on your
entire organization, and as such, your evaluation team should include representation from multiple business
and technological teams.
YOUR TECHNOLOGY TEAM

• Your CISO/CSO – It goes without saying that, if your organization has a C-level security role, they will be
deeply involved in this decision. Make sure you understand their expectations, major concerns, and how
they will measure the success of this project before you even begin collecting information.
• Infrastructure Security – Any division of your organization that has a direct connection to your network
must be included, and will bring insight you may not have. This includes network & system
administrators, data center managers, hardware management, and more.
• Corporate IT – If you have a separate team for addressing employee hardware (computers, phones, etc.),
make sure they have a representative, since they will be the front line for questions from users whose
processes are impacted.
• Your development teams may not need to be directly involved, but they should be aware that you are
considering a shift, and why. This could impact the ability of their programs and apps to access data,
communicate with third party sites, and more. If you are trying to address a gap or prevent a repeat
breach, you should be talking to all teams that could re-open this door.

INCLUDE OPERATIONS

• CIO – Your CSO will most likely deliver updates to your CIO on progress and developments, but make sure
you understand what his/her goals are and how they will measure your success.
• Business Units – Many business processes may have to be altered or stopped entirely once your new
security measures are in place, so it’s a good idea to include representation from your business units.
They can also help you understand what their most common and critical tasks are, and act as an advocate
during the migration as you work to communicate changes with organizational employees.
  o Give some special attention to Human Resources. Depending on your plans for monitoring and
  storing information on users, there may be privacy considerations, or updates that your HR team
  needs to make to their documentation.
• Once you’ve finalized your decision and drafted your migration timeline, it’s a good idea to give all
organizational employees a “heads up” about the change. You want users to know this change is
occurring in case they experience issues after the migration, and how to report them.

PARTNERS AND CUSTOMERS

• It’s very easy to only think about the impact within your business, but make sure you have a plan in place
to communicate this change to partners and customers who may be affected. Any organization you
share information with, or who does business through your channels could be affected.
• For clients, any impacts to the location of your data and how it is secured could have compliance
considerations.
BEGINNING AN EVALUATION

Okay, you’re ready to start your evaluation. Now what?


EVALUATE YOUR CURRENT FIREWALL

First things first: you’ll want to understand what your current firewall is providing in terms of coverage and what
will need to be covered going forward. While it may seem like there’s a chance to either start with a clean slate, or
to hoard policies and take everything with you, this is the time to figure out what’s worth keeping, what isn’t
working, and what you’re not sure about.

PERFORM A POLICY AUDIT

• Which policies are currently in use? How many haven’t been used in more than 6 months?
• How much traffic is hitting your active policies? Where is it coming from and where is it going?
  o You may need to consider a virtualized solution that will cover cloud-based apps and assets.
• Look at your documentation – is there any rationale for the current policies, and does it still hold true?
• Are your policies very general, or extremely granular? Remember that, to take full advantage of a
Next-Generation Firewall, you may need to change the methodology behind your policy development.
• SANS has a policy audit checklist you may find helpful.
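
The audit questions above can be answered mechanically from a rule-usage export. The script below is an added example, not part of the original guide and not Palo Alto Networks tooling. It assumes a hypothetical CSV export with the columns shown (name, source, destination, service, action, last_hit, hit_count), and the sample rows are constructed.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; the column names are assumptions, not a vendor format.
SAMPLE_EXPORT = """name,source,destination,service,action,last_hit,hit_count
allow-web-out,10.0.0.0/8,any,tcp/443,allow,2024-05-28,918234
legacy-ftp,10.1.4.0/24,203.0.113.10,tcp/21,allow,2023-08-02,41
temp-vendor-access,198.51.100.7,10.2.0.15,tcp/3389,allow,,0
allow-all-lab,any,any,any,allow,2024-05-30,77120
block-telnet,any,any,tcp/23,deny,2024-01-15,12
"""

def audit_rules(csv_text, today, stale_days=183):
    """Classify rules for a pre-migration policy audit.

    Returns (stale, broad, by_traffic):
      stale      - rules never hit, or last hit more than stale_days ago
      broad      - allow rules with 'any' in source, destination and service
      by_traffic - (name, share of total hits), busiest rule first
    """
    cutoff = today - timedelta(days=stale_days)
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    total_hits = sum(int(r["hit_count"]) for r in rows) or 1  # avoid divide-by-zero
    stale, broad, by_traffic = [], [], []
    for r in rows:
        # An empty last_hit means the rule has never matched any traffic.
        last_hit = date.fromisoformat(r["last_hit"]) if r["last_hit"] else None
        if last_hit is None or last_hit < cutoff:
            stale.append(r["name"])
        wide_open = all(r[f].strip().lower() == "any"
                        for f in ("source", "destination", "service"))
        if wide_open and r["action"] == "allow":
            broad.append(r["name"])
        by_traffic.append((r["name"], int(r["hit_count"]) / total_hits))
    by_traffic.sort(key=lambda item: item[1], reverse=True)
    return stale, broad, by_traffic

if __name__ == "__main__":
    stale, broad, by_traffic = audit_rules(SAMPLE_EXPORT, date(2024, 6, 1))
    print("Unused for 6+ months (review before migrating):", stale)
    print("Very general allow rules (candidates to tighten):", broad)
    for name, share in by_traffic:
        print(f"{name:20s} {share:6.1%} of hits")
```

Stale rules are candidates to retire rather than migrate, and the any/any/any allow rules are the ones to rewrite as application- and user-based policies.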

UNDERSTAND YOUR ASSETS

• Consider creating a topological map of your current architecture and traffic patterns so that you can
visualize your needs.
• Look at what vendors or third party services will be affected, too. How well will they work post-migration?
• Consider your greatest asset: your staff team. How is your team organized? Will roles change, increase or
merge with a more robust cybersecurity strategy in place?

DEFINE IMPROVEMENT

• Chances are, you didn’t just decide to start considering a migration. Did you read about an attack that
made you nervous? Have you experienced a breach? Make a list of your most pressing cybersecurity
concerns, and then note how well you think your current system manages them.
• If you’re using a traditional firewall, you’re not incorporating any protection around any cloud-based
systems, employee usage of SaaS, mobile device management, or endpoint security. You also probably
don’t have strong analysis capabilities, or have to use another vendor to supply them.
  o What efficiencies would a migration create for your organization?
  o What current gaps in your protection strategy would this fill? Can you measure how much traffic
  is moving through these channels right now?
• What business opportunities might be created through a more secure organization? How would it
improve service to your customers or clients?
• What are the risks if you do not enhance your protection? Consider documenting the cost of a breach,
service attack or exposure to malware.
  o Looking for examples? Try the Unit 42 blog.
REFERENCE DOCUMENTS

• This checklist covers pre-, mid- and post-migration considerations.
• Palo Alto Networks also has a document for planning your deployment that might give you some ideas.
• Don’t forget to consider your cloud environment needs:
https://www.sans.org/reading-room/whitepapers/cloud/introduction-securing-cloud-environment-34052
• This SANS whitepaper includes some great information on what you should document pre-migration:
https://www.sans.org/reading-room/whitepapers/firewalls/migrating-services-firewall-technologies-1199
• Take a look at this

BUILD THE BUSINESS CASE

• Don’t forget to look at the business considerations; you’ll need to translate technical needs into business
terms.
• There is a great video on Palo Alto Networks that outlines some of the biggest points you’ll need to cover:

EVALUATE YOUR OPTIONS

Once you’ve collected your historical information, made a list of your business needs, and brought your team
together, it’s time to evaluate your potential firewall options.

• See what criteria Gartner thinks matters in an Enterprise Firewall Solution.
• NetworkWorld.com also made a list of 7 key factors to look for in a Next-Generation Firewall solution.
• Consider Services:
https://www.paloaltonetworks.jp/content/dam/paloaltonetworks-com/en_US/assets/pdf/services/professional-services-firewall-migration.pdf
• Major considerations usually include:
  o Platform Type (Hardware, SaaS, mixed)
  o Feature sets that may include:
    ▪ Integrated IPS
    ▪ Reporting & Analytics
    ▪ Application and User-based Controls
    ▪ Deep Packet Inspection
    ▪ Architectural Flexibility
    ▪ Virtualization
    ▪ Enterprise VPN
  o Performance
  o TCO (total cost of ownership)
  o Manageability
  o Price
  o Support
• The priority and criteria for your checklist will be unique to your organization, and should be developed
based on the information you collected earlier.
• Make sure your entire team is in agreement about what your priorities are!
• Don’t forget to look at utilizing migration services. Teams like the Palo Alto Networks Migration Services
Division can help you ensure a seamless transition, identify issues or roadblocks you might not see, help
to develop processes for cutover and troubleshooting, and in general make sure you are going to see an
immediate return on your investment.
MAKE THE CALL

After completing your historical analysis, gathering your team, developing your criteria, and agreeing on priorities,
you’re ready to begin your evaluation.

• Make a short list of possible options and submit a request for more information.
• After team review, cull your list to only the top 2-3 options, and provide a more detailed set of follow-up
questions.
• Schedule demos or meetings to review the proposals with your team and ask questions.
• Consider developing a matrix for evaluation that will help your team objectively measure your options on
the same criteria.

When it’s time to make your recommendation, make sure you have all of the following:

• Buy-in from the evaluation team and key stakeholders
• A brief overview of the evaluation process
• Outline of what is being proposed, including available costs, estimated timing, resource needs, and any
impact to services
• Expected ROI over several time periods (day 1, first 6 months, 3 years out)
• Efficiencies or opportunities that will be created
• Roadmap for any anticipated additional investment or enhancements
• TCO

COUNTDOWN TO MIGRATION

In the next edition of Palo Alto Networks 101, we’ll cover:

• Developing a Communication Plan
• Your Migration Checklist
• Designing a Test Plan
• Cutover
• Post-Launch Check-ups
• Troubleshooting Issues
