Bringing a Semblance of Order to Policy Chaos

Matt Keil


Ask firewall administrators about their day-to-day challenges and sooner or later they will come around to one that I am calling policy chaos. The term chaos aptly describes both the daily fire drills associated with physical firewall appliances and the rapid rate of change typical of moving into a cloud or virtualized environment. Maybe the marketing team needs a new application and the deadline is tomorrow, or an employee needs access to a restricted database for research. The necessary management approvals on the business side might go quickly, but in most companies the firewall policy change requires several more steps: review, approve, request change control, implement, push live.

As companies move toward virtualization and cloud computing, this chaos will only increase. The beauty of virtualization is that it lets organizations efficiently use a pool of compute resources to create virtual machines and associated applications that are spun up and taken down in minutes to meet changes in demand. But that rate of change in a virtualized or cloud computing environment is far faster than the traditional process for deploying security policies allows. Enter more policy chaos.

One of the many ways to address a chaotic environment is through automation, a technique that has proven effective across a wide range of industries in bringing order to policy chaos. At Palo Alto Networks, we can bring some semblance of order to your policy chaos using Dynamic Address Groups, VM-Monitoring and the XML API – all standard features in PAN-OS.

Here’s how these features work. Your computing resource pool may include a combination of both physical and virtual servers. These servers all have an IP address, but they also have other attributes or characteristics such as the OS, the application, and perhaps location. The policy automation begins with VM-Monitoring collecting the compute resource attributes from resource management tools such as vCenter, ESXi and AWS-VPC, or with those attributes being supplied directly through the XML API. PAN-OS then converts those attributes into tags, which you can use to define a Dynamic Address Group.

Based on the tags you use in the group definition, the IP addresses of the matching compute resources are collected into the group and used as part of the security policy. As new VMs or physical servers that fulfill your group definition are added, or as their attributes change, the group membership and therefore the policy update automatically, with no commit required. The result is that your security policy can now keep pace with the rate of change occurring in your virtualization environment.

Another piece that excites firewall administrators is automated policy removal. As servers or VMs are taken out of service, their addresses drop out of the address group automatically, and the policy no longer applies to them. The end result is that your policy chaos is reduced, and you hear “We don’t know what that rule is, but we left it because it might have broken something” far less frequently.
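To make the tag-to-group-to-policy flow above concrete, here is an added example (my own code, not Palo Alto Networks code and not taken from the original post) covering both the registration step and the automatic removal just described. It builds the `<uid-message>` XML that the PAN-OS XML API accepts for registering and unregistering IP-to-tag mappings, and it emulates, locally and offline, how a Dynamic Address Group match criterion such as `'web' and 'prod'` resolves to a set of IP addresses as tags come and go. The IP addresses, tag names, the `demo()` walkthrough and the hostname/API-key parameters of `send_uid_message()` are constructed for illustration; nothing here talks to a real firewall unless you call `send_uid_message()` yourself.

```python
"""Added example: register IP-to-tag mappings via the PAN-OS XML API
(user-id message) and emulate Dynamic Address Group (DAG) resolution.
All hosts, IPs and tags below are constructed sample data."""
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_uid_message(register=None, unregister=None):
    """Build the <uid-message> body PAN-OS accepts (type=user-id).
    register/unregister map an IP string to a list of tag names."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for action, mapping in (("register", register or {}), ("unregister", unregister or {})):
        if not mapping:
            continue
        section = ET.SubElement(payload, action)
        for ip, tags in sorted(mapping.items()):
            tag_el = ET.SubElement(ET.SubElement(section, "entry", ip=ip), "tag")
            for tag in tags:
                ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def send_uid_message(host, api_key, xml_body, timeout=15):
    """POST the message to https://<host>/api/ (network call; not exercised
    offline). The API key is a credential: load it from a secret store."""
    data = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": xml_body}).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=data)
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # TLS verified by default
        return resp.read().decode()


# --- local emulation of DAG match criteria: quoted tags joined by and/or ---
_TOKEN = re.compile(r"\s*(?:('[^']*')|(\(|\))|(and|or))", re.IGNORECASE)


def _tokenize(expr):
    expr, pos, out = expr.strip(), 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad match criterion near {expr[pos:]!r}")
        pos = m.end()
        if m.group(1):
            out.append(("TAG", m.group(1)[1:-1]))
        elif m.group(2):
            out.append(("PAREN", m.group(2)))
        else:
            out.append(("OP", m.group(3).lower()))
    return out


def _parse_or(tokens, i, tags):          # 'or' binds loosest
    val, i = _parse_and(tokens, i, tags)
    while i < len(tokens) and tokens[i] == ("OP", "or"):
        rhs, i = _parse_and(tokens, i + 1, tags)
        val = val or rhs
    return val, i


def _parse_and(tokens, i, tags):         # 'and' binds tighter than 'or'
    val, i = _parse_atom(tokens, i, tags)
    while i < len(tokens) and tokens[i] == ("OP", "and"):
        rhs, i = _parse_atom(tokens, i + 1, tags)
        val = val and rhs
    return val, i


def _parse_atom(tokens, i, tags):
    if i >= len(tokens):
        raise ValueError("unexpected end of match criterion")
    kind, text = tokens[i]
    if kind == "TAG":
        return text in tags, i + 1
    if (kind, text) == ("PAREN", "("):
        val, i = _parse_or(tokens, i + 1, tags)
        if i >= len(tokens) or tokens[i] != ("PAREN", ")"):
            raise ValueError("missing ')' in match criterion")
        return val, i + 1
    raise ValueError(f"unexpected token {text!r}")


def matches(criterion, tags):
    """True if the set of tags on one IP satisfies the DAG match criterion."""
    tokens = _tokenize(criterion)
    val, i = _parse_or(tokens, 0, set(tags))
    if i != len(tokens):
        raise ValueError("trailing tokens in match criterion")
    return val


class TagInventory:
    """Emulates the firewall's IP -> tags table fed by VM-Monitoring / the API."""
    def __init__(self):
        self.tags = {}

    def apply(self, register=None, unregister=None):
        for ip, tags in (register or {}).items():
            self.tags.setdefault(ip, set()).update(tags)
        for ip, tags in (unregister or {}).items():
            if ip in self.tags:
                self.tags[ip] -= set(tags)
                if not self.tags[ip]:
                    del self.tags[ip]          # last tag gone: IP leaves every group

    def resolve(self, criterion):
        """IPs that a DAG with this match criterion currently contains."""
        return sorted(ip for ip, tags in self.tags.items() if matches(criterion, tags))


def demo():
    """Constructed walkthrough: three servers, one DAG, one decommission."""
    inv = TagInventory()
    reg = {"10.1.1.10": ["web", "prod"], "10.1.1.11": ["web", "dev"], "10.1.2.20": ["db", "prod"]}
    inv.apply(register=reg)
    before = inv.resolve("'web' and 'prod'")      # ['10.1.1.10']
    inv.apply(unregister={"10.1.1.10": ["prod"]})  # VM retired: attribute removed
    after = inv.resolve("'web' and 'prod'")       # [] -> rule no longer matches it
    return before, after


if __name__ == "__main__":
    print(build_uid_message(register={"10.1.1.10": ["web", "prod"]}))
    print(demo())
```

The XML produced by `build_uid_message()` is what you would POST as the `cmd` parameter with `type=user-id` and your API key; PAN-OS applies the tag changes without a commit, which is what lets the group membership track the environment. The parser is deliberately a small recursive-descent evaluator rather than `eval()` on a rewritten string, since match criteria may come from orchestration tooling and should never be executed as code.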

Check out a short video below to see these features in action.
