How Palo Alto Networks Streamlines Workflows by Securing Microsoft Azure

Matt Keil

Category: Cloud Computing

One of three articles in a series about security for the three major public cloud environments: AWS, Azure and Google.

I had a recent conversation with a large oil industry customer, which highlighted the power of the cloud. It took this customer three weeks to provision a virtualized server that they already owned. In Microsoft Azure, it can be done in hours.

That on-demand flexibility is both a benefit and a challenge. The challenge is that your entire infrastructure is made up of on-demand services and may be enabled by different users whose main concern may not be the security of your cloud infrastructure. To help enforce a consistent security posture and minimize security-induced friction, our VM-Series now integrates with several Azure visibility and monitoring services and can be deployed in a fully automated manner using new templates and scripts.


Azure Security Center Integration for Improved Visibility

The VM-Series Azure Security Center integration allows you to collect, search and analyze security data generated by Threat Prevention, URL Filtering and WildFire, along with data generated by other Azure security infrastructure components. When Azure Security Center detects potential network security risks, it will recommend the VM-Series and allow you to deploy it directly from Azure Marketplace.


Active Health Monitoring With Application Insights

To more tightly integrate with your Azure infrastructure monitoring tools, the VM-Series using PAN-OS 8.1 can send internal VM-Series metrics directly to Azure Application Insights as a means of monitoring the capacity, health status and availability of your VM-Series firewall, along with the other Azure infrastructure resources deployed.

The VM-Series metrics that can be sent to Application Insights include:

  • Session utilization %
  • Total active sessions
  • Dataplane CPU utilization %
  • Dataplane packet buffer utilization %
  • SSL proxy utilization %
  • GlobalProtect active tunnels
  • GlobalProtect tunnel utilization %

In addition to active VM-Series health monitoring, Application Insights can be enabled to trigger actions using webhooks or Azure Functions when a metric has exceeded its defined threshold. For example, if dataplane CPU utilization exceeds 70 percent, an Azure Function can be triggered to file a ticket in ServiceNow for administrative follow-up, or to send a text via Twilio or PagerDuty to the security team, which can then create or terminate a VM-Series firewall instance.
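The following Python sketch is an added example, not Palo Alto Networks or Microsoft code. It shows the decision logic a threshold-triggered webhook receiver could apply before opening a ticket: authenticate the caller, validate the payload, then compare against the threshold. The payload schema, the metric key names and the shared-key check are assumptions made for illustration; only the 70 percent dataplane CPU threshold comes from the article.

```python
import hmac
import json

# Hypothetical metric keys; the article lists the metrics by display name only.
PERCENT_METRICS = {
    "session_utilization_pct",
    "dataplane_cpu_utilization_pct",
    "dataplane_packet_buffer_utilization_pct",
    "ssl_proxy_utilization_pct",
    "globalprotect_tunnel_utilization_pct",
}
COUNT_METRICS = {"total_active_sessions", "globalprotect_active_tunnels"}

# The 70 percent dataplane CPU threshold is the article's example value.
THRESHOLDS = {"dataplane_cpu_utilization_pct": 70.0}

# Constructed sample alert body (hypothetical schema, not Azure's own).
SAMPLE_ALERT = (b'{"firewall": "vm-series-01", '
                b'"metric": "dataplane_cpu_utilization_pct", "value": 83.5}')


def handle_alert(body, presented_key, expected_key, thresholds=THRESHOLDS):
    """Return a decision dict for one alert; unverified input is rejected."""
    # Constant-time comparison of the caller's shared secret (assumed scheme).
    if not hmac.compare_digest(presented_key.encode(), expected_key.encode()):
        return {"action": "reject", "reason": "bad key"}
    try:
        alert = json.loads(body)
        metric, value, source = alert["metric"], alert["value"], alert["firewall"]
    except (ValueError, KeyError, TypeError):
        return {"action": "reject", "reason": "malformed payload"}
    if metric not in PERCENT_METRICS | COUNT_METRICS:
        return {"action": "reject", "reason": "unknown metric"}
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return {"action": "reject", "reason": "non-numeric value"}
    # "not value >= 0" also rejects NaN, which json.loads accepts.
    if not value >= 0 or (metric in PERCENT_METRICS and value > 100):
        return {"action": "reject", "reason": "value out of range"}
    limit = thresholds.get(metric)
    if limit is None or value <= limit:
        return {"action": "none"}
    # Hand off to a human: open a ticket rather than scaling automatically.
    return {"action": "ticket",
            "summary": f"{source}: {metric}={value} exceeds {limit}"}
```

The function only returns a decision; the call that files the ticket or sends the text would sit behind the `ticket` result.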


Automating Deployments With Terraform and Ansible

Another way to ensure policy consistency in Azure, and across multiple cloud environments, is to use third-party orchestration and configuration tools, such as Terraform and Ansible, as a common automation toolset. When combined with the VM-Series automation features, Terraform and Ansible enable you to create completely “touchless” deployments, effectively embedding security into your application development workflow process.

When a developer needs to start a new project, for example, a Terraform template can deploy a VM-Series firewall, complete with licenses and subscriptions, from a bootstrapped configuration stored in Azure Storage. The Terraform provider for PAN-OS or Ansible, in conjunction with the XML API, can then be used to apply any last-minute configuration changes.


Support for Azure Security Center and Application Insights will be available as part of the upcoming PAN-OS 8.1 release slated for availability in March 2018. The templates and scripts are available now.

