Managed Security Implementation FAQ

Discover the key steps to effectively implementing managed security solutions to protect your business from cyber threats.

New firewall implementations are never easy, but maintaining a robust security posture is vital to your business. The goal of this document is to answer common questions and alleviate concerns when deploying US Signal Managed Security, powered by Palo Alto Networks, into your environment.

How Will The Palo Alto Firewall Be Deployed In The US Signal Implementation?

US Signal uses Palo Alto Networks VM-Series virtual firewalls and deploys them in its managed data centers. US Signal refers to these firewalls as Cloud-Based Advanced Security (CBAS) gateways. For many customers, these firewalls provide Internet access for Cloud Hosting, MPLS, and Data Protection services. They also serve as the termination point for Site-to-Site and Remote Access VPNs that connect remote customer branch offices and users.

What Type Of Access Will I Have To The Firewall?

US Signal customers are given read-only access to the firewall through its web graphical user interface (GUI), reachable only from the internal LAN. With this access you can view traffic and threat logs, review security policy rules, monitor VPN status, and generate reports.

What Type Of Network Traffic Is Blocked & What Type Of Traffic Is Allowed Through the Firewall?

The Palo Alto firewall is set up, by default, with a zero-trust (default-deny) posture. This means that all inbound and outbound network traffic between zones (for example, LAN to Internet or Internet to LAN) is blocked unless a security policy rule explicitly permits it. Note that PAN-OS's predefined intrazone-default rule allows traffic between interfaces that belong to the same zone unless that rule is overridden, so the default deny applies to traffic crossing a zone boundary.

How Do I Make Changes Or Request New Additions To Existing Features On The Firewall?

To make changes or additions to the firewall configuration, such as modifying a security rule or setting up a new VPN tunnel, open a trouble ticket with the Technical Operations Center (TOC). The TOC support team can be reached by phone or email 24/7 and is trained to handle modifications to the firewall as well as configuring new features supported by the platform.

Does The Palo Alto Firewall Support Site-to-Site IPsec VPN Solutions, And If So, Does It Differ From Other Third-Party Platforms?

The Palo Alto firewall implements a route-based Site-to-Site IPsec VPN: each tunnel is a logical tunnel interface, and the firewall's routing table decides which traffic enters it. Many other vendors use a policy-based VPN, where an access list or policy (the local/remote network selectors) decides which traffic is encrypted into the tunnel.

Will The Palo Alto Route-Based VPN Work With A Third-Party Policy-Based VPN, And Is There Anything That I Need To Be Aware Of?

The Palo Alto firewall does interoperate with third-party policy-based VPNs, but some of the advantages of a route-based VPN are lost when doing so. The biggest difference is that the Palo Alto firewall makes forwarding decisions over a VPN tunnel based on its routing table and the destination IP address, not on a policy selector. In practice this means each local/remote network pair defined in the peer's policy must also be configured as a Proxy ID on the Palo Alto side so that the IKE Phase 2 negotiation succeeds, and a static route for each remote network must point at the tunnel interface. Because the routing table cannot send one destination down two tunnels, the remote VPN networks configured on the Palo Alto firewall cannot overlap.
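As an added illustration of the forwarding behaviour described above (this is example code, not US Signal's or Palo Alto Networks' own), the Python model below picks the egress interface for a destination by longest-prefix match on a routing table and rejects any remote VPN network that overlaps one already routed to a tunnel. The interface names `ethernet1/1` and `tunnel.N`, and the branch networks in `demo()`, are assumed for illustration.

```python
import ipaddress


class RouteBasedVpn:
    """Toy model of route-based VPN forwarding (added example, not vendor
    code). Egress is chosen by longest-prefix match on the destination IP;
    each remote site's network is a route pointing at a tunnel interface."""

    def __init__(self, default_iface="ethernet1/1"):
        # Default route toward the Internet-facing interface (assumed name).
        self.routes = [(ipaddress.ip_network("0.0.0.0/0"), default_iface)]
        self.remote_networks = []   # (network, tunnel) pairs for overlap checks

    def add_remote_network(self, prefix, tunnel):
        """Install a route for a remote site's network via a tunnel interface.
        Overlapping remote networks are rejected: with forwarding driven by
        the routing table there is no policy selector to disambiguate them."""
        net = ipaddress.ip_network(prefix, strict=True)
        for existing, existing_tunnel in self.remote_networks:
            if existing.overlaps(net):
                raise ValueError(
                    f"{net} overlaps {existing}, already routed via {existing_tunnel}")
        self.remote_networks.append((net, tunnel))
        self.routes.append((net, tunnel))

    def egress(self, dst_ip):
        """Return the interface the firewall would forward dst_ip to, or None
        when no route matches (e.g. an IPv6 destination with only IPv4 routes)."""
        ip = ipaddress.ip_address(dst_ip)
        candidates = [(net, iface) for net, iface in self.routes if ip in net]
        if not candidates:
            return None
        _net, iface = max(candidates, key=lambda r: r[0].prefixlen)
        return iface


def demo():
    """Constructed sample: two branch sites, then an overlapping request."""
    fw = RouteBasedVpn()
    fw.add_remote_network("10.10.0.0/16", "tunnel.1")      # branch A (assumed)
    fw.add_remote_network("192.168.50.0/24", "tunnel.2")   # branch B (assumed)
    decisions = {
        "10.10.3.7": fw.egress("10.10.3.7"),          # via tunnel.1
        "192.168.50.9": fw.egress("192.168.50.9"),    # via tunnel.2
        "203.0.113.10": fw.egress("203.0.113.10"),    # not a VPN network: default route
    }
    try:
        fw.add_remote_network("10.10.5.0/24", "tunnel.3")  # overlaps branch A
        overlap_rejected = False
    except ValueError:
        overlap_rejected = True
    return decisions, overlap_rejected


if __name__ == "__main__":
    print(demo())
```

The overlap check is the point a practitioner hits when a third-party peer's policy lists several selectors that fall inside one another: the peer can express that, the routing table cannot.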

Does The Palo Alto Firewall Support A Remote Access VPN Solution, And If So, How Do I Deploy It To Users?

The Palo Alto firewall's remote access VPN solution is called GlobalProtect. Users download the client and its configuration by browsing to the GlobalProtect portal's FQDN. Mobile devices install the GlobalProtect app from the iOS App Store or Google Play and enter the same FQDN in the app to obtain the configuration. GlobalProtect is NOT provisioned by default; request it through a ticket with the Technical Operations Center.

How Will Remote Access VPN Users Authenticate?

It is recommended that you provide an external authentication source, such as a RADIUS or LDAP server, that the firewall can use to authenticate remote VPN users. This keeps user account administration entirely under your control: disabling or removing an account in your directory immediately revokes that user's VPN access. Although less scalable and less secure, the local user database on the Palo Alto firewall can be used instead. When using the local database, you are responsible for opening a ticket with the Technical Operations Center to add, remove, or modify user accounts.

How Can I Control What Networks The Remote Users Have Access To?

By default, once a user connects with the VPN client, all of that device's traffic is encrypted and routed to the Palo Alto firewall regardless of destination (full tunnel). The Palo Alto firewall also supports a split-tunnel configuration that sends only traffic destined for the corporate networks hosted in US Signal's infrastructure across the tunnel; all other traffic leaves the user's device directly and is not seen or inspected by the firewall.

What Is App-ID?

App-ID is the feature that lets the Palo Alto firewall identify, classify, and filter traffic at Layer 7 (the application layer). Traffic is classified not only by source and destination IP address, port, and transport-layer protocol (TCP/UDP), but also by application signatures, protocol decoding, and heuristics.

How Is App-ID Implemented & Do I Need To Enable It?

App-ID is applied per security policy rule. This means each rule on the Palo Alto platform can match on the identified application, or it can use the traditional port-based method by matching on service (port and protocol) alone. Using App-ID is recommended, but it is not a requirement and a rule can be written without it.

What Are the Advantages & Disadvantages Of Using App-ID?

Traditional legacy firewalls enforce security policy based on IP addresses, ports, and protocols alone. This lets evasive or malicious applications disguise themselves as "trusted" traffic by using well-known ports and protocols, for example tunnelling a non-web protocol over TCP/443. App-ID identifies the actual application behind the traffic so that policy is enforced on the application itself. The disadvantage of App-ID is that legitimate traffic can be inadvertently blocked if you do not have a clear inventory of which applications are in use on your network; reviewing the firewall's traffic logs before tightening rules is the practical way to build that inventory.
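The following Python model is an added example (not code from US Signal or Palo Alto Networks) that ties together the default-deny behaviour, the per-rule choice between port-based and App-ID matching, and the trade-off just described. Rules are evaluated top-down, first match wins, and anything unmatched hits an implicit deny. The zone names, the `app` value on each session (standing in for what App-ID would decode from the payload), and the `APP_DEFAULT_PORTS` table are all constructed for illustration; the real application database is Palo Alto's.

```python
from dataclasses import dataclass, field

# Constructed subset of "application-default" ports, used only to keep the
# example self-contained. The real app/port database belongs to App-ID.
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "ssh": {("tcp", 22)},
    "dns": {("udp", 53), ("tcp", 53)},
}


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    app: str          # what App-ID decoded from the payload (assumed here, not computed)


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    action: str                               # "allow" or "deny"
    applications: set = field(default_factory=lambda: {"any"})
    service: object = "any"                   # "any", "application-default", or a set of (proto, port)

    def matches(self, s):
        if self.from_zone not in ("any", s.src_zone):
            return False
        if self.to_zone not in ("any", s.dst_zone):
            return False
        if "any" not in self.applications and s.app not in self.applications:
            return False
        if self.service == "any":
            return True
        if self.service == "application-default":
            # Allow the application only on the ports it normally uses.
            return (s.proto, s.dst_port) in APP_DEFAULT_PORTS.get(s.app, set())
        return (s.proto, s.dst_port) in self.service


def evaluate(rules, session):
    """First matching rule wins; no match means the implicit deny applies
    (the default-deny posture described earlier in this FAQ)."""
    for rule in rules:
        if rule.matches(session):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Two ways to write "let users reach the web": by port, and by application.
PORT_BASED = [
    Rule("allow-tcp-443-out", "trust", "untrust", "allow",
         service={("tcp", 443)}),
]
APP_ID = [
    Rule("allow-web-out", "trust", "untrust", "allow",
         applications={"web-browsing", "ssl"}, service="application-default"),
]

# Constructed sessions (zone names and app labels assumed).
HTTPS_OUT = Session("trust", "untrust", "tcp", 443, "ssl")
SSH_ON_443 = Session("trust", "untrust", "tcp", 443, "ssh")               # evasive: SSH hidden on 443
UNINVENTORIED_ON_443 = Session("trust", "untrust", "tcp", 443, "erp-sync")  # legitimate but never listed
INBOUND_RDP = Session("untrust", "trust", "tcp", 3389, "ms-rdp")          # no rule permits this


if __name__ == "__main__":
    for label, s in [("https", HTTPS_OUT), ("ssh-on-443", SSH_ON_443),
                     ("uninventoried", UNINVENTORIED_ON_443), ("inbound-rdp", INBOUND_RDP)]:
        print(label, "port-based:", evaluate(PORT_BASED, s), "app-id:", evaluate(APP_ID, s))
```

The same mechanism produces both outcomes in the text: `SSH_ON_443` slips through the port-based rule but is stopped by the App-ID rule, while `UNINVENTORIED_ON_443`, a legitimate application nobody added to the rule, is stopped too. Inbound RDP is denied under either rulebase because nothing matches it.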