The solution we developed can be rolled out in three stages. The first phase was moving the Firewall Admins away from the GUI and CLI and into Infrastructure as Code, using Structura. This enabled us to standardize the workflow across the Security team and reduce the learning curve it would typically take to adopt an IaC methodology in their practice. Object creation is as simple as dragging the resource (such as an address object) into the workspace, selecting it, and entering the required fields presented to the firewall admin. In Panorama, there is a single resource that manages the entire ruleset; so for the firewall admin to make a change to the policy, all they needed to do was open the resource, either select the rule that needed modification or create a new one, and enter the fields as required. Typically the policy would require values for the source and destination zones, addresses, services, and applications. These objects are all listed in the “Quick Chip” panel within Structura. A simple click and drag of these chips into the desired field assigns the object to that field in the configuration.
Once the Firewall’s Objects and Policies were defined as Infrastructure as Code, we could then use Git for source control. Changes made in Structura could be pushed to a repository, giving the Firewall Admins insight into what was changed, by whom, and when. Instead of doing the work during the change window, it could now be done ahead of time, verified by other team members asynchronously, and the push to Panorama was a click of a button, shortening the average length of the change window and reducing the human error that could be introduced.
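The Git workflow described above makes the policy change a reviewable artifact before it reaches Panorama. The following is an added example, not code from the original page or from Structura, of what an automated reviewer can run against that artifact in CI alongside the human review: it takes the JSON form of a Terraform plan (`terraform show -json tfplan`), reports which rules were added or removed, and flags changes a reviewer would want to stop, such as an allow rule with source, destination and application all set to any, or destruction of the whole rule group. The resource type names (`panos_address_object`, `panos_security_rule_group`) follow the panos Terraform provider and are assumed here; the plan document itself is constructed for the example, not captured from a real run.

```python
"""Automated pre-push review of a Panorama policy-as-code change (added example)."""
import json

# Constructed sample of `terraform show -json tfplan` output (not real output).
# It creates one address object and updates the rule group, adding a second,
# wide-open rule. The attribute layout is an assumption about the panos provider.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {
      "address": "panos_address_object.web_srv",
      "type": "panos_address_object",
      "change": {
        "actions": ["create"],
        "before": null,
        "after": {"device_group": "shared", "name": "web-srv-01",
                  "type": "ip-netmask", "value": "10.10.5.20/32"}
      }
    },
    {
      "address": "panos_security_rule_group.main",
      "type": "panos_security_rule_group",
      "change": {
        "actions": ["update"],
        "before": {"device_group": "shared", "rule": [
          {"name": "allow-web-from-dmz", "action": "allow",
           "source_zones": ["dmz"], "destination_zones": ["trust"],
           "source_addresses": ["any"], "destination_addresses": ["web-srv-01"],
           "applications": ["web-browsing", "ssl"], "services": ["application-default"]}
        ]},
        "after": {"device_group": "shared", "rule": [
          {"name": "allow-web-from-dmz", "action": "allow",
           "source_zones": ["dmz"], "destination_zones": ["trust"],
           "source_addresses": ["any"], "destination_addresses": ["web-srv-01"],
           "applications": ["web-browsing", "ssl"], "services": ["application-default"]},
          {"name": "temp-any-any", "action": "allow",
           "source_zones": ["any"], "destination_zones": ["any"],
           "source_addresses": ["any"], "destination_addresses": ["any"],
           "applications": ["any"], "services": ["any"]}
        ]}
      }
    }
  ]
}
""")


def resources_of_type(plan, rtype):
    """Yield the resource_changes entries of one Terraform resource type."""
    for rc in plan.get("resource_changes", []):
        if rc.get("type") == rtype:
            yield rc


def rule_names(group_state):
    """Rule names in a rule-group state; empty when the group is absent (null)."""
    if not group_state:
        return set()
    return {r["name"] for r in group_state.get("rule", [])}


def rule_diff(plan):
    """Rule names added or removed across every rule group in the plan."""
    added, removed = set(), set()
    for rc in resources_of_type(plan, "panos_security_rule_group"):
        before = rule_names(rc["change"].get("before"))
        after = rule_names(rc["change"].get("after"))
        added |= after - before
        removed |= before - after
    return {"added": sorted(added), "removed": sorted(removed)}


def is_wide_open(rule):
    """True for an allow rule whose source, destination and application are all 'any'."""
    return (rule.get("action") == "allow"
            and rule.get("source_addresses") == ["any"]
            and rule.get("destination_addresses") == ["any"]
            and rule.get("applications") == ["any"])


def review_plan(plan):
    """Findings a reviewer should see before approving the push to Panorama."""
    findings = []
    for rc in resources_of_type(plan, "panos_security_rule_group"):
        change = rc["change"]
        # Terraform spells destruction as the "delete" action with a null "after".
        if "delete" in change["actions"] and not change.get("after"):
            findings.append({"rule": rc["address"], "issue": "entire rule group destroyed"})
            continue
        for rule in (change.get("after") or {}).get("rule", []):
            if is_wide_open(rule):
                findings.append({"rule": rule["name"],
                                 "issue": "allow rule with any source, destination and application"})
    return findings


if __name__ == "__main__":
    print(json.dumps(rule_diff(SAMPLE_PLAN), indent=2))
    for finding in review_plan(SAMPLE_PLAN):
        print(f"BLOCK {finding['rule']}: {finding['issue']}")
```

Run as a CI step on the branch, the script would fail the merge for `temp-any-any` while leaving `allow-web-from-dmz` untouched; the diff output doubles as the change summary that reviewers read alongside the Git history.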