Complete network visibility starts with a network visibility fabric made up of network TAPs and packet brokers, rather than relying on SPAN ports as your access method. Monitoring and security tools such as an APM or IDS are a significant investment for your organization, and they will only perform as well as the quality of the traffic sent to them.
With SPAN ports you are relying on your production switch to duplicate traffic and output it to the SPAN port. As the switch gets busy, it will start dropping packets destined for the SPAN port, because it treats the SPAN port as a very low priority. So I always recommend building a strong foundation with network TAPs to ensure you see every packet off the wire.
Best practices for installing a Palo Alto Networks NGFW
Something I hear all the time from customers who are looking to install an inline security device is: how is this going to affect my network uptime? The best practice is to deploy a bypass TAP in parallel with your Palo Alto device. This reduces any downtime in your network and helps to manage the entire lifecycle of the inline device.
From proof of concept (POC) through validation, normal operations and maintenance, and eventual replacement, a bypass TAP simplifies management of the inline security tool and ensures 100% network uptime: the NGFW will not be the point of network failure.
Palo Alto Networks' Migration Tool
Palo Alto Networks provides a free download from their website, available for VMware ESXi and VMware Player/Workstation, which converts firewall configurations from other vendors to Palo Alto. The tool brings in all of the configuration rules you had previously assigned to an old firewall from another vendor and applies them to your new PAN NGFW in the format the firewall requires. It is a great tool to use alongside a network TAP to carry the configuration you already have in place over to PAN without re-entering everything manually.
Using a TAP, you can check and validate the configuration settings of the firewall to make sure that traffic is behaving as expected. Should something not migrate over correctly, a single click in the bypass TAP's GUI takes the firewall offline so you can make additional configuration changes, all the while routing your traffic back through the old firewall so your network remains protected.
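One way to do the validation described above, as an added example that is not part of the original article or any Garland or Palo Alto Networks tool: given flow records captured from the TAP on the network side entering the NGFW and on the side leaving it (assumed here to be without NAT, so flows can be matched 1:1), and a simplified first-match copy of the migrated policy, report flows the policy should allow that never came out (a mis-migrated rule silently blocking traffic) and flows the policy should deny that did come out. The `Flow`/`Rule` shapes and sample data are constructed for the example.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")
# dport None means any port; proto "any" means any protocol.
Rule = namedtuple("Rule", "src_net dst_net proto dport action")

def first_match(policy, flow):
    """Action of the first rule matching the flow; implicit default is deny."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in policy:
        if (src in ipaddress.ip_network(r.src_net)
                and dst in ipaddress.ip_network(r.dst_net)
                and r.proto in (flow.proto, "any")
                and r.dport in (flow.dport, None)):
            return r.action
    return "deny"

def validate_policy(policy, ingress, egress):
    """Compare flows entering the firewall with flows leaving it.

    unexpected_block: policy says allow, but the flow never left the NGFW.
    unexpected_allow: policy says deny, but the flow was seen leaving it.
    """
    left = set(egress)
    unexpected_block = [f for f in ingress
                        if first_match(policy, f) == "allow" and f not in left]
    unexpected_allow = [f for f in egress if first_match(policy, f) == "deny"]
    return {"unexpected_block": unexpected_block,
            "unexpected_allow": unexpected_allow}

# Constructed sample policy (as migrated) and TAP flow records.
POLICY = [
    Rule("10.1.0.0/16", "10.2.0.0/24", "tcp", 443, "allow"),
    Rule("10.1.0.0/16", "10.2.0.0/24", "tcp", 22, "deny"),
    Rule("10.1.0.0/16", "10.3.0.0/24", "udp", 53, "allow"),
]
INGRESS = [  # seen on the TAP before the NGFW
    Flow("10.1.5.7", "10.2.0.10", "tcp", 443),
    Flow("10.1.5.7", "10.2.0.10", "tcp", 22),
    Flow("10.1.9.2", "10.3.0.5", "udp", 53),
    Flow("10.1.9.2", "10.3.0.5", "tcp", 3389),
]
EGRESS = [   # seen on the TAP after the NGFW
    Flow("10.1.5.7", "10.2.0.10", "tcp", 443),
    Flow("10.1.9.2", "10.3.0.5", "tcp", 3389),  # policy says deny
]

if __name__ == "__main__":
    for kind, flows in validate_policy(POLICY, INGRESS, EGRESS).items():
        print(kind, flows)
```

A flow missing from the egress side is only meaningful evidence of a firewall block when both captures come from a TAP; with SPAN-fed captures, the same gap could just be the switch dropping the mirrored copy.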
Tools like a bypass TAP and the PAN migration tool make deploying and migrating a firewall easier without causing network issues. But if you’re looking to partner with an expert in cybersecurity, GuidePoint Security provides innovative and valuable cybersecurity solutions and expertise to create safer IT environments for organizations.
[Want to learn more? Watch the Garland Technology + GuidePoint Security on-demand webinar: Tips for Security Application Deployment and Migration today]