
Tips for Security Appliance Migration & Deployment

September 20, 2018


Complete network visibility starts by using a network visibility fabric comprised of network TAPs and packet brokers, rather than relying on SPAN ports as your access method. Your monitoring and security tools like an APM or IDS are a significant investment for your organization, and they will only perform up to the quality of the traffic that is sent to them.

With SPAN ports you are relying on your production switch to duplicate traffic and output the traffic to a SPAN port. As the switch gets busy, it will start dropping packets to the SPAN port because it treats the SPAN port as a very low priority. So I always recommend building a strong foundation with Network TAPs to ensure you see every packet off the wire.


Best practices for installing a Palo Alto Networks NGFW

A question I hear all the time from customers who are looking to install an inline security device is: "How is this going to affect my network uptime?" The best practice is to deploy a bypass TAP in parallel with your Palo Alto device. This reduces any downtime in your network and helps to manage the entire lifecycle of the inline device.

From the proof of concept (POC) and validation stages, through normal operations and maintenance, to eventual replacement, a bypass TAP simplifies management of the inline security tool and ensures 100% network uptime, so that the NGFW will not be the point of network failure.


Palo Alto Networks' Migration Tool

Palo Alto Networks provides a free download from their website, available for VMware ESXi and VMware Player/Workstation, which converts firewall configurations from other vendors to Palo Alto format. The tool brings in all of the configuration rules you had previously assigned to an old firewall from another vendor and applies them to your new PAN NGFW in the format required by the firewall. It is a great tool to use alongside a network TAP to carry the configuration you already have in place over to PAN, without having to re-enter everything manually.

Using a TAP, you can check and validate the configuration settings of the new firewall to make sure that traffic is behaving as expected. Should something not migrate over correctly, a click of a button in the bypass TAP's GUI takes the new firewall offline so you can make any additional configuration changes, all the while routing your traffic back through the old firewall so your network remains protected.

Tools like a bypass TAP and the PAN migration tool make the deployment and migration of a firewall easier and help avoid network issues along the way. If you're looking to partner with an expert in cybersecurity, GuidePoint Security provides cybersecurity solutions and expertise to create safer IT environments for organizations.

[Want to learn more? Watch the Garland Technology + GuidePoint Security on-demand webinar: Tips for Security Application Deployment and Migration today]


Heartbeat Packets Inside the Bypass TAP

If the inline security tool goes off-line, the TAP will bypass the tool and automatically keep the link flowing. The Bypass TAP does this by sending heartbeat packets to the inline security tool. As long as the inline security tool is on-line, the heartbeat packets will be returned to the TAP, and the link traffic will continue to flow through the inline security tool.

If the heartbeat packets are not returned to the TAP (indicating that the inline security tool has gone off-line), the TAP will automatically 'bypass' the inline security tool and keep the link traffic flowing. The TAP also removes the heartbeat packets before sending the network traffic back onto the critical link.

While the TAP is in bypass mode, it continues to send heartbeat packets out to the inline security tool so that once the tool is back on-line, it will begin returning the heartbeat packets back to the TAP indicating that the tool is ready to go back to work. The TAP will then direct the network traffic back through the inline security tool along with the heartbeat packets placing the tool back inline.

Some of you may have noticed a flaw in the logic behind this solution! You say, “What if the TAP should fail because it is also in-line? Then the link will also fail!” The TAP would now be considered a point of failure. That is a good catch – but in our blog on Bypass vs. Failsafe, I explained that if a TAP were to fail or lose power, it must provide failsafe protection to the link it is attached to. So our network TAP will go into Failsafe mode keeping the link flowing.
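The heartbeat logic described above, modelled as a small state machine. This is an added example, not Garland Technology's firmware or any vendor's code: the heartbeat marker, the miss threshold of three unanswered heartbeats before bypassing, and the SimTool stand-in for the inline NGFW are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

HEARTBEAT = b"TAP-HEARTBEAT"  # constructed marker for the TAP's own heartbeat frames

class Mode(Enum):
    INLINE = "inline"      # link traffic is routed through the security tool
    BYPASS = "bypass"      # tool unresponsive: TAP forwards link traffic around it
    FAILSAFE = "failsafe"  # TAP lost power: relays close and the link flows passively

@dataclass
class BypassTap:
    tool: Callable[[bytes], Optional[bytes]]  # inline tool: returns the frame, or None if dropped
    miss_threshold: int = 3                    # assumed: unanswered heartbeats tolerated before bypass
    mode: Mode = Mode.INLINE
    missed: int = 0

    def heartbeat(self) -> Mode:
        """Send one heartbeat to the tool; getting it back means the tool is healthy."""
        if self.mode is Mode.FAILSAFE:
            return self.mode                   # no active logic without power
        if self.tool(HEARTBEAT) == HEARTBEAT:
            self.missed = 0
            if self.mode is Mode.BYPASS:       # tool answers again: put it back inline
                self.mode = Mode.INLINE
        else:
            self.missed += 1
            if self.mode is Mode.INLINE and self.missed >= self.miss_threshold:
                self.mode = Mode.BYPASS        # tool silent too long: route around it
        return self.mode

    def forward(self, frame: bytes) -> Optional[bytes]:
        """Carry one link frame across the TAP; heartbeats are stripped before the wire."""
        out = self.tool(frame) if self.mode is Mode.INLINE else frame
        return None if out == HEARTBEAT else out

    def power_loss(self) -> Mode:
        """The TAP itself fails: failsafe keeps the link up with no inspection."""
        self.mode = Mode.FAILSAFE
        return self.mode

class SimTool:  # constructed stand-in for an inline NGFW
    def __init__(self) -> None:
        self.online = True

    def __call__(self, frame: bytes) -> Optional[bytes]:
        return frame if self.online else None  # offline tool swallows everything
```

Note the detection window: while the tool is down but the TAP is still in inline mode, link frames are lost until enough heartbeats go unanswered, which is why the heartbeat interval and miss threshold matter operationally.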

Glossary

  1. Single point of failure: a risk to an IT network in which the failure of one part of the system brings down a larger part of the entire system.

  2. Heartbeat packet: a soft detection technique that monitors the health of inline appliances. Read the heartbeat packet blog here.

  3. Critical link: the connection between two or more network devices or appliances whose failure disrupts the network.
