Palo Alto Firewall Migration, Winter Update

On behalf of the firewall team, I would like to give everyone an update on the next steps for the Palo Alto firewall migration project.


Our main migration from Cisco ASAs to Palo Alto appliances was completed at the end of October. Since then, we have continued development work on the fw.noc application to manage some of the new Palo Alto features. We have also been working through some bugs on the platform, which we are resolving through a series of code updates that we expect to complete by the end of January.


Phase 2 of this project includes new features we plan to implement over time. These new features include:


  • Migrating NAT firewalls from ASAs to Palo Altos. We have a few firewalls that are performing NAT operations for security or regulatory compliance. The Palo Altos handle NAT differently from the Cisco ASAs, so these are taking some extra time to prepare.
  • Implementing Security Profiles for intra-campus traffic. This feature includes Antivirus, Anti-spyware, and Vulnerability Protection (also known as Intrusion Prevention). We have had these features running on our campus border for some time, and have had them set to alert only on intra-campus traffic. This enhancement will block malicious traffic detected between campus networks.
  • Implementing DoS protection features for intra-campus traffic. This protects the data plane of the appliance and will drop malicious traffic, such as a SYN flood, before it ever hits a security policy.
  • Adding the ability to create new firewall rules via fw.noc that use AppID, which bases a security policy rule on the application rather than port and protocol. This can prevent malicious traffic, such as non-web traffic traversing a port intended for web only.
  • Updating our firewall course as we add AppID features into fw.noc. We will also be offering a shorter refresher course for existing authorized requesters.
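To illustrate the difference between a port-based rule and an AppID-based rule described above, here is an added example written in PAN-OS "set" configuration syntax. It is not from the original announcement, fw.noc, or the firewall team; the rule names and zone names (campus-a, campus-b) are assumptions. The first rule allows anything on TCP port 80, so a non-web application tunnelled over port 80 would be permitted. The second rule allows only traffic that the firewall identifies as web browsing, and "application-default" further restricts it to the port the application normally uses, so non-web traffic on port 80 is dropped.

```text
# Port-based rule (the old ASA-style approach): allows ANY application on TCP/80
# Rule name, zones, and addresses are assumed for this example
set rulebase security rules allow-port80 from campus-a to campus-b source any destination any
set rulebase security rules allow-port80 application any service service-http action allow

# AppID-based rule: allows only traffic identified as web-browsing, on its default port
set rulebase security rules allow-web-appid from campus-a to campus-b source any destination any
set rulebase security rules allow-web-appid application web-browsing service application-default action allow
```

In the AppID rule, a session on port 80 that the firewall identifies as something other than web-browsing (for example a remote-access tool using port 80 to evade port-based filtering) does not match the rule and falls through to the next rule or to the default deny, which is the behaviour the AppID feature provides.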


These new features will be rolled out over the course of Phase 2, and we will be sure to notify the campus IT community as each of these features is placed into production. Please let us know if you have any questions.


Sincerely,

The Firewall Team