Ensuring Reliability and Heightened Security of Palo Alto Networks devices during COVID-19
The COVID-19 pandemic remains a health and humanitarian crisis. It is exerting a profound impact on the global economy and our daily lives. Businesses are responding to the crisis by following the guidance of our government and public health experts to ensure the safety and well-being of their employees. They are rapidly adjusting to the changing needs of their people and customers and many organizations have rolled out mandatory work-from-home policies amid the spread of coronavirus.
Virtual Private Network (VPN) usage has surged in response to increased remote workers and this sudden increase is stressing IT infrastructure everywhere. These VPN devices have experienced unprecedented load in the last few weeks and IT teams are working harder than ever to maintain business continuity. To ensure maximum reliability, Indeni continuously assesses Palo Alto Networks device health by comparing expectations of device capacity against current load. The ability to proactively alert administrators of capacity limits is key to keeping these devices up and running.
Indeni has automated best practices for Palo Alto Networks firewalls to deliver predictive and actionable insights that help you prevent costly disruptions during this challenging time. We have provided a quick snapshot of some of them below.
1) Tracking number of connections
Indeni continuously assesses the number of concurrent connections against automatically-learned limits for the Palo Alto Networks device. It is important that we track the number of users at all times to maintain stability. As connections are approaching the device limit, we proactively notify users before the service is impacted.
We recently announced a new feature, in response to the COVID-19 crisis, that shows the actual number of connections against the device's maximum connection limit.
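As an added illustration of the capacity check described in this section (this is example code, not Indeni's own logic), the Python below parses a constructed sample of PAN-OS `show session info` output, computes session-table utilization against the limit the device itself reports, and classifies it against warning and critical thresholds. The counter names follow the PAN-OS output format; the figures and the 80%/90% thresholds are assumed values for the example.

```python
import re

# Constructed sample of PAN-OS `show session info` output. Only the counters
# used by this check are included, and the figures are made up.
SAMPLE_SESSION_INFO = """\
--------------------------------------------------------------------------------
Number of sessions supported:     262142
Number of allocated sessions:     231890
Number of active TCP sessions:    198211
Number of active UDP sessions:    33104
Number of active ICMP sessions:   575
--------------------------------------------------------------------------------
"""

# Alert thresholds as a fraction of the device-reported limit (assumed values).
WARN_AT = 0.80
CRIT_AT = 0.90


def parse_session_info(text):
    """Return {counter name: int} for every 'Number of <name>: <n>' line."""
    counters = {}
    for match in re.finditer(r"^Number of (.+?):\s+(\d+)\s*$", text, re.MULTILINE):
        counters[match.group(1).strip()] = int(match.group(2))
    return counters


def session_utilization(counters):
    """Fraction of the session table in use; raises if a counter is missing."""
    try:
        supported = counters["sessions supported"]
        allocated = counters["allocated sessions"]
    except KeyError as exc:
        raise ValueError(f"missing counter in session info: {exc}") from None
    if supported <= 0:
        raise ValueError("device reports a non-positive session limit")
    return allocated / supported


def classify(utilization, warn=WARN_AT, crit=CRIT_AT):
    """Map a utilization fraction to an alert severity."""
    if utilization >= crit:
        return "CRITICAL"
    if utilization >= warn:
        return "WARNING"
    return "OK"


def check_capacity(text, warn=WARN_AT, crit=CRIT_AT):
    """Parse the output, compute utilization and return an alert summary."""
    counters = parse_session_info(text)
    utilization = session_utilization(counters)
    return {
        "supported": counters["sessions supported"],
        "allocated": counters["allocated sessions"],
        "utilization": round(utilization, 4),
        "severity": classify(utilization, warn, crit),
    }


if __name__ == "__main__":
    result = check_capacity(SAMPLE_SESSION_INFO)
    print(f"{result['severity']}: {result['allocated']}/{result['supported']} "
          f"sessions ({result['utilization']:.1%})")
```

In practice the text would come from the device (CLI or XML API) on a schedule, and the limit would be taken from the device rather than hard-coded, so the same check works across models.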
2) Performance and availability of VPN services
It is now more important than ever that IT teams capture metrics about the performance and availability of VPN services. Indeni continuously assesses device health by comparing expectations of device configuration against the reality of current status. You will be proactively notified of performance issues that could become bigger problems.
- VPN tunnel status – checking for VPN issues caused by authentication or decryption errors
- Network connectivity checks to ensure VPN availability – are any BGP peers down, is the next hop reachable?
- Connectivity to key services such as Panorama, logging servers, LDAP servers, WildFire, URL cloud, etc.
- SSL decryption is a common cause of performance issues. Each model has a limit of concurrent SSL decryption sessions. It is important to know when the model is reaching capacity before impacting your VPN service.
Click here for more information about our SSL decryption capability.
3) Auto-Triage issues immediately to reduce the IT burden
At times like this, you are going to need all the help you can get. You can leverage Auto-Triage to help reduce the burden on IT. For example, a high number of routes may have a negative impact on the device. When Indeni detects a high number of routes, Indeni will automatically investigate the problem, without human intervention, and present details of the triage step by step leading to faster resolution.
4) VPN Vulnerabilities
Many cybersecurity industry alerts have been published recently on the topic of VPN security. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) is encouraging organizations to adopt a heightened state of cybersecurity for VPN services. It is important that the VPN service is patched and up-to-date as attackers are targeting these VPN devices.
Often, security analysts spend a lot of time collecting data about security vulnerability issues. During a time of crisis, checking vulnerability alert feeds manually is both overwhelming and time-consuming. Indeni automates this process for you. We leverage our community of experts to help prioritize these vulnerability issues, and we identify firewalls running versions with known vulnerabilities. The following is a sample list of security vulnerabilities:
- Command injection vulnerabilities
- Denial of Service against GlobalProtect
- Device management authentication bypass
- Insecure server configuration
- Kernel vulnerabilities
- OpenSSL vulnerabilities
- ROBOT attack against PAN-OS
- Unauthenticated buffer overflow in GlobalProtect/SSL VPN web interface
- Unauthenticated command injection in management web interface
- Vulnerability in PAN-OS and Panorama on management interface
- Vulnerability in the PAN-OS DNS Proxy
- Web interface privilege escalation
- Web interface denial of service
- XML external entity
- Cross-site scripting
5) Validate best practices
Indeni continuously assesses devices for alignment with configuration recommendations from vendors and seasoned practitioners. Implementing best practices means outages happen less often. This is a sample list of best practices:
- GlobalProtect Clientless VPN content update schedule is not following best practices
- GlobalProtect Data File update schedule is not following best practices
- Last configured security policy not set to block any/any
- One or more vulnerability profiles are not following best practices
- Password complexity not meeting best practices
- Security policies allowing traffic do not meet baselines
- Security rule with source and destination zones set to any
- Service setting of ANY configured on security policy
For more details on Palo Alto Networks best practice compliance with Indeni, click here.
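As an added example of how three of the best-practice checks listed above can be expressed as code (this is illustrative code, not Indeni's own rules engine), the Python below audits a constructed, simplified PAN-OS security rulebase for allow rules with source and destination zones set to any, allow rules whose service is set to ANY, and a rulebase whose last rule is not an explicit deny any/any. The rule names, zones and services are made up; the dict layout is an assumption chosen for the example, not the firewall's native format.

```python
# Constructed rulebase in a simplified shape: each rule is a dict with the
# fields the checks need. Names, zones and services are made up.
SAMPLE_RULEBASE = [
    {"name": "allow-vpn-users", "from": ["vpn"], "to": ["trust"],
     "service": ["application-default"], "action": "allow"},
    {"name": "permit-all-temp", "from": ["any"], "to": ["any"],
     "service": ["any"], "action": "allow"},
    {"name": "web-out", "from": ["trust"], "to": ["untrust"],
     "service": ["service-http", "service-https"], "action": "allow"},
    {"name": "cleanup", "from": ["any"], "to": ["any"],
     "service": ["any"], "action": "deny"},
]


def zones_are_any(rule):
    """True when both the source and destination zone lists are exactly ['any']."""
    return rule["from"] == ["any"] and rule["to"] == ["any"]


def service_is_any(rule):
    """True when the rule's service setting includes ANY."""
    return "any" in rule["service"]


def is_deny_all(rule):
    """True for an explicit deny matching any zone and any service."""
    return rule["action"] == "deny" and zones_are_any(rule) and service_is_any(rule)


def audit_rulebase(rules):
    """Return a list of (rule name, finding) tuples for best-practice deviations."""
    findings = []
    for rule in rules:
        # Deny rules are allowed to be broad; only permissive rules are flagged.
        if rule["action"] != "allow":
            continue
        if zones_are_any(rule):
            findings.append((rule["name"], "source and destination zones set to any"))
        if service_is_any(rule):
            findings.append((rule["name"], "service setting of ANY on an allow rule"))
    if not rules or not is_deny_all(rules[-1]):
        findings.append(("<rulebase>", "last security policy is not an explicit deny any/any"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_rulebase(SAMPLE_RULEBASE):
        print(f"{name}: {finding}")
```

Running it on the sample flags only the temporary permit-all rule, twice, while the trailing cleanup rule satisfies the deny-any/any check; dropping that cleanup rule produces the rulebase-level finding instead.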
6) Valid licensing
Indeni identifies upcoming license expirations and proactively notifies you. If you are taking advantage of the vendor's offer by obtaining special licenses during the COVID-19 pandemic, rest assured that Indeni can help you manage these ongoing maintenance tasks.
7) SSL Certificate Expiration
An expired SSL certificate would cause a variety of problems:
- Failure of HTTPS requests
- Failure of SSL/TLS web traffic inspection
- Failure of X.509 certificate-based VPN tunnels
Yet, this is one of those often forgotten maintenance tasks and this would be the worst time to encounter this problem. Indeni alerts you in advance if the certificate is about to expire.
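As an added example of the advance-expiry alert described in this section (example code, not Indeni's implementation), the Python below walks a constructed certificate inventory in the shape returned by `ssl.SSLSocket.getpeercert()`, parses each `notAfter` field with the standard-library `ssl.cert_time_to_seconds`, and classifies each certificate as OK, WARNING, CRITICAL or EXPIRED relative to a reference time. The common names, dates, the fixed reference date and the 30-day/7-day thresholds are assumed values for the example.

```python
import math
import ssl
from datetime import datetime, timezone

# Constructed inventory in the shape of ssl.SSLSocket.getpeercert() results.
# Only the fields this check reads are present; names and dates are made up.
SAMPLE_CERTS = [
    {"subject": ((("commonName", "vpn.example.test"),),),
     "notAfter": "Apr 10 23:59:59 2020 GMT"},
    {"subject": ((("commonName", "mgmt.example.test"),),),
     "notAfter": "Dec 31 23:59:59 2020 GMT"},
    {"subject": ((("commonName", "old.example.test"),),),
     "notAfter": "Mar 01 00:00:00 2020 GMT"},
]

# Fixed reference time so the example is reproducible (assumed value).
REFERENCE_NOW = datetime(2020, 3, 20, tzinfo=timezone.utc)

# Alert thresholds in days before expiry (assumed values).
WARN_DAYS = 30
CRIT_DAYS = 7


def common_name(cert):
    """Extract the subject commonName from a getpeercert()-style dict."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<unknown>"


def days_until_expiry(cert, now=None):
    """Whole days remaining (negative once expired), floored to be conservative."""
    now = now or datetime.now(timezone.utc)
    expiry_ts = ssl.cert_time_to_seconds(cert["notAfter"])  # parsed as UTC
    return math.floor((expiry_ts - now.timestamp()) / 86400)


def classify(days, warn=WARN_DAYS, crit=CRIT_DAYS):
    """Map days remaining to an alert severity."""
    if days < 0:
        return "EXPIRED"
    if days <= crit:
        return "CRITICAL"
    if days <= warn:
        return "WARNING"
    return "OK"


def audit_certificates(certs, now=None, warn=WARN_DAYS, crit=CRIT_DAYS):
    """Return a list of (common name, days remaining, severity) per certificate."""
    report = []
    for cert in certs:
        days = days_until_expiry(cert, now)
        report.append((common_name(cert), days, classify(days, warn, crit)))
    return report


if __name__ == "__main__":
    for name, days, severity in audit_certificates(SAMPLE_CERTS, now=REFERENCE_NOW):
        print(f"{severity:8} {name}: {days} day(s) remaining")
```

Leaving `now` unset uses the current UTC time, which is what a scheduled job would do; the reference date is only there so the sample output is stable.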
We encourage existing customers to upgrade to version 7.1.5 or later. Those who are not currently using Indeni, but would benefit from these capabilities, can download Indeni from our website or reach out directly to us at firstname.lastname@example.org. Indeni is committed to helping however it can during this crisis.