Use Dynamic Address Groups in Firewall Policy

-
This is one of the best feature which can be used by Network and security adminitrators.
Today Firewall administrator deal with major challenege of  Auto Removal of Servers which are not part of  current policy . Because that server is decommisioned and because of any xyz reason not informed to security team . Problem occurs when the server with the same IP address is used by other application and because the secuirty admin is not aware of the same . The same old policy which is actually not required can be used by new application.

This will also solve the problem of administrator adding or deleting 1000 of ipswhich ae vulnerable.

As per my knowledge there are few firewall who uses the concept of Dynamic address grup. This is mainly usefull for VM environment wehre we use the concept of Tagging.

This feature is best used in PaloAlto Firewall + VM environment.

You can refer the below link to check the same.....

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/policy/monitor-changes-in-the-virtual-environment/use-dynamic-address-groups-in-policy

https://www.juniper.net/documentation/en_US/release-independent/spotlight-secure/topics/reference/general/secure-connector-dynamic-address-group-overview.html



NEXT BLOG WE WILL BE COVERING THE (ACI  + PALOALTO)  INTEGRATION FOR DYNAMIC EPGS (VIRTUAL + PHYSICAL ENVIRONMENT). 

Comments

Post a Comment

Popular posts from this blog

Traffic Shaping With Fortigate

-
FortiGate v4.0 Description This article describes the Traffic Shaping features that have been implemented in FortiOS 4.0 In FortiOS version 4.0, the traffic shaping has been enhanced. Diagnose commands allowing to verify each traffic shaper's usage and giving more configuration flexibility. See also the related articles at the end of this page for additional information. Solution Summary 1- Traffic shaping configuration is dissociated from the Firewall policies allowing multiple policies to use common configurations 2- Possibility to use independent configurations in policies for forward and reverse traffic directions 3- The P2P shaping capabilities are now defined at the application control level 4- Troubleshooting packet loss with statistics on traffic shaping configurations 5- Troubleshooting packet loss with the debug flow diagnose commands 6- Session list details with dual traffic shaper (forward and reverse traffic) 1- Traffic shaping configuration is di
Read more

DIAGNOSE FORTIGATE HIGH CPU PROBLEM

-
#diagnose system top 5 10. Use this command to display: • up time (Run Time) • current total processor and memory usage • current free memory • a list of the top most resource-intense currently running system processes and daemons, with respect to their memory (RAM) and processor (CPU) usage The first two lines of the display indicate the up time, and the processor and memory usage. Processor and memory usages on the second line have abbreviated labels, highlighted below in bold. Run Time: 0 days, 21 hours and 3 minutes 0U, 4S, 95I; 1035792T, 646920F Table 10: Abbreviations for processor and memory usage Letter Description U User CPU usage (%) S System CPU usage (%) I Idle CPU usage (%) T Total memory (KB) F Free memory (KB) The remaining lines contain the process list, which has the following columns. Table 11: Process list columns Column 1
Read more