Knowing You Are Properly Configured: Panorama Configuration Heat Maps<\/strong><\/h3>\nOne thing we learned the more we performed our prevention posture assessment<\/a>\u00a0was a need to provide \u201cfactual\u201d data to back up our prevention assessment assertions. For this reason, we created a family of Panorama configuration-parser heat maps intended to do exactly that.<\/p>\nThe following heat maps provide different visual representations of actual prevention capability configurations on the Palo Alto Networks Next-Generation Security Platform. Together, they help us measure the extensible configuration for all areas of architecture we previously explained<\/a>.<\/p>\nFigure 1 shows a view of capabilities and their configurations based on device group. Notice that we list the prevention platform capabilities across the top. The capability configuration adoption is provided below each capability. All of these configurations are based on \u201cenable allow\u201d rules configured on the platform, along with profiles that are activated on the rules. Don\u2019t be discouraged by the color-coding. \u201cRed\u201d does not mean bad. Our goal with the heat maps is to determine if the IT and security teams configured the platform as intended. The color code can be of your choosing, and we ask customers to change it often to suit their needs.<\/p>\n
This is a high-level heat map because it is limited to the device\u2019s overall configuration without any detailed understanding of individual rules and capability profiles. However, it is still powerful because it helps IT and security professionals collaborate on how they are using the platform to protect and control their perimeter locations and data center locations.<\/p>\n
![\"readiness_3_1\"]()
<\/span><\/div><\/a><\/p>\nFigure 1: Prevention capability adoption by device group example<\/em><\/p>\nThe second heat map, in Figure 2, gets much more granular in the platform configuration by showing specific zones. In fact, we noticed from practice, that most organizations have an intent of providing full protection and control for internet access points, but don\u2019t really consider enabling protection on internal traffic. This trend is clear in the zone example.<\/p>\n
From a prevention readiness perspective, we reiterate that it isn\u2019t enough just to protect perimeter rules. Going through the capabilities using this view allows us to manage expectations with new customers and existing customers about making sure we confirm that the platform is configured and operating as intended in all zones. This builds confidence that customers get the most prevention capability possible from their investment, and it ensures we build continuous operational rigor around reporting prevention readiness.<\/p>\n
![\"readiness_3_2\"]()
<\/span><\/div><\/a><\/p>\nFigure 2: Prevention capability adoption by zone example<\/em><\/p>\nOur third heat map, in Figure 3, is based on tagging, and this is where things get really interesting. If you use tagging, you\u2019ll like this view as a complement to the other heat maps. If you don\u2019t use tagging, reach out to one of our representatives and work with them to build and implement a tagging strategy. It will be well worth your time to make sure you\u2019re doing all you can to fully use the platform prevention capabilities.<\/p>\n
The following heat maps provide different visual representations of actual prevention capability configurations on the Palo Alto Networks Next-Generation Security Platform. Together, they help us measure the extensible configuration for all areas of architecture we previously explained<\/a>.<\/p>\n Figure 1 shows a view of capabilities and their configurations based on device group. Notice that we list the prevention platform capabilities across the top. The capability configuration adoption is provided below each capability. All of these configurations are based on \u201cenable allow\u201d rules configured on the platform, along with profiles that are activated on the rules. Don\u2019t be discouraged by the color-coding. \u201cRed\u201d does not mean bad. Our goal with the heat maps is to determine if the IT and security teams configured the platform as intended. The color code can be of your choosing, and we ask customers to change it often to suit their needs.<\/p>\n This is a high-level heat map because it is limited to the device\u2019s overall configuration without any detailed understanding of individual rules and capability profiles. However, it is still powerful because it helps IT and security professionals collaborate on how they are using the platform to protect and control their perimeter locations and data center locations.<\/p>\n Figure 1: Prevention capability adoption by device group example<\/em><\/p>\n The second heat map, in Figure 2, gets much more granular in the platform configuration by showing specific zones. In fact, we noticed from practice, that most organizations have an intent of providing full protection and control for internet access points, but don\u2019t really consider enabling protection on internal traffic. This trend is clear in the zone example.<\/p>\n From a prevention readiness perspective, we reiterate that it isn\u2019t enough just to protect perimeter rules. Going through the capabilities using this view allows us to manage expectations with new customers and existing customers about making sure we confirm that the platform is configured and operating as intended in all zones. This builds confidence that customers get the most prevention capability possible from their investment, and it ensures we build continuous operational rigor around reporting prevention readiness.<\/p>\n Figure 2: Prevention capability adoption by zone example<\/em><\/p>\n Our third heat map, in Figure 3, is based on tagging, and this is where things get really interesting. If you use tagging, you\u2019ll like this view as a complement to the other heat maps. If you don\u2019t use tagging, reach out to one of our representatives and work with them to build and implement a tagging strategy. It will be well worth your time to make sure you\u2019re doing all you can to fully use the platform prevention capabilities.<\/p>\n![\"readiness_3_1\"](\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/11\/Readiness_3_1.png\")
<\/span><\/div><\/a><\/p>\n![\"readiness_3_2\"](\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/11\/Readiness_3_2.png\")
<\/span><\/div><\/a><\/p>\n
![\"readiness_3_3\"](\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/11\/Readiness_3_3.png\")
<\/span><\/div><\/a><\/p>\n![\"readiness_3_4\"](\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/11\/Readiness_3_4.png\")
<\/span><\/div><\/a><\/p>\n