Secure Your Hybrid Cloud: Panorama Supports Multiple IP-Tag Sources

Sep 01, 2020
4 minutes
... views

Palo Alto Networks customers can now simultaneously monitor multiple cloud infrastructures and enable consistent security across your hybrid cloud. Panorama™, our network security management solution, offers plugins that collect metadata about workloads and assets from a variety of cloud services for policy creation and enforcement. Palo Alto Networks customers can now retrieve IP-tag mapping from multiple plugins simultaneously, allowing them to create and enforce consistent network security policies across multiple clouds through Panorama – a single pane of glass. This eases unified policy enforcement, reduces the attack surfaces and offers peace of mind.

Organizations are deploying applications in hybrid cloud infrastructures, leveraging the advantages of both the public and private cloud. However, under these circumstances, consistent security visibility and enforcement become more important, especially as these deployments become scattered across the network. Enterprise networks tend to utilize multiple cloud services for their business operations and needs. Our commitment to customers is to provide them with continuous innovations to help better their security posture through visibility and enforcement. 

Now, Panorama can monitor multiple cloud orchestrators simultaneously for rich asset data, to enforce policies that adapt to changes in assets and workload. Our Next-Generation Firewalls (NGFWs) enforce these policies as points of segmentation for your network using Dynamic Address Groups (DAGs) that are composed of IP addresses and dynamic tags. Customers can automate tag updates for different firewalls to keep up with workload updates, auto-scale events, region changes and the deployment of new applications and services. 


Use Case: Leverage Multi-Plugin Support Within Your Hybrid Cloud Environment

Recently, a customer told me about the interconnected nature of their broad network footprint. Their IoT devices (managed using TrustSec) and public cloud deployments (deployed in AWS and Azure) accessed applications and data from their private data center (deployed in NSX). Their data center needed visibility and context into the IoT assets and all public cloud workloads for comprehensive network security. 

The truth is that networks – especially hybrid cloud environments – are constantly changing and complex to secure, and security teams have a difficult time managing dynamic workloads and IoT assets. To reduce complexity for their small security team, they leveraged Panorama, our centralized management solution. Since Panorama was already deployed, all they had to do to gain the visibility and context they needed was follow three simple steps: 

  1. Upgrade PAN-OS to 10.0. 
  2. Configure the free plugins (Trustsec, AWS, Azure and NSX).
  3. Create comprehensive Layer 7 security policies. 

Without spending another dollar or touching the NGFWs, the customer automated the monitoring and enforcement of assets across multiple cloud infrastructures – all managed centrally through Panorama.


How It Works: Supporting Multiple IP-Tag Sources

Customers can simply connect the environment of their choice to retrieve IP-tag mappings via the associated Panorama plugin. Then specify which Device Groups of firewalls will receive the IP-tag mappings from each plugin. Now organizations can implement granular security policies within their hybrid cloud deployment based on any of the workloads in their dynamic environment.

Panorama’s plugin infrastructure will listen to updates from all enabled plugins, associate the updates to DAGs and push the updates to respective groups of firewall devices. Because each cloud environment experiences a different rate of workload or asset changes, the rate at which a plugin updates mappings can be independently configured based on your business needs. Security policies that use the DAGs will automatically adapt to any mapping changes from the plugins.


Get Started Now!

If you are a large enterprise utilizing multiple cloud infrastructures, consistent security across those infrastructures should be a priority. Increase your multi hybrid cloud security so you can focus on prevention rather than trying to deal with a breach after it occurs. One of the best methods to start your journey is to use Panorama and its multi-plugin support for easy management and configuration. This multi-plugin support requires Panorama with PAN-OS 10.0 or later, and it is available for PA-Series physical appliances, VM-Series virtualized firewalls and CN-Series containerized firewalls. Take advantage of the awesome free feature and learn more about multiple plugin support for Panorama.

Subscribe to Network Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.