I want to create a free application that makes everyday life much easier for as many customers as possible, together with a team of idealists. This team may very well be international.
There are commercial products that solve what I want to address, but they are broad and cover much more than what I envision here. This initiative is “narrow” and applies only to Palo Alto Networks firewalls.
The Goal
Responsibility for security is shared. When a malicious incident occurs in IT, it will impact non-IT assets. The owners of these non-IT assets MUST take greater responsibility for security. By creating a method that allows those who own the assets to control what should be permitted, responsibility is placed where it truly belongs.
Background
Through my work with Palo Alto Networks firewalls since 2012—a firewall platform that has been API-first since PAN-OS 1.0 in 2007—I see very few are taking advantage of the fantastic automation capabilities this product offers. Those who have done so have achieved truly amazing results.
At the same time, I feel a sense of frustration for all those who never get to experience these powerful possibilities.
Automation and integration will open new opportunities and dramatically increase efficiency. Time and resources saved, and better security will be achieved.
What Do I Want?
I’ve never done this before. I’m thinking open source. This is about teamwork. Are we talking Git?
The Application
This must be an application customers download and run in their own environments. How code updates are handled is something we will figure out together.
Features
What I envision as features for a tool intended for all Palo Alto Networks NGFW customers worldwide:
- It must, of course, be in English.
- A self-service portal for those who request access. This can and should be business and system owners.
- An approval portal for administrators. When a request is submitted, it must be sent to a team of administrators who review it to ensure Least Privilege and/or best practices.
- An administrator can approve by clicking a “button” that sends an API call to the firewall and implements the new rule set.
- An administrator can send the request back to the requester with instructions on what needs improvement, thereby contributing to skills development and awareness. The requester will be noticeably better prepared for the next request.
- Log visibility.
- The requester must also have access to relevant logs to see what is allowed and what may be blocked. With such a tool, firewall administrators will be significantly relieved, as the requester can make adjustments themselves.
More will come as we work on this, but I think what’s outlined here is a solid starting point.
It might be smart to include a feature wish list in Git, or something similar. Features of wish in the near future:
- Device dashboard for administrators to show devices, with software versions and more.
- The solution should be able to alert administrators via email or similar if something occurs.
- The tool should include best practice snippets customers can push to the firewall.
- The tool should have a best practice check aligned with Iron Skillet and/or Strata Cloud Manager, or similar.
- And more.
Let’s Get Started
Christmas (2025) is approaching and I suggest we start by spreading the word to form an initial group. After that, we can plan a physical meeting early in the new year.
I have a few customers who already run similar solutions and will ask whether they are willing to share some source code we can start with.
Let’s together create the next generation of strong security for as many as possible.
Leave a Reply