Juniper Migration Webinar

Migrating from Juniper to Palo Alto Networks
Key Differences
Key Reasons to Migrate
Migration Best Practices
2 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Applications Have Changed, Firewalls Haven’t
Network security policy is enforced at the
Sees all traffic
Defines boundary
Enables access
Traditional firewalls don’t work any more
The Firewall as a Business Enablement Tool
• Applications: Enablement begins with application classification by App-ID.
• Users: Tying users and devices, regardless of location, to applications with User-ID and
• Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.
Controlling Applications, Content and Users
Broad Range of Hardware Platforms
[Slide table, one row per platform, with columns Firewall Throughput, Threat Prevention, Session Capacity and interfaces; the platform names and the session-capacity figures did not survive extraction.]
Firewall throughput / threat prevention throughput, largest platform first: 120 Gbps / 60 Gbps (system; 20 Gbps / 10 Gbps per NPC), 20 Gbps / 10 Gbps, 10 Gbps / 5 Gbps, 5 Gbps / 2 Gbps, 4 Gbps / 2 Gbps, 2 Gbps / 1 Gbps, 1 Gbps / 500 Mbps, 500 Mbps / 250 Mbps, 250 Mbps / 100 Mbps, 100 Mbps / 50 Mbps.
Interface options shown: 24 SFP+ (10 Gig), 48 SFP (1 Gig) and 72 copper gigabit on the largest (NPC-based) platform; 4 SFP+ (10 Gig), 8 SFP (1 Gig) and 12 copper gigabit on three mid-range models; 12 or 16 copper gigabit, 8 copper gigabit and 4 copper gigabit on the smaller appliances.
Juniper SRX Overview
SRX = Security services gateways.
• Successor to the NetScreen/ScreenOS products
• Uses JUNOS, a high-performance routing OS
• Two platform families
  - Enterprise and datacenter (SRX1400 to SRX5800)
  - Small, distributed enterprise (SRX100 to SRX650)
AppSecure addresses next-generation firewall features
• NGFW feature components added to stateful inspection
• AppTrack (visibility), AppFW (application identification and control), AppQoS (QoS) and AppDoS (DoS)
Application identification and control are performed after an initial port-based firewall decision is made
Three Reasons to Migrate
Top 3 Reasons to Migrate
1. Context-based policy management
2. Positive control model
3. APT prevention
Context-based policy management draws on: application function, file type, file name, URL category, destination country, source IP, destination port and destination IP.
Shared Context Highlights the Value of Integration
Apps | Functions | Users | IPS | AV | AS | Malware | QoS | Files | Patterns
Safe Enablement Policies
Reporting | Logging | Forensics | Panorama
Operational Efficiency: Unified Policy Control
Users/User Groups
Threat Prevention
Vulnerability Protection
URL Filtering
Single Policy for application, user and content (threat prevention)
AppSecure Management: different policy management components
AppSecure Management Challenges
• Multiple management components required (Space, CLI, STRM) = more work, less visibility & control, slows responsiveness
• User information is not natively integrated; requires UAC + Pulse = more work, more devices and components to manage, less effective
Application Control in the Firewall
[Figure: a single policy decision, "Allow Facebook", made under the positive control model.]
Key Difference
• Single firewall policy: less work, more secure. Administrative effort is reduced; potential reconciliation holes eliminated.
• Positive control model: allow by policy, all else is denied. It's a firewall.
• Single log database: less work, more visibility. Policy decisions based on complete information.
• Systematically manage unknowns: less work, more secure. Quickly identify high-risk traffic and systematically manage it.
• Shared context: less work, more secure. App, content and user are pervasive: visibility, policy control, logging, reporting.
Application Control as an Add-on
[Figure: Decision #1, "Allow port 80" (tcp service on port 80), opens ports to allow the application; Decision #2, "Allow Facebook". Facebook allowed…what about the other 299 apps?*]
*Based on Palo Alto Networks Application Usage and Risk Report
Key Difference
• Two separate policies: more work. Two policies, more admin effort. Possible security holes: no policy reconciliation tools.
• Two separate policy decisions: weakens the deny-all-else premise. Applications allowed by FW decision.
• Two separate log databases: less visibility with more effort. Informed policy decisions require more effort, slows reaction time.
• No concept of unknown traffic: increased risk. Unknown is found on every network = low volume, high risk. More work, less flexible: significant effort to investigate; limited management.
• No shared context: more work, less knowledge, slows reaction time. Finding and correlating app, user, content requires significant effort.
A Unique Approach to Protecting your Network
APT protection
• Scan ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics
• Prevent attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures
• Detect zero-day malware & exploits using a public/private cloud and automatically create signatures for the global customer base
WildFire: Stopping the Unknowns
• 10 Gbps advanced threat visibility and prevention on all traffic, all ports (web, email, SMB, etc.)
• Global intelligence and protection delivered to all users
• Malware run in the cloud with open internet access to discover C2 protocols, domains, URLs and staged malware downloads
• New malware signatures automatically created by WildFire and delivered to customers globally
• Stream-based malware engine performs ongoing in-line
• On-premises WildFire appliance available for additional data privacy
[Figure: WildFire users and the WildFire appliance connected to the cloud, which also draws on soak sites, sinkholes and 3rd party sources; labels shown: staged malware downloads, host ID and data exfil, anti-malware signatures, DNS intelligence, malware URL database, anti-C2 signatures.]
Feb 2014: Continued Security Business Uncertainty
The company could cut $200 million in annual operating costs and buy back $2.5 billion in stock immediately and an additional $1 billion in 2015, Elliott said in a presentation of its proposals. Juniper should also review its security and switching businesses to streamline products, and "focus on projects and areas where Juniper has clear competencies and the greatest risk-adjusted return on investment," Elliott
Security commitment?
Our next-generation enterprise security platform
Threat Intelligence Cloud
• Gathers potential threats from network and
• Analyses and correlates threat intelligence
• Disseminates threat intelligence to network and endpoints
Next-Generation Firewall
• Inspects all traffic
• Blocks known threats
• Sends unknown to cloud
• Extensible to mobile & virtual networks
Advanced Endpoint Protection
• Inspects all processes and files
• Prevents both known & unknown exploits
• Integrates with cloud to prevent known & unknown malware
Migration Best Practices
From Consulting Services
Perceived Port/Protocol/IP Migration Challenges
Cost: people and time
• Perception of workload and a lot of tedious typing to migrate from your current
• Moving configurations can seem daunting and appear to involve a lot of risk
Legacy policy
• Policies were originally created with a port / protocol / IP mindset and are not optimized for applications and users
Lost history
• Many companies face "policy bloat" and "cruft" in their firewall configurations
Performing the Migration
An effective migration requires a combination of people, process, and technology to efficiently and effectively migrate from legacy firewalls to Palo Alto Networks. This approach reduces potential risks and lowers cost.
• People: the engineers performing the task need knowledge of the current platform and Palo Alto Networks.
• Technology: migration tools can automate the routine conversion tasks, reducing effort (cost) and risk.
• Process: any migration should follow a proven methodology and (audit, analyze, migrate, cutover).
The Spectrum of Conversion Options
Many options exist when performing the initial conversion from IP/port/protocol to user/application-based policies. There is a spectrum of options, each with pros/cons and potential risk.
[Figure: initial policy / object conversion options on a spectrum from "less risk, lower effort, small reward" to "more risk, higher effort, big reward". Labels shown: Migrate objects and policies "as is"; Policy / object "cleanup"; Policy / object "cleanup" + move to application; Migrate to]
Palo Alto Networks Firewall Migration Tool
Web 2.0 application in a VMware image
• Parses configurations into a database backend and web UI frontend
Provides multiple options:
• Migrate objects & policies
• Migrate used objects only, or both used / unused objects
Allows "in-place" editing of PAN-OS objects, services & policies prior to
Doesn't replace the need for people with expertise in the current technology and PAN-OS
Goal of the tool is 85+% policy migration automation
Migration Process - Walk Through
Migrate L4 to L4 (Phase I)
• Reduce the number of rules by combining similar ones. By destination address for
• Clean up all unused objects. Clean up disabled rules.
• Change services based on protocols other than TCP/UDP to Palo Alto Networks App-IDs. Example: IKE, IPSEC, GRE
• Change services with an ALG to Palo Alto Networks App-IDs. Example: FTP, SIP
• Review & add all NAT rules. Check that the security policies match the destination zones when destination NAT is defined.
Example: Reducing Policy Rules
Due to the simplistic nature of the security rules, we can often combine many policies into one, especially if we can utilize App-ID.
Migration Process - Walk Through (Cont’d)
Migrate from L4 to L7 (Phase II)
• Put the migrated L4 policy on your Palo Alto Networks device. Connect to your
  - In-line (L3, L2, VWire).
  - Off-line (TAP mode).
• From this moment the Palo Alto Networks device will classify all the traffic in your network. That means it will identify all the applications and generate all the log entries for the application traffic.
• From the current logs we can extract the applications seen by each rule and we can start to swap from L4 services to App-ID without breaking anything.
Additional Migration Considerations
Once we have changed services to App-IDs, change the service to "application-default" or leave the previous port. If the application always uses the same port, restrict detection of the application to that port to reduce the surface.
Control the Unknown
• From the logs, check for unknown traffic (tcp/udp/p2p) and generate custom signatures to identify custom apps. Use Application Override when needed.
• If you have URL filtering activated, check for the app web-browsing with the category "unknown". Generate a proper App-ID to identify this traffic as your custom app instead of web-browsing. This is more efficient.
• Block all the unknown.
Threat Prevention
• Activate WildFire where the apps can transfer files (PE, PDF, Office, APK, Jar).
• Activate IPS/AV/anti-spyware profiles on your rules. Use the migration tool to do it in bulk.
• Integrate with your user repository to move from static IP addresses to users and groups. Improve visibility and gain mobility.
Migration Tool – Juniper Caveats
Objects in Address-Books
• Check whether an object is defined in several address books (one per zone). If the definitions are equal, import it only once.
• Check whether the IP address / port differs between zones. If it differs, use different names to avoid duplicate-object errors.
Policies and Zones
• Policies can be reduced simply because a rule can use more than one zone, or the zone ANY. Potential for significant rule reductions here.
• Customer with 4,623 rules: direct reduction by 3 just by working with the zones.
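Both Juniper caveats above, as an added example (not the Migration Tool's own code): per-zone address books are merged so an identical object is imported once and a name that carries a different address in another zone is renamed, and rules that differ only in source zone are collapsed into one multi-zone rule without widening access to zone pairs no original rule permitted. The sample address books, the policies and the "-zone" suffix naming convention are assumptions.

```python
from collections import defaultdict

# Constructed Juniper address books, one per zone (sample data, not a real config).
ADDRESS_BOOKS = {
    "trust":   {"web-srv": "10.1.1.10/32", "dns-srv": "10.1.1.53/32"},
    "dmz":     {"web-srv": "10.1.1.10/32", "mail-srv": "192.0.2.25/32"},
    "untrust": {"web-srv": "203.0.113.10/32"},  # same name, different address
}
# Constructed zone-pair policies: (from zone, to zone, source, destination, service, action).
POLICIES = [
    ("trust", "dmz", "any", "web-srv", "tcp/443", "permit"),
    ("guest", "dmz", "any", "web-srv", "tcp/443", "permit"),
    ("trust", "dmz", "any", "mail-srv", "tcp/25", "permit"),
]

def merge_address_books(books):
    """Import each (name, value) once; rename a name whose value differs by zone."""
    merged, imported, renamed = {}, {}, []
    for zone, book in sorted(books.items()):
        for name, value in book.items():
            if (name, value) in imported:
                continue  # identical object already taken from another zone's book
            obj = name if name not in merged else f"{name}-{zone}"  # suffix convention assumed
            merged[obj] = value
            imported[(name, value)] = obj
            if obj != name:
                renamed.append((zone, name, obj))
    return merged, renamed

def combine_by_zone(policies):
    """Merge rules that differ only in source zone into one multi-zone rule.
    The destination zone stays in the grouping key so the merged rule never
    permits a source/destination zone pair that no original rule allowed."""
    groups = defaultdict(set)
    for src_zone, dst_zone, src, dst, svc, action in policies:
        groups[(dst_zone, src, dst, svc, action)].add(src_zone)
    return [{"from": sorted(zones), "to": dz, "src": s, "dst": d, "service": v, "action": a}
            for (dz, s, d, v, a), zones in groups.items()]
```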
Best Practices to Make Your Migration Successful
1. Align people, process and technology
2. Understand conversion options and optimize policies (ports vs. apps)
3. Utilize the migration tool to automate conversion tasks (objects, rule base)
4. Validate accuracy and verify changes
5. Post migration
   • Implement custom App-IDs
   • Rule cleanup: use the "Highlight Unused Policies" feature to clean up post-migration
   • Enable additional security features (User-ID, Content-ID, WildFire, etc.)
Get Your Free AVR Report
Find out which applications and threats are on your network with
a FREE assessment from Palo Alto Networks
Palo Alto Networks Application Visibility and Risk Report (AVR) :
• Request an evaluation
• Place Palo Alto Networks inside your network
• We'll tell you what applications and threats we see in your network!
Register today at: