I am a pretty excited about this release of Network Configuration Manager! This is the first time that our Network Insight feature includes awesome capabilities from NCM, Network Performance Monitor (NPM), and NetFlow Traffic Analyzer (NTA)! This very special Network Insight for Palo Alto® firewalls provides users with visual insights into their policies, traffic conversations across policies, and VPNs! In addition, NCM is introducing an easier to use config change diff, additional vendor support for Firmware Upgrade, and many other improvements!
Network Insight for Palo Alto
In this release we dive head first into your Palo Altos security policies providing you context into their configuration, changes, and impact to your network. We have included many of the features seen in our previous Network Insight for Cisco ASA, as well as added some new ones specifically addressing the workflow on a Palo Alto device.
- Complete list view of security policies
- Detail view into each policy and its change history
- Gain insight into the traffic characterization for each individual policy, when deployed with NPM + NTA and NetFlow is enabled on the Palo Alto
- Usage of a policy across other Palo Alto nodes managed by NCM
- Policy config snippets
- Interface config snippets
- Information on the Applications, Addresses, and Services
- Site to Site and Remote Access (Global Protect) VPNs, when deployed with NPM
In v8.0 we incorporated feedback that many of you provided and optimized the policy list view to reduce information clutter and improve readability. Now we display only what you need to see as a summary: the policy name, action, source and destination zones, and when the last change was recorded. We also made sure that for firewalls with a large number of policies you can search and filter through the list.
Once you drill down into an individual policy, you can quickly and easily drill into the details to view or verify if the policy is configured correctly. This includes information such as the zones, applications, services, tags, and more.
We have also added some brand-new widgets that give you greater context into the impact of your policies on your traffic and if a policy is being utilized by other Palo Alto firewalls in network.
For this Network Insight NTA contributed the ability to correlate a policy to the live conversations occurring across that policy. While monitoring and managing policies is critical to controlling how your firewall is handling your traffic, it is a critical necessity to observe the conversations that are impacted by that policy. In this view, we're looking at all of the conversations that are based on applications defined in the policy. For an administrator considering changes at the policy level, this is a valuable tool to understand how those rules apply immediately to production services and what kinds of impacts changes to them will have.
Some policies are meant to extend across multiple firewalls and without a view to see this, context can be lost about the effectiveness of your policy usage. With NCM v8.0 it scans the configs of each Palo Alto firewall to identify common security policies and display their nodes status. As an administrator, this gives you the ability to confirm if your policies are being correctly applied across the network and to take action if they are not.
Updated Config Diff
In an effort to reduce the amount of time you commit to spotting changes in a config diff, we are introducing a simpler and easier to use Config Diff based on what you may have already seen in Server Config Monitor (SCM). It highlights the changes +/- 5 lines above the changes and collapses any unchanged lines, giving you immediate context of the change.
Additional Vendor Support for Firmware Upgrade
NCM v8.0 adds Juniper and Lenovo Switches support to our Firmware Upgrade feature, as new out of the box templates. Now you can easily execute firmware upgrades against these vendors devices, ensuring that your device stay up to date and protected from any fixes the vendors provide.
We have been working hard to bring these wonderful new features to you in NCM, so be sure to visit your customer portal to download the RC and review the release notes and system requirements. We are also not the only ones with a release candidate available, be sure to check out the rest of the network management portfolio for other great content ranging from IP request form improvements, IPv6 traffic support, CUBE monitoring, and more!
If there is anything you think that we should consider in a future release please be sure to go create new feature request to let me know about the additional functionality you would like to see!