{"id":104808,"date":"2020-01-03T06:00:07","date_gmt":"2020-01-03T14:00:07","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=104808"},"modified":"2020-01-28T13:33:10","modified_gmt":"2020-01-28T21:33:10","slug":"network-panorama-plugin","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2020\/01\/network-panorama-plugin\/","title":{"rendered":"Better Security Policy Enforcement with Panorama Plugin for Cisco TrustSec"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Palo Alto Networks customers can now use Panorama, our network security management tool, for even greater network visibility, with a new plugin for Cisco TrustSec.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Enterprise networks have become increasingly vulnerable to advanced threats because of fundamental shifts in the way diverse groups of users access the network from multiple endpoints. Once an adversary breaks into the network through any of these endpoints, they move laterally to gain access to sensitive data. <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/resources\/videos\/importance-of-segmentation\"><span style=\"font-weight: 400;\">Segmenting the network<\/span><\/a><span style=\"font-weight: 400;\"> is an effective security strategy for reducing the risks and impacts of these breaches. With <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/what-is-network-segmentation\"><span style=\"font-weight: 400;\">segmentation<\/span><\/a><span style=\"font-weight: 400;\">, it\u2019s easier to confine an adversary breaking into your network. However, network segmentation modeled on IP addresses alone is inefficient and complex to maintain, and can be exploited by adversaries.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Since our commitment is to provide the best security possible, we integrate with third parties so our customers can have security in heterogeneous environments. 
One example is our Panorama plugin integration. The Cisco Identity Services Engine (ISE) is designed to provide rich user device details when a user connects to the network. After the device is classified, Cisco TrustSec, which is configured on top of ISE, associates security group tags (SGTs) to the user\u2019s endpoints. Other network components such as switches, routers, WLAN controllers and firewalls also utilize SGTs to enforce access control security policies. As a Palo Alto Networks customer, you can now leverage <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/network-security\/panorama\"><span style=\"font-weight: 400;\">Panorama<\/span><\/a><span style=\"font-weight: 400;\">TM<\/span><span style=\"font-weight: 400;\"> to get visibility into this data to further enforce security across your network.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">With the new <\/span><a href=\"https:\/\/docs.paloaltonetworks.com\/vm-series\/9-0\/vm-series-deployment\/endpoint-monitoring-for-cisco-trustsec.html\"><span style=\"font-weight: 400;\">Panorama plugin for Cisco TrustSec<\/span><\/a><span style=\"font-weight: 400;\">, your enterprise IT teams can create a security policy for your TrustSec environment using <\/span><a href=\"https:\/\/docs.paloaltonetworks.com\/pan-os\/9-0\/pan-os-admin\/policy\/monitor-changes-in-the-virtual-environment\/use-dynamic-address-groups-in-policy\"><span style=\"font-weight: 400;\">dynamic address groups<\/span><\/a><span style=\"font-weight: 400;\"> (DAGs). The Panorama plugin is designed to monitor changes in IP addresses and tags in the <\/span><a href=\"https:\/\/www.cisco.com\/c\/en\/us\/products\/security\/pxgrid.html#~stickynav=1\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Cisco ISE\/Platform Exchange Grid (pxGrid) service<\/span><\/a><span style=\"font-weight: 400;\"> and register that data into Panorama. 
It <\/span><span style=\"font-weight: 400;\">processes the endpoint information and converts it to a set of tags that you can use as match criteria for placing IP addresses in dynamic address groups, allowing you to create policies that automatically adapt to change.\u00a0<\/span><\/p>\n<p><b>Use Case: Leverage Security Tags in Your Healthcare Environment<\/b><\/p>\n<p><span style=\"font-weight: 400;\">I talked with a customer recently who has a few hundred biomedical devices deployed on a network. An important part of the customer\u2019s security policy is to segment these devices from the internal network for compliance, ensuring the availability of patient care and data security. Because the customer has a lot of external vendors, these devices also need to support remote VPN.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This customer plans to adopt the Security Group Tag framework to classify and segment these biomedical devices. This will help prevent any lateral movement from the biomedical devices to the internal network that contains sensitive data.<\/span><\/p>\n<p><b>How it Works<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The new Panorama plugin consumes session objects from the ISE pxGrid service. Each session object contains a TrustSec SGT and the IP address of the device. The plugin then pushes the IP and SGT mapping to the firewalls. This improves on previous approaches because customers can use the tags to configure DAGs for security policy enforcement. With the new Panorama plugin, you can now use these tags in the Palo Alto Networks Next-Generation Firewall security policy and enforce segmentation and access.<\/span> <span style=\"font-weight: 400;\"><br \/>\n<\/span><\/p>\n<p><b>Ready to Install Now? 
<\/b><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">The plugin requires Panorama version 9.0 or later and is capable of supporting both PA-Series physical appliances and the VM-Series virtualized firewalls. Since the plugin is optional and not built in, you must install or upgrade it on Panorama to enable functionality.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If you do not have Panorama, we have an alternative open source solution, <\/span><a href=\"https:\/\/github.com\/PaloAltoNetworks\/gridmeld\/blob\/master\/doc\/admin-guide.rst\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">gridMeld<\/span><\/a><span style=\"font-weight: 400;\">. Check out the link above to integrate with Cisco TrustSec.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Read more in our TechDocs article: <\/span><a href=\"https:\/\/docs.paloaltonetworks.com\/vm-series\/9-0\/vm-series-deployment\/endpoint-monitoring-for-cisco-trustsec.html\"><span style=\"font-weight: 400;\">Endpoint Monitoring for Cisco TrustSec.\u00a0<\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since our commitment is to provide the best security possible, we designed our Panorama plugin for security in heterogeneous 
environments.<\/p>\n","protected":false},"author":630,"featured_media":104064,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6765],"tags":[6970,1171,80,6971,613,6972],"coauthors":[6728],"class_list":["post-104808","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-enterprise","tag-cisco-trustsec","tag-dynamic-address-groups","tag-network-segmentation","tag-network-visibility","tag-panorama","tag-security-group-tags"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/11\/Image-1.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/104808","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/630"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=104808"}],"version-history":[{"count":5,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/104808\/revisions"}],"predecessor-version":[{"id":105702,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/104808\/revisions\/105702"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/104064"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=104808"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=104808"},{"taxonomy":"post_tag","embeddable":true,"h
ref":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=104808"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=104808"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}