Config Validations: PAN-OS¶
Validation skillets allow for assessment of the config files or system state with pass/fail outputs based on validation skillet test rules. Each test result is mapped to its respective section in the Visual Guide for manual review and remediation.
The following validations are provided with IronSkillet
Full Configuration Assessment¶
View validation test file: [ 9.0 | 9.1 ]
Looks at a firewall xml configuration file to determine what elements recommended by IronSkillet are missing from the analyzed config file. Types of validation tests include the following based on IronSkillet recommendations:
- telemetry enabled
- dynamic updates configured
- use of snmpv3
- dns and ntp configured
- login banner configured
- timezone set to UTC
- auto acquire commit lock enabled
- X-Forward-For settings
- http range disabled
- inspection queue related settings
- max rows for CSV export
- API key lifetime
- admin attempts, timeout, and lockout
- Wildfire file size limits configured
- enable application block page
- disable log suppression
- prevent TCP evasions
- configure password complexity
- recommended zone protection profile
- inclusion of IronSkillet named profiles and groups
- logging configuration
- EDL block rules
- reference no-decrypt rules for cert checks
- address objects
- report and email scheduler related configuration
Upgrade to Newer Release Deltas¶
View validation test file: [ 9.0 | 9.1 ]
Looks at a firewall xml configuration file to determine what elements recommended by IronSkillet are missing from a recently upgraded PAN-OS version to 9.x. Types of validation tests include the following based on IronSkillet recommendations:
- addition of panw-bulletproof-ip-list to the EDL block rules
- API key lifetime configured
- WF file size limits for script
- IPv4 sinkhole address object is using FQDN
- default-paloalto-cloud is used for the DNS security service setting in the anti-spyware profile
- new URL categories such as newly-registered-domain, grayware and cryptocurrency have been added