Amazon Web Services - Automated Palo Alto deployment
As part of an Agile development project, we worked closely with our client to integrate a Palo Alto firewall deployment into their Amazon Web Services (AWS) project.
This firewall was bootstrapped entirely from code and could be deployed (via Jenkins and CloudFormation) in a matter of a few minutes, ensuring that it added little overhead to their development and deployment timelines.
All Internet ingress and egress traffic was routed through the Palo Alto firewall, so that it provided a secure network perimeter. This complemented the controls AWS already provides in the form of Security Groups and Network Access Control Lists with the additional functionality of a Next Generation Firewall, including network-level application inspection, URL filtering, anti-virus and anti-malware.
Network Test Lab Automation
Working with a global bank's network testing facility, we implemented automation technologies to cut down the cost and effort of repeatable testing.
An automated testing facility was created using a combination of the following technologies:
- Spirent iTest
- Spirent Velocity
- MRV Layer 1 Switches
- TCL Scripting
- Python Scripting
This had numerous benefits for the bank:
- Building a sample branch was as simple as clicking some buttons. By drawing a topology in a web interface and running some pre-written scripts, a full branch replica could be built to a specific configuration, with each device running a specified software version. This complete build took around 45 minutes, compared to around 2 weeks of man-hours before.
- All devices were permanently cabled to the Layer 1 MRV switches and then connected together as required in software. This facilitated remote working and reduced cost: no more broken cables due to overuse, and no more staff spending hours running cables to build design-specific topologies.
- The test engineers were provided training sessions on how to design their own test cases, to facilitate future adaptations to the lab.
Palo Alto Firewall Migration
A global marketing company engaged with us to assist with a firewall migration project, to replace their ageing Check Point firewalls with Next Generation Palo Alto firewalls in their data centre.
After working with the client to assess the requirements, we discovered that approximately 120 Virtual Routing and Forwarding (VRF) tables needed migrating to the new firewalls, one at a time to minimise service disruption and risk. We identified that these VRFs were all configured in a standard way, and developed Python scripts to automate the creation of the migration scripts.
Using the scripts we could analyse the configuration of each VRF and output a script to perform the necessary infrastructure changes to the switches, routers and firewalls in a few minutes; previously this would have taken an engineer approximately 1 day per VRF.
We then developed a website using the Python Django Web Framework to import, filter and manipulate the rules and objects from the Check Point firewalls, to assist with the analysis of the existing rules and to output configuration commands that add the relevant rules to the Palo Alto firewalls. This substantially reduced the time spent analysing the rules.
Finally, we carried out the initial part of the migration work, whilst delivering training to the client's engineers so that they could carry out the migration effectively.
Internet Service Provider Configuration
We were engaged to design and build a new Internet Service Provider service for a Professional Services company in Leeds.
After meeting with the client to gather their exact requirements, we came up with a detailed design including Low Level Design (LLD) diagrams.
We then wrote secure configuration templates and applied the configuration to the devices, and worked closely with the client to stand up the equipment and perform functional testing.
The documentation pack delivered to the client included details of the environment's configuration, detailed design diagrams, and configuration snippets to enable the client's engineers to easily add customers to the service.
Check Point Firewall Upgrade
Our client asked us to assist them with upgrading four Check Point firewall clusters across two data centres, from R71 to R77.
We wrote detailed change plans, using R75 as a staging version as per Check Point's recommended upgrade path.
The Security Manager Server (SMS), and all four High Availability clusters were then upgraded in sequence, with minimal service disruption to the data centres.