About Us

Citrus Consulting Services is the Consulting and the Transformation Services arm of Redington Gulf.


Palo Alto in HA Cluster Active/Passive Robust Implementation on Azure for Leading Bank

Customer Introduction

Citrus Consulting FZ LLC was engaged by one of the leading banks in Dubai to design and implement Palo Alto Networks Next-Generation Firewalls in active-passive high availability for both their Production and DR sites, following industry-standard best practices, to help them effectively monitor and secure extremely sensitive IT resources placed in their new Azure environment.

Citrus Consulting Services implemented Palo Alto in an active/passive HA cluster on Azure, in a robust design with traffic flowing through Azure ExpressRoute, for a leading bank in the UAE.

Challenge Overview

  • The customer wished to migrate their sensitive on-prem banking resources and applications to Azure Cloud.
  • Secure migration of the on-prem ATM monitoring solution and other sensitive core banking solutions to Azure.
  • Ensure that only the traffic flows required by the business are allowed and all others are blocked.
  • The foremost requirement was the security of data at rest and in transit.
  • Ensure that traffic logs and all event logs are pushed to the SIEM in a timely manner for monitoring and threat prevention.
  • All traffic between the V-Net and on-prem, in both directions, should flow only through Palo Alto, which should inspect the traffic and forward only legitimate traffic over Azure ExpressRoute.
  • Gap analysis for the development phase.
  • Policy building, management and enabling of advanced security services through the next-gen Palo Alto firewall.
  • Ensure optimum security measures are taken and dynamic threat updates are kept up to date.

Solution Overview

  • Configuration of Palo Alto Networks VM-Series VM-300 Next-Generation Firewall (NGF) virtual appliances in active/passive high availability.
  • Ensure minimum downtime during failover.
  • Implementing security policies based on the zero trust concept, allowing traffic only from specific sources to specific destinations as per business need.
  • Ensure resources in the private subnet are not open to the world.
  • Implementing dynamic updates and threat updates.
  • Attaching IDS/IPS policies to the security policies, further enhancing the security of traffic.
  • Integrating a syslog server with PA to push traffic, incident, event and threat logs to the syslog server, where they are later parsed for monitoring on Azure SIEM.
  • Ensure only specific network and application ports are allowed for business-related communications.
  • Configure the device hostname and time synchronization with on-prem so security events can be correlated accordingly.

Benefits Delivered to Customer

  • Firewall providing secure communication between on-prem and cloud using appropriate encryption levels and security profiles (for different types of attacks such as spyware, viruses, DoS etc.) built using best practice and PCI compliance.
  • End-to-end configuration and troubleshooting support for the cloud-hosted firewall by in-house security experts.
  • Configurations in sync with industry-standard best practices.
  • Review of each security policy and configuration to ensure it meets the pen-test standards.
  • Embedded inline threat and IPS/IDS into the core banking application.
  • Session, config and updates sync between the HA pair of firewalls.
  • Automated and manual Endpoint Detection and Response was implemented to protect the critical infrastructure.
  • Auto updates to ensure that minimum human effort is required while the latest versions stay installed.
  • Adhering to strict timelines to ensure smooth completion of the project.
  • Achieved 100% successful alpha, beta, user-acceptance and stress test scenarios and subsequent cases.
  • Achieved 0% penetration points for the application and infrastructure.

Project Info