Falco Configuration Monitoring
In-depth Palo Alto Networks configuration audits coupled with quick access to subject matter experts.Request A Demo
Improve the Hygiene of Your Security Rulebase
Identify Misconfigurations and Vulnerabilities Before Attackers Do
Secure Workflows Throughout Your Organization
Choose The Tier That's Right For Your Org
- Automated PAN Config Audits
- Panorama Support
- PAN-OS Vulnerability Scanning
Everything in the Lite tier plus:
- Email Notifications for Config Regressions
- Per-VSYS Reporting
- 2 Tickets/Month Entitlement*
- Hourly Config Backups
- Scheduled Report Setup
Everything in the Standard tier plus:
- Access to 160+ pre-built lists using our EDL Service
- SSL Decryption Setup
- Customized Digital Scepter involvement with your team
Explore plans in more detail
|Automated PAN Configuration Audits
|Emailed Configuration Reports
|Config Scan Interval
|PAN-OS Version Upgrade Review
|PAN-OS Vulnerability Scanning
|Email Notifications for Config Regressions
|2 Tickets/Month Entitlement *
|Hourly Config Backups †
|Scheduled Report Setup
|Access to 160+ pre-built lists using our EDL Service
|Critical System Log Monitoring
|SSL Decryption Setup ‡
|Customized Digital Scepter involvement with your firewall management team
* Open up to two tickets per month with Digital Scepter's support engineers (see terms and conditions), can be used for remote threat support, PAN-OS upgrades, configuration assistance or support questions, User-ID environment reviews, change reviews and more. Tickets are limited to four hours per ticket.
† We retain the latest 100 configuration versions for each device
‡ See service description in Falco Service Agreement
|< 8 hours
|< 8 hours
|< 2 days
|< 2 days
|< 4 days
|< 4 days
|Case Severity Levels
|Product is down and critically affects your production environment
|There is something broken, but production systems are not impacted to the extent of a critical issue
Why Choose Falco?
Over a decade of experience
Digital Scepter has extensive experience installing, configuring and managing Palo Alto Networks next generation firewalls (Strata). Falco applies this expertise to monitor your firewall configurations and report on the security posture of your entire firewall fleet. You’ll receive regular easy-to-read reports which give you important information at a glance, along with a result history chart to show how your configurations are improving. It’s easy to make a plan of attack to improve your firewall security posture with the built in remediation recommendations. Upgrade to Falco or Falco Plus to access the world renowned Digital Scepter support service and use your monthly ticket quota to work on improving your firewall or for assistance with maintenance issues.
You already have the best firewall, now take advantage of it
Even the best technology is worthless if it isn’t configured right. Maintaining a secure firewall configuration is a continuous process of review and revision in order to meet your unique security and availability needs. Falco's detailed reports allow you to maximize the value of the hardware and licenses you've already purchased.
Firewall Configuration Audit Reports
Traditionally, performing a detailed health check is a manual process that doesn’t scale past a few devices. Falco can scan you entire configuration in under a second and immediately highlight the most important issues that need addressing.
The service continuously monitors your firewall configuration via the built-in API and sends you detailed reports on a regular basis. The report structure mirrors the UI layout on the firewalls to aid reviewers with remediation efforts.
Configuration Regression Alerting
When a check that was previously passing fails the Falco service can optionally send you a regression notification email. In the email, you’ll find details of exactly what changed along with a full report at the time of the regression. Often times misconfigurations can go undetected for a long time until they cause trouble. With regression emails enabled you'll be alerted if the configuration change you just made introduced a potential issue.
In addition to connecting directly to firewalls, Falco can connect to Panoramas and scan all connected devices. As firewalls are added and removed from Panorama, they will be automatically added and removed from your reports. Falco also has a series of Panorama-specific checks to make sure your Panorama is configured correctly.
If you are providing firewalls as a service, Falco can optionally treat all VSYS on a firewall as separate devices. This allows you to send a report to the operators of each VSYS that only contains information relevant to them. Each report will contain only the checks that are relevant to that VSYS. Configuration regression notifications are also per-VSYS capable.
First Class Support
Falco comes by default with up to two tickets per month. These can be used to have more immediate access to experts that can fix your firewall problems quickly to minimize unplanned outages. They can also be used for configuration changes, planning, OS upgrades and more. The service agreement has complete details on the ticket entitlements.
PAN-OS Vulnerability Scanning
One of the most critical maintenance tasks is patching infrastructure to stay ahead of the latest known vulnerabilities, and firewalls are no different. Palo Alto publishes a list of all known vulnerabilities for the PAN-OS platform but determining which affect your firewalls is left up to you.
With Falco, outstanding vulnerabilities are just another check. When a vulnerability that affects one of your devices is published you’ll get a regression email from the Falco service with all the details. You’ll never have to manually cross-reference your firewall versions with the vulnerability database ever again.
Hourly Configuration Backups
Every time there is a change to the configuration on a firewall or Panorama a new config version is created and saved. Every hour Falco will download all the configuration versions it can, keeping the latest one hundred revisions. In the event of a hardware failure you can quickly restore a replacement device or an on-site-spare with the config backups we keep.
These backups are optional, and can be disabled if you'd prefer to handle this yourself.
Managed EDL Service
External Dynamic Lists, or EDLs, or a powerful tool in your Palo Alto Networks firewall that allow you to use a list hosted on an external server as an object in your rulebase. Our EDL service tracks many of the most popular cloud services and allows you to easily block or allow these in your rulebase. Gone are the days of manually maintaining address groups with hundreds or thousands of networks that frequently change.
SSL Decryption Setup
Decryption is the bread and butter of the Palo Alto Networks platform. Without it traffic visibility is severely limited which in turn means that you can't get the most out of your investment. Falco Plus customers can take advantage of our vast experience getting SSL Decryption running. We have a tried-and-true SSL Decryption project plan that can be customized for your organization.
Falco Plus customers can customize a firewall management schedule to deploy regular skilled engineer time on your firewall. Whether you want a once a monthly review meeting or a weekly work session we can make it happen.