Falco is a firewall configuration management service specialized for Palo Alto Networks firewalls
Digital Scepter has extensive experience installing, configuring and managing Palo Alto Networks next generation firewalls (Strata). Falco applies this expertise to monitor your firewall configurations and report on the security posture of your entire firewall fleet. You’ll receive regular easy-to-read reports which give you important information at a glance, along with a trend to show how your configurations are improving. It’s easy to make a plan of attack to improve your firewall security posture with the built in remediation recommendations. Upgrade to Falco or Falco Plus to access the world renowned Digital Scepter help desk and use a monthly ticket quota to work on improving your firewall or for assistance with maintenance issues.
Falco is a monitoring service for Palo Alto Networks firewalls. Honed by Digital Scepter experience and informed by industry best-practices, Falco delivers a powerful monitoring and security auditing solution for your Palo Alto Networks Firewalls. Falco verifies your firewall settings to assure you that your devices are up-to-date, correctly configured and maximizing your investment.
You already have the best firewall, now take advantage of it.
Even the best technology is worthless if it isn’t configured right. Maintaining a secure firewall configuration is an ongoing requirement for your security and to satisfy compliance requirements. Falco will monitor your firewalls and alert you if there are any issues to fix.
A cost-effective solution to improve your security posture.
During initial onboarding, Falco conducts a thorough manual review of the existing configurations based on best-practices and your unique requirements. The configuration will be monitored regularly to detect unauthorized changes. Device system logs will be monitored with real-time alerts for the most urgent needs. Falco maintains backups of your configuration should a disaster occur. This information is then processed by multiple automated correlation checks developed by the Digital Scepter team to provide answers to questions such as:- Is your PAN-OS system up to date? - Is App-ID properly configured? - Are your subscriptions properly utilized? - Are all policies properly configured?
Firewall Configuration Audit Reports
Traditionally, performing a health check is a manual process that doesn’t scale. Falco hones in on the most important settings that need to be tracked and make it easy for you to plan out how to make improvements.
The reports are run automatically via your firewall or panorama API and are then emailed to you on a regular basis. The reports include configuration health trends and actionable remediation advice.
Configuration Regression Alerting
When a check that was previously passing fails the Falco service can optionally send you a regression notification email. In the email, you’ll find details of exactly what changed along with a full report at the time of the regression.
In addition to connecting directly to firewalls, Falco can connect to Panoramas and scan all connected devices. As firewalls are added and removed from Panorama, so will they be added and removed from your reports.
If you are providing firewalls as a service, Falco can optionally treat all VSYS on a firewall as separate devices. This allows you to send a report to the operators of each VSYS that only contains information relevant to them.
Falco comes by default with up to two tickets per month. These can be used to have more immediate access to experts that can fix your firewall problems quickly to minimize unplanned outages. They can also be used for configuration changes, planning, OS upgrades and more. The service agreement has complete details on the ticket entitlements.
PAN-OS Vulnerability Scanning
One of the most critical maintenance tasks is patching infrastructure to stay ahead of the latest known vulnerabilities, and firewalls are no different. Palo Alto publishes a list of all known vulnerabilities for the PAN-OS platform but determining which affect your firewalls is left up to you.
With Falco outstanding vulnerabilities are just anothe check. When a vulnerability that affects one of your devices is published you’ll get a regression email from the Falco service with all the details. You’ll never have to manually cross-reference your firewall versions with the vulnerability database ever again.
Hourly Configuration Backups
Every time there is a change to the configuration on a firewall or Panorama a new config version is created and saved. Every hour Falco will download all the configuration versions it can, keeping the latest one hundred revisions.
In the event of a hardware failure you can quickly restore a replacement device or an on-site-spare with the config backups we keep.
Managed EDL Service
External Dynamic List, or EDLs, or a powerful tool in your Palo Alto Networks firewall. Our EDL service maintains external dynamic lists which you can use to make your ruleset more dynamic. For example, track infrastructure IPs from google, AWS, Microsoft and more.
Falco can customize which Palo Alto alerts are sent to your hip to make it easier for you to take action when needed.
SSL Decryption Setup
Falco Plus customers can take advantage of our vast experience getting SSL Decryption running. We have a tried-and-true SSL Decryption project plan that can be customized for your organization.
Falco Plus customers can customize a firewall management schedule to deploy regular skilled engineer time on your firewall.
|Falco Lite||Falco||Falco Plus|
|Automated PAN Configuration Audits|
|Emailed Configuration Reports||Monthly||Weekly||Weekly|
|Config Scan Interval||Weekly||Hourly||Hourly|
|PAN-OS Version Upgrade Review|
|PAN-OS Vulnerability Scanning|
|Email Notifications for Config Regressions|
|2 Tickets/Month Entitlement *|
|Hourly Config Backups †|
|Scheduled Report Setup|
|Access to 160+ pre-built lists using our EDL Service|
|SSL Decryption Setup|
|Customized Digital Scepter involvement with your firewall management team|
Open up to two tickets per month with Digital Scepter's support engineers (see terms and conditions), can be used for remote threat support, PAN-OS upgrades, configuration assistance or support questions, User-ID environment reviews, change reviews and more. Tickets are limited to four hours per ticket.
*This is in addition to your Palo Alto Networks Support account. Where appropriate, Digital Scepter can be added to your PANW support account to assist with tickets. See Falco Service Agreement for SLA.
† We retain the latest 100 configuration versions for each device
‡ See service description in Falco Service Agreement