Step 2: Create the Application Allow Rules

Identify Your Application Allow List before you create application allow rules. Create allow rules based on applications, not on ports. Except for certain infrastructure applications that require user access before the firewall can identify the user, allow access only to known users. Create User Groups for Access to Allowed Applications and limit user access to only the specific users or user groups who have a business need to access each application.
To convert port-based rules to application-based rules or to migrate from a port-based firewall, follow the advice in Best Practices for Migrating to Application-Based Policy, which leverages Policy Optimizer. Policy Optimizer helps you analyze port-based rules and shows you the exact applications that match those rules. It also helps you find unused rules, rules with unused applications (over-provisioned rules), and any remaining port-based rules.
Place specific rules above general rules in the Security policy rulebase. Otherwise, a general rule might shadow a specific rule. (Shadowing occurs when a broad rule that includes the match criteria of a more specific rule sits higher in the rulebase than the specific rule, so traffic intended for the specific rule matches the general rule instead and the specific rule never matches.)
This part of the rulebase includes the allow rules for applications you identified as part of your application allow list, including:
  • Sanctioned applications you provision and administer for business and infrastructure purposes.
  • General business applications users might need to get their jobs done.
  • Tolerated applications you choose to allow for personal use.
Tag all sanctioned applications with the predefined Sanctioned tag. Panorama and firewalls consider applications without the Sanctioned tag as unsanctioned applications.
Attach best practices Security profiles to scan all allowed traffic for known and unknown threats. If you haven't created these profiles, then Create Best Practice Security Profiles for the Internet Gateway. Because you can’t inspect what you can’t see, configure the firewall to Decrypt Traffic for Full Visibility and Threat Inspection.
  1. Allow access to your corporate DNS servers.
    Allow traffic only to sanctioned DNS servers. Use the DNS Security service to prevent connections to malicious DNS servers.
    Why Do I Need This Rule?
    • Access to DNS provides network infrastructure services and is commonly exploited by attackers.
    • Allowing access only on your internal DNS server reduces your attack surface.
    Rule Highlights
    • Because this rule is very specific, place it near the top of the rulebase.
    • Create an address object to use for the destination address to ensure that users only access the DNS server in your data center.
    • Because users need access to these services before they log in, allow access to any user.
  2. Allow access to other required IT infrastructure resources.
    Why Do I Need This Rule?
    • Enable applications that provide network infrastructure and management functions, such as NTP, OCSP, STUN, and ping.
    • The preceding rule restricts allowed DNS traffic to the destination address in the data center; these applications might not reside in your data center and therefore require a separate rule.
    Rule Highlights
    • Because these applications all run on their default ports, must allow access to any user (users might not yet be logged in and known at the time these services are needed), and have a destination address of any, add them to one application group and create one rule to enable access to all of them.
  3. Allow access to IT sanctioned SaaS applications.
    Why Do I Need This Rule?
    • With SaaS applications, proprietary data resides in the cloud. This rule ensures that only known users have access to these applications (and the underlying data).
    Rule Highlights
    • Scan allowed SaaS traffic for threats.
  4. Allow access to IT provisioned on-premises applications.
    Why Do I Need This Rule?
    • Attacks often use business-critical data center applications such as FTP during the exfiltration stage or exploit application vulnerabilities to move laterally.
    Rule Highlights
    • Many data center applications use multiple ports. Setting the Service to application-default safely enables applications on their standard ports. Don't allow applications on non-standard ports, a practice that is often associated with evasive behavior.
  5. Allow access to applications your administrative users need.
    Why Do I Need This Rule?
    • Because administrators often need access to sensitive account data and remote access to other systems (for example, RDP), allow access only to administrators who have a business need in order to reduce your attack surface.
    Rule Highlights
    • This rule restricts access to users in the IT_admins group.
    • Create a custom application for each internal application or application that runs on non-standard ports so you can enforce them on their default ports rather than opening additional ports on your network.
    • If you have different user groups for different applications, create separate rules for granular control.
  6. Allow access to general business applications.
    Why Do I Need This Rule?
    • In addition to applications you sanction and administer for users, users often need access to other business applications, such as Zoom, Adobe online services, or G Suite.
    Rule Highlights
    • This rule enables you to safely allow these applications while scanning for threats. See Create Best Practice Security Profiles for the Internet Gateway.
  7. (Optional) Allow access to personal applications.
    Why Do I Need This Rule?
    • As the lines blur between work and personal devices, ensure that all applications your users access are safely enabled and free of threats.
    Rule Highlights
    • Use application filters to safely enable access to personal applications when you create this initial rulebase. After you assess the applications in use, use the information to decide whether to remove the filter and allow a smaller subset of personal applications appropriate for your acceptable use policies.
  8. Allow general web browsing.
    Why Do I Need This Rule?
    • The previous rule allowed access to personal applications (many of them browser-based). This rule allows general web browsing.
    • General web browsing is more risk-prone than other types of application traffic. Create best practice Security profiles and attach them to this rule in order to safely enable web browsing.
    Rule Highlights
    • Because threats often hide in encrypted traffic, decrypt traffic for full visibility and threat inspection to safely enable web browsing.
    • Use the same best practice Security profiles as the other rules and tighten the URL Filtering profile as much as possible.
    • To help prevent devices with malware or embedded devices from reaching the internet, allow only known users.
    • Use application filters to allow access to general types of applications.
    • Explicitly allow SSL as an application so that users can browse to HTTPS sites that you choose to exclude from decryption.
    • Set the Service to application-default.
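The following is an added example, not code from Palo Alto Networks or this documentation: a small linter that models an allow rulebase built the way this step describes and checks it for the two things the page stresses, shadowing (a broader rule above a more specific one) and departures from the best practices (application-based matching, Service set to application-default, a Security profile group attached, and known users only except for infrastructure applications that must work before login). Rule names, the address object dc-dns-servers, the profile group best-practice, and the App-ID sets are assumptions.

```python
from dataclasses import dataclass

ANY = frozenset({"any"})  # the "any" match value in a rule field
INFRA_APPS = frozenset({"dns", "ntp", "ocsp", "stun", "ping"})  # needed before login

@dataclass
class Rule:
    name: str
    apps: frozenset                      # App-IDs, or ANY
    users: frozenset                     # user groups / "known-user", or ANY
    dest: frozenset                      # address objects, or ANY
    service: str = "application-default"
    profile_group: str = "best-practice"  # Security profile group; "" = none

def covers(broad, narrow):
    """True if every value matched by `narrow` is also matched by `broad`."""
    return broad == ANY or narrow <= broad

def shadowed_by(rulebase):
    """Yield (earlier, later) rule names where the earlier rule's match criteria
    include all of the later rule's, so the later rule can never match."""
    for i, earlier in enumerate(rulebase):
        for later in rulebase[i + 1:]:
            if all(covers(getattr(earlier, f), getattr(later, f))
                   for f in ("apps", "users", "dest")):
                yield earlier.name, later.name

def lint(rulebase):
    """Return findings against this page's practices: match on applications,
    service application-default, profiles attached, known users except infra."""
    findings = []
    for r in rulebase:
        if r.apps == ANY:
            findings.append(f"{r.name}: matches any application (port-based)")
        if r.service != "application-default":
            findings.append(f"{r.name}: service is {r.service}")
        if not r.profile_group:
            findings.append(f"{r.name}: no Security profile group attached")
        if r.users == ANY and not r.apps <= INFRA_APPS:
            findings.append(f"{r.name}: any user allowed for non-infrastructure apps")
    findings += [f"{a} shadows {b}" for a, b in shadowed_by(rulebase)]
    return findings

# Constructed rulebase in the page's order: specific infrastructure rules first.
RULEBASE = [
    Rule("allow-dns", frozenset({"dns"}), ANY, frozenset({"dc-dns-servers"})),
    Rule("allow-infra", frozenset({"ntp", "ocsp", "stun", "ping"}), ANY, ANY),
    Rule("allow-admin-apps", frozenset({"ms-rdp", "ssh"}), frozenset({"IT_admins"}), ANY),
    Rule("allow-web-browsing", frozenset({"web-browsing", "ssl"}), frozenset({"known-user"}), ANY),
]
```

Running lint(RULEBASE) returns no findings; prepending a port-based catch-all such as Rule("allow-all", ANY, ANY, ANY, service="any", profile_group="") reports it as port-based and as shadowing every rule beneath it.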