Map Applications to Business Goals for a Simplified Rulebase

• Create application groups for each set of sanctioned applications—Create application groups that explicitly include only sets of your sanctioned applications. Application groups simplify the administration of your policy because they enable you to add and remove sanctioned applications without modifying individual Security policy rules. Generally, if the applications that map to the same goal have the same access requirements (for example, they all have a destination address that points to the internet, they all allow access to any known user, and you want to enable them only on their default ports), you add them to the same application group.

  Tag all sanctioned applications with the predefined Sanctioned tag. Panorama and firewalls consider applications without the Sanctioned tag as unsanctioned applications.
• Create an application filter to allow each type of general application—In addition to applications you officially sanction, you need to decide which additional applications you want to allow users to access. Application filters allow you to safely enable certain categories of applications based on tags, category, subcategory, technology, risk factor, or characteristic. Separate different types of applications based on business and personal use. Create separate filters for each type of application to make it easier to understand each policy rule.