Map Applications to Business Goals for a Simplified Rulebase

As you inventory the applications on your network, consider your business goals and acceptable use policies and identify the applications that correspond to each. This enables you to create a goal-driven rulebase. For example, a business goal might be to allow the sales and support groups to access your customer database. Create an allow rule for each goal and group all of the applications that align with that goal into the single rule. This approach yields a rulebase with fewer individual rules, each of which has a clear purpose.
Because the individual rules you create align with your business goals, you can use application objects to group allowed applications and further simplify administration of the rulebase:
  • Create application groups for each set of sanctioned applications—Create application groups that explicitly include only sets of your sanctioned applications. Application groups simplify the administration of your policy because they enable you to add and remove sanctioned applications without modifying individual Security policy rules. Generally, if the applications that map to the same goal have the same access requirements (for example, they all have a destination address that points to the internet, they all allow access to any known user, and you want to enable them only on their default ports), you add them to the same application group.
    Tag all sanctioned applications with the predefined Sanctioned tag. Panorama and firewalls consider applications without the Sanctioned tag as unsanctioned applications.
  • Create an application filter to allow each type of general application—In addition to applications you officially sanction, you need to decide which additional applications you want to allow users to access. Application filters allow you to safely enable certain categories of applications based on tags, category, subcategory, technology, risk factor, or characteristic. Separate different types of applications based on business and personal use. Create separate filters for each type of application to make it easier to understand each policy rule.
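The following Python script is an added example, not code from Palo Alto Networks or from this documentation. It models the procedure described above on a constructed application inventory: applications that map to the same business goal and share the same access requirements (destination, allowed users, ports) are placed in one application group and covered by one allow rule; applications with a different access requirement for the same goal are split into a second group; applications without the Sanctioned tag are reported as unsanctioned; and an application-filter function selects applications by category, subcategory, risk and tag. All application names, categories, zones and user groups are hypothetical values chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class App:
    """One entry of the application inventory (constructed, not real App-ID data)."""
    name: str
    category: str
    subcategory: str
    risk: int
    tags: frozenset = frozenset()


@dataclass(frozen=True)
class AccessReq:
    """The access requirements the page says must match for apps to share a group."""
    destination: str   # e.g. "internet" or an internal zone (hypothetical names)
    users: str         # source-user group allowed to use the apps
    ports: str         # "application-default" = enable only on default ports


# Constructed inventory: five sanctioned applications and two that were never tagged.
INVENTORY = [
    App("crm-web", "business-systems", "general-business", 2, frozenset({"Sanctioned"})),
    App("ticketing", "business-systems", "general-business", 2, frozenset({"Sanctioned"})),
    App("sql-client", "business-systems", "database", 3, frozenset({"Sanctioned"})),
    App("web-conf", "collaboration", "voip-video", 3, frozenset({"Sanctioned"})),
    App("chat-app", "collaboration", "instant-messaging", 3, frozenset({"Sanctioned"})),
    App("file-share-x", "general-internet", "file-sharing", 4, frozenset()),
    App("social-site", "collaboration", "social-networking", 4, frozenset()),
]

INTERNET_DEFAULT = AccessReq("internet", "known-user", "application-default")
DB_ZONE_SALES = AccessReq("db-zone", "sales-and-support", "application-default")
DMZ_DEFAULT = AccessReq("dmz", "known-user", "application-default")

# Business goal -> the applications that serve it, each with its access requirement.
GOALS: Dict[str, List[Tuple[str, AccessReq]]] = {
    "customer-database-access": [("crm-web", DB_ZONE_SALES), ("sql-client", DB_ZONE_SALES)],
    # ticketing lives in the DMZ, so it cannot share a group with the internet-bound apps
    "team-collaboration": [("web-conf", INTERNET_DEFAULT), ("chat-app", INTERNET_DEFAULT),
                           ("ticketing", DMZ_DEFAULT)],
}


def unsanctioned(inventory: List[App]) -> List[str]:
    """Applications without the Sanctioned tag are treated as unsanctioned."""
    return sorted(a.name for a in inventory if "Sanctioned" not in a.tags)


def build_application_groups(goal_map) -> Dict[str, Tuple[AccessReq, List[str]]]:
    """One application group per (goal, access requirement) pair.

    Apps with identical requirements share a group; a goal whose apps have
    differing requirements is split into numbered groups."""
    groups: Dict[str, Tuple[AccessReq, List[str]]] = {}
    for goal, entries in goal_map.items():
        by_req: Dict[AccessReq, List[str]] = {}
        for app, req in entries:
            by_req.setdefault(req, []).append(app)
        for i, (req, members) in enumerate(by_req.items(), start=1):
            name = goal if len(by_req) == 1 else f"{goal}-{i}"
            groups[name] = (req, sorted(members))
    return groups


def build_rulebase(goal_map) -> List[dict]:
    """One allow rule per application group instead of one rule per application."""
    rules = []
    for name, (req, members) in build_application_groups(goal_map).items():
        rules.append({
            "name": f"allow-{name}",
            "action": "allow",
            "application-group": name,
            "applications": members,
            "destination": req.destination,
            "source-user": req.users,
            "service": req.ports,
        })
    return rules


def application_filter(inventory: List[App], category: Optional[str] = None,
                       subcategory: Optional[str] = None, max_risk: Optional[int] = None,
                       tag: Optional[str] = None) -> List[str]:
    """Select applications by attribute, the way an application filter does."""
    out = []
    for a in inventory:
        if category is not None and a.category != category:
            continue
        if subcategory is not None and a.subcategory != subcategory:
            continue
        if max_risk is not None and a.risk > max_risk:
            continue
        if tag is not None and tag not in a.tags:
            continue
        out.append(a.name)
    return sorted(out)


if __name__ == "__main__":
    for rule in build_rulebase(GOALS):
        print(rule)
    print("unsanctioned:", unsanctioned(INVENTORY))
    print("low-risk collaboration:", application_filter(INVENTORY, category="collaboration", max_risk=3))
```

With the constructed data, five applications collapse into three allow rules: one for the customer-database goal and two for team collaboration, because the ticketing application's DMZ destination differs from the internet-bound conferencing and chat applications. The filter call shows how a category-plus-risk filter admits the sanctioned collaboration apps while leaving out the untagged, higher-risk social-networking site.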