Use Temporary Rules to Tune the Allow List
The end goal of application-based Security policy is to explicitly allow the applications
you want on your network and implicitly deny everything else. The initial rulebase, however,
needs some temporary rules that give you full visibility into every application on your
network so that you can tune the permanent rules against real traffic. Because Security
policy is evaluated top-down with first match, the order of these rules matters. The initial
rulebase needs the following types of rules:
- Allow rules for applications you officially sanction and deploy for business purposes.
- Allow rules that safely enable access to tolerated applications you permit under your
acceptable use policy.
- Block rules for applications with no legitimate business use. Place these ahead of the
temporary rules so that known-bad traffic is denied while the temporary rules discover the
applications your rulebase doesn't account for yet.
- Temporary allow rules, with logging enabled, that give you visibility into all of the
remaining applications on your network so that you can tune the rulebase. Their only
purpose is visibility; without logging they reveal nothing.
Temporary rules:
- Provide visibility into applications you didn't know were on your network.
- Prevent legitimate applications you didn't know about from being blocked by the
implicit deny.
- Identify unknown users (sessions with no User-ID mapping), unknown applications
(traffic App-ID can't classify, logged as unknown-tcp or unknown-udp), and applications
running on non-standard ports. Attackers commonly run standard applications on
non-standard ports to evade port-based controls, so treat each such hit as something to
explain, not just to allow.
- Identify legitimate applications running on non-standard ports (for example, internally
developed applications) so that you can either move the application to its standard port
or create a custom application to use in policy instead of opening the port to any
application.
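The following Python script is an added example, not part of this page or of any PAN-OS feature. It simulates first-match evaluation of an initial rulebase laid out as described above (block rules, sanctioned and tolerated allow rules on application-default ports, then a temporary catch-all allow) and triages what the temporary rule catches into the buckets you tune against: unidentified traffic, known applications off their default ports, sessions with no user mapping, and applications the rulebase simply doesn't cover yet. The application names, the default-port mapping and the traffic-log lines are constructed and hypothetical.

```python
"""Simulate first-match evaluation of an initial App-ID rulebase and triage
what the temporary allow rule catches.

Rule order mirrors the text: block rules for applications with no legitimate
use, allow rules for sanctioned and tolerated applications on their default
ports, then a temporary catch-all allow that logs everything else.  All
application names, default ports and sample log lines are constructed for
this example (assumptions, not data from a real firewall).
"""
from dataclasses import dataclass
from typing import Optional

# Assumed mapping of application -> standard ("application-default") ports.
APP_DEFAULT_PORTS = {
    "web-browsing": {80},
    "ssl": {443},
    "ssh": {22},
    "dns": {53},
    "ms-rdp": {3389},
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    apps: Optional[frozenset]   # None = any application
    service: str                # "application-default" or "any"
    temporary: bool = False

    def matches(self, app: str, dport: int) -> bool:
        if self.apps is not None and app not in self.apps:
            return False
        if self.service == "application-default":
            # Known app on a non-default port does NOT match here; it falls
            # through to the temporary rule, which is how it gets surfaced.
            return dport in APP_DEFAULT_PORTS.get(app, set())
        return True


RULEBASE = [
    Rule("block-no-business-use", "deny", frozenset({"bittorrent", "tor"}), "any"),
    Rule("allow-sanctioned", "allow", frozenset({"web-browsing", "ssl", "dns"}), "application-default"),
    Rule("allow-tolerated", "allow", frozenset({"ssh", "ms-rdp"}), "application-default"),
    Rule("temp-allow-discovery", "allow", None, "any", temporary=True),
]


def match(app: str, dport: int, rulebase=RULEBASE):
    """First-match evaluation; None means the implicit deny applied."""
    for rule in rulebase:
        if rule.matches(app, dport):
            return rule
    return None


def parse_log(text: str):
    """Parse constructed 'user,app,dport' traffic-log lines (empty user = no User-ID mapping)."""
    sessions = []
    for line in text.strip().splitlines():
        user, app, dport = (f.strip() for f in line.split(","))
        sessions.append((user or "unknown", app, int(dport)))
    return sessions


def triage(sessions, rulebase=RULEBASE):
    """Group what the temporary rule allowed the way you tune policy:
    unidentified     -> unknown-tcp/udp, candidate for a custom application
    nonstandard_port -> known app off its default port: fix the port or allow it deliberately
    unknown_users    -> sessions with no user mapping; fix User-ID before writing user-based rules
    unaccounted      -> identified apps no permanent rule covers: sanction, tolerate or block
    """
    report = {"unidentified": set(), "nonstandard_port": set(),
              "unknown_users": 0, "unaccounted": set(), "denied": 0}
    for user, app, dport in sessions:
        rule = match(app, dport, rulebase)
        if rule is None or rule.action == "deny":
            report["denied"] += 1
            continue
        if not rule.temporary:
            continue  # already covered by a permanent allow rule
        if user == "unknown":
            report["unknown_users"] += 1
        if app.startswith("unknown-"):
            report["unidentified"].add((app, dport))
        elif app in APP_DEFAULT_PORTS:
            report["nonstandard_port"].add((app, dport))
        else:
            report["unaccounted"].add(app)
    return report


# Constructed sample traffic log: user,app,dport
SAMPLE_LOG = """\
alice,web-browsing,80
bob,ssl,443
carol,ssh,22
dave,bittorrent,6881
,web-browsing,8080
erin,ssh,8443
frank,unknown-tcp,9001
grace,slack,443
heidi,dns,53
"""

if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Each entry in `nonstandard_port` and `unaccounted` is a decision to make before the temporary rule is removed: move the application to its default port, add it to a sanctioned or tolerated rule on purpose, or write a block rule. Anything still hitting the temporary rule when you delete it will fall to the implicit deny.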
If you have Application Override policy rules that you created only to define custom session
timeouts for a set of ports, replace them with application-based rules. First configure
service-based session timeouts on the Service objects used in the Security policy rules, so
that each application keeps its custom timeout. Then migrate each override rule to an
application-based Security policy rule. Application Override rules are port-based: the
firewall stops App-ID processing for matching sessions and labels them with the override
application, so you don't know or control which applications actually use those ports, and
because App-ID is bypassed, Content-ID threat inspection doesn't apply to those sessions
either. Service-based session timeouts achieve the same custom timeouts while keeping
application visibility and inspection.