Use Temporary Rules to Tune the Allow List

The end goal of application-based Security policy is to explicitly allow the application traffic you want to allow and implicitly deny the traffic you don't want. However, the initial rulebase requires some temporary rules, which ensure that you have full visibility into all applications on your network so that you can properly tune policy. The initial rulebase needs the following types of rules:
  • Allow rules for applications you officially sanction and deploy for business purposes.
  • Allow rules for safely enabling access to tolerated applications you want to allow per your acceptable use policy.
  • Block rules that block applications with no legitimate use case. These rules prevent malicious traffic from entering your network while the temporary rules discover applications that your policy rulebase doesn't account for yet.
  • Temporary allow rules to give you visibility into all of the applications running on your network so that you can tune the rulebase.
Temporary rules:
  • Provide visibility into applications you didn't know were on your network.
  • Prevent legitimate applications you didn't know about from getting blocked.
  • Identify unknown users, unknown applications, and applications running on non-standard ports (attackers commonly use standard applications on non-standard ports as an evasion technique for malicious activity).
  • Identify legitimate applications running on non-standard ports (for example, internally developed applications) so that you can either modify the ports the application uses or create a custom application to use in policy.
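The tuning loop the list above describes amounts to reviewing the traffic that only the temporary rule allowed and sorting it into sanctioned, tolerated, blocked, or custom-application candidates. The following is an added example, not Palo Alto Networks code: the log records, the rule name `temp-allow-all`, the `DEFAULT_PORTS` table, and the simplified four-field record layout are all constructed for illustration.

```python
"""Triage hits on a temporary allow rule to find allow-list candidates.

Added example, not PAN-OS code. The log records, rule names and the
default-port table are constructed; real traffic logs carry many more fields.
"""
from collections import defaultdict

# Constructed: an application's standard destination port(s), used to flag
# traffic that matched an App-ID but arrived on a non-standard port.
DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "dns": {53}, "ssh": {22}}

# Constructed traffic-log records: (matched rule, application, dst port, user).
# "unknown" as the user stands for a session with no user mapping.
LOG = [
    ("allow-sanctioned", "ssl", 443, "alice"),
    ("temp-allow-all", "ssh", 2222, "bob"),
    ("temp-allow-all", "ssh", 2222, "carol"),
    ("temp-allow-all", "unknown-tcp", 8443, "unknown"),
    ("temp-allow-all", "web-browsing", 8080, "dave"),
    ("temp-allow-all", "dns", 53, "dave"),
]


def triage_temporary_hits(log, temp_rule, default_ports=DEFAULT_PORTS):
    """Summarise traffic that only the temporary rule allowed, per application.

    Returns {app: {"sessions": int, "users": set, "nonstandard_ports": set}}.
    Each entry is a candidate to sanction, tolerate, block, or turn into a
    custom application; traffic matched by explicit rules is skipped because
    the rulebase already accounts for it.
    """
    report = defaultdict(lambda: {"sessions": 0, "users": set(), "nonstandard_ports": set()})
    for rule, app, port, user in log:
        if rule != temp_rule:
            continue
        entry = report[app]
        entry["sessions"] += 1
        entry["users"].add(user)
        standard = default_ports.get(app)
        if standard is not None and port not in standard:
            entry["nonstandard_ports"].add(port)
    return dict(report)


def needs_attention(report):
    """Applications the text singles out for review: unknown App-IDs,
    sessions without a known user, or known apps on non-standard ports."""
    return {
        app for app, e in report.items()
        if app.startswith("unknown-") or "unknown" in e["users"] or e["nonstandard_ports"]
    }
```

Apps that appear in the report on their standard port with known users (here `dns`) are the easy case: add an explicit allow rule or block rule and the temporary rule stops seeing them.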
If you have Application Override policy rules that you created to define custom session timeouts for a set of ports, convert the application override policies to application-based policies by configuring service-based session timeouts to maintain the custom timeout for each application. Then migrate each rule to an application-based rule. Application override policies are port-based and don't provide application visibility into traffic, so you don't know or control which applications use the ports. Service-based session timeouts achieve custom timeouts while maintaining application visibility.