Internet Gateway Best Practice Security Policy
    : Use Temporary Rules to Tune the Allow List
    Focus
    Download PDF
    Focus
    1. Home
    2. Best Practices
    3. Internet Gateway Best Practice Security Policy
    4. Best Practice Internet Gateway Security Policy
    5. Identify Your Application Allow List
    6. Use Temporary Rules to Tune the Allow List
    Download PDF

    Internet Gateway Best Practice Security Policy

    Use Temporary Rules to Tune the Allow List

    Table of Contents

    Use Temporary Rules to Tune the Allow List

    The end goal of application-based Security policy is to explicitly allow the application traffic you want to allow and implicitly deny the traffic you don't want. However, the initial rulebase requires some temporary rules, which ensure that you have full visibility into all applications on your network so that you can properly tune policy. The initial rulebase needs the following types of rules:
    • Allow rules for applications you officially sanction and deploy for business purposes.
    • Allow rules for safely enabling access to tolerated applications you want to allow per your acceptable use policy.
    • Block rules that block applications with no legitimate use case. These rules prevent malicious traffic from entering your network while the temporary rules discover applications that your policy rulebase doesn't account for yet.
    • Temporary allow rules to give you visibility into all of the applications running on your network so that you can tune the rulebase.
    Temporary rules:
    • Provide visibility into applications you didn't know were on your network.
    • Prevent legitimate applications you didn't know about from getting blocked.
    • Identify unknown users, unknown applications, and applications running on non-standard ports (attackers commonly use standard applications on non-standard ports as an evasion technique for malicious activity).
    Identify legitimate applications running on non-standard ports (for example, internally developed applications) so that you can either modify the ports the application uses or create a custom application to use in policy.
    If you have Application Override policy rules that you created to define custom session timeouts for a set of ports, convert the application override policies to application-based policies by configuring service-based session timeouts to maintain the custom timeout for each application. Then migrate each rule to an application-based rule. Application override policies are port-based and don't provide application visibility into traffic, so you don't know or control which applications use the ports. Service-based session timeouts achieve custom timeouts while maintaining application visibility.

    © 2024 Palo Alto Networks, Inc. All rights reserved.