
Maintain the Rulebase

Businesses and applications evolve, so your Security policy rulebase also needs to evolve. When your sanctioned applications change, make corresponding changes to existing policy rules that align with the application's business use case whenever possible instead of adding new rules. Often, the change is as simple as adding a new application to an application group or removing a deprecated application from an application group.
On Panorama or standalone firewalls, use the policy rule hit counter to analyze the effect of changes to the rulebase. For example, when you add a new application, add the allow rule to the rulebase before you activate that application's traffic on the network. If traffic hits the rule and increments the counter, either traffic that matches the rule is already on the network even though you haven't activated the application, or the rule matches more than you intended and needs tuning. Follow up by checking the ACC > Threat Activity > Applications Using Non Standard Ports and ACC > Threat Activity > Rules Allowing Apps On Non Standard Ports widgets to see whether traffic on non-standard ports caused the unexpected rule hits.
The key to using the policy rule hit counter is to reset the counter when you make a change, such as introducing a new application or changing a rule’s meaning. Resetting the hit counter ensures that you see the result of the change, not results that include the change and events that happened before the change.
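The following script is an added example, not code from the Palo Alto Networks page, that applies the reset-then-measure workflow above to hit-counter data. It parses a constructed, simplified XML snapshot in the shape a `show rule-hit-count` response might take (the element names `hit-count`, `last-reset-timestamp` and `last-hit-timestamp` and the nesting are assumptions, so adapt the paths to your PAN-OS version), then classifies each rule relative to the time of the policy change: a counter whose last reset predates the change is stale and still mixes in pre-change traffic, a staged rule (added for an application you have not activated yet) that has already accumulated hits needs investigation, and a staged rule with zero hits is behaving as expected.

```python
"""Audit PAN-OS rule hit counters against a policy-change baseline.

Added example: the XML below is constructed by hand and its layout is an
assumption about the rule-hit-count output, not a captured firewall response.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Epoch second at which the rulebase change was committed (constructed value).
CHANGE_EPOCH = 1718000000

# Rules added for applications that are not yet activated on the network.
STAGED_RULES = {"allow-saas-crm", "allow-new-collab-app"}

# Constructed sample in an assumed, simplified rule-hit-count layout.
SAMPLE_XML = """<response status="success"><result>
<rule-hit-count><vsys><entry name="vsys1"><rule-base><entry name="security"><rules>
  <entry name="allow-saas-crm">
    <hit-count>0</hit-count>
    <last-reset-timestamp>1718000000</last-reset-timestamp>
    <last-hit-timestamp>0</last-hit-timestamp>
  </entry>
  <entry name="allow-new-collab-app">
    <hit-count>42</hit-count>
    <last-reset-timestamp>1718000000</last-reset-timestamp>
    <last-hit-timestamp>1718010000</last-hit-timestamp>
  </entry>
  <entry name="allow-web-browsing">
    <hit-count>9001</hit-count>
    <last-reset-timestamp>1700000000</last-reset-timestamp>
    <last-hit-timestamp>1718020000</last-hit-timestamp>
  </entry>
</rules></entry></rule-base></entry></vsys></rule-hit-count>
</result></response>"""


def parse_hit_counts(xml_text):
    """Return {rule_name: (hit_count, last_reset_epoch, last_hit_epoch)}."""
    root = ET.fromstring(xml_text)
    rules = {}
    for entry in root.iterfind(".//rules/entry"):
        name = entry.get("name")
        hits = int(entry.findtext("hit-count", "0"))
        last_reset = int(entry.findtext("last-reset-timestamp", "0"))
        last_hit = int(entry.findtext("last-hit-timestamp", "0"))
        rules[name] = (hits, last_reset, last_hit)
    return rules


def audit_hit_counts(rules, change_epoch, staged_rules):
    """Classify each rule's counter relative to the policy change.

    stale-counter   : counter was not reset after the change, so its value
                      includes traffic from before the change (reset it).
    unexpected-hits : staged rule already matching traffic; the app is on the
                      network already or the rule is broader than intended.
    no-hits         : staged rule with a clean counter since the change.
    ok              : existing rule with a counter reset after the change.
    """
    findings = {}
    for name, (hits, last_reset, _last_hit) in rules.items():
        if last_reset < change_epoch:
            findings[name] = "stale-counter"
        elif name in staged_rules and hits > 0:
            findings[name] = "unexpected-hits"
        elif name in staged_rules:
            findings[name] = "no-hits"
        else:
            findings[name] = "ok"
    return findings


def _fmt(epoch):
    """Render an epoch second as UTC, or '-' when the firewall reports 0."""
    if epoch == 0:
        return "-"
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")


if __name__ == "__main__":
    rules = parse_hit_counts(SAMPLE_XML)
    findings = audit_hit_counts(rules, CHANGE_EPOCH, STAGED_RULES)
    for name, (hits, last_reset, last_hit) in rules.items():
        print(f"{name:24} hits={hits:<6} reset={_fmt(last_reset)} "
              f"last_hit={_fmt(last_hit)} -> {findings[name]}")
```

Rules reported as `stale-counter` should have their counters cleared at the moment of the change and be re-checked; `unexpected-hits` on a staged rule is the cue to look at the non-standard-port widgets in the ACC and at the rule's application and service settings before activating the application.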
If you use Panorama to manage firewalls, monitor firewall health to compare devices to their baseline performance and to each other to identify deviations from normal behavior.
Set Palo Alto Networks content updates to download automatically and schedule installation on firewalls as soon as possible. Applications and Threats content updates occur whenever Security profile signatures need updating. The content updates sent on the third Tuesday of each month also contain new and modified App-IDs (application updates; in rare cases, an application update might be delayed one or two days). Evaluate how new and modified App-IDs affect your Security policy rulebase in a non-production environment and modify rules as needed.
Follow content update best practices, install updates as soon as you can to protect your internet gateway, and configure Log Forwarding for all content updates.
  1. Before installing a new content update, review new and modified App-IDs to determine if the changes impact policy.
  2. If necessary, modify existing Security policy rules to accommodate the App-ID changes. You can disable selected App-IDs if some App-IDs require more testing and install the rest of the new and modified App-IDs. Finish testing and any necessary policy revisions before the next monthly content release with new App-IDs arrives (third Tuesday of each month) to avoid overlap.
  3. Prepare policy updates to account for App-ID changes included in a content release, to add new sanctioned applications, or to remove applications from your allow rules.