Businesses and applications evolve, so your Security policy rulebase also needs to
evolve. When your sanctioned applications change, make corresponding changes to
existing policy rules that align with the application's business use case whenever
possible instead of adding new rules. Often, the change is as simple as adding a new
application to an application group or removing a deprecated application from an
application group.
On Panorama or standalone firewalls, use the
policy rule hit counter to analyze
changes to the rulebase. For example, when you add a new application, before you
allow that application’s traffic on the network, add the allow rule to the
rulebase. If traffic hits the rule and increments the counter, either traffic
that matches the rule is already on the network even though you haven’t
activated the application, or you might need to tune the rule. Follow up by
checking the and the widgets to see if traffic on non-standard ports caused the
unexpected rule hits.
The key to using the policy rule hit counter is to
reset the counter when you make a change, such as introducing a
new application or changing a rule’s meaning. Resetting the hit
counter ensures that you see the result of the change, not results
that include the change and events that happened before the change.
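The hit-counter reasoning above can be turned into a repeatable check. The following Python script is an added example, not code from the Palo Alto Networks documentation: it reads a rule hit count report, verifies that each rule's counter was reset at or after the change, and classifies each rule as having no hits yet, hits only after the application was activated (expected), hits before activation (traffic already on the network, or a rule that needs tuning), or a stale counter whose numbers still include pre-change events. The XML report embedded below is constructed to resemble firewall hit-count output; the element names (`hit-count`, `first-hit-timestamp`, `last-reset-timestamp`) and the timestamp format are assumptions, so adapt them to a real export.

```python
"""Review rule hit counts after a rulebase change.

Added example; not part of the vendor documentation.  The sample report is
CONSTRUCTED, and the element names and timestamp format are ASSUMPTIONS.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

TS_FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format

# Constructed sample: four Security rules, counters reset when the change
# was committed on 2024-05-01 08:00 (except legacy-ftp, which was never reset).
SAMPLE_XML = """<response status="success"><result><rule-hit-count><vsys>
<entry name="vsys1"><rule-base><entry name="security"><rules>
  <entry name="allow-new-saas">
    <hit-count>37</hit-count>
    <first-hit-timestamp>2024-05-02 09:14:10</first-hit-timestamp>
    <last-reset-timestamp>2024-05-01 08:00:00</last-reset-timestamp>
  </entry>
  <entry name="allow-erp-upgrade">
    <hit-count>0</hit-count>
    <first-hit-timestamp>0</first-hit-timestamp>
    <last-reset-timestamp>2024-05-01 08:00:00</last-reset-timestamp>
  </entry>
  <entry name="allow-new-crm">
    <hit-count>5</hit-count>
    <first-hit-timestamp>2024-05-07 10:00:00</first-hit-timestamp>
    <last-reset-timestamp>2024-05-01 08:00:00</last-reset-timestamp>
  </entry>
  <entry name="legacy-ftp">
    <hit-count>12</hit-count>
    <first-hit-timestamp>2024-04-20 11:00:00</first-hit-timestamp>
    <last-reset-timestamp>2024-03-01 00:00:00</last-reset-timestamp>
  </entry>
</rules></entry></rule-base></entry></vsys></rule-hit-count></result></response>"""

# When the rule change was committed (and counters should have been reset),
# and when the new application was actually activated on the network.
CHANGE_AT = datetime(2024, 5, 1, 8, 0, 0)
ACTIVATED_AT = datetime(2024, 5, 6, 0, 0, 0)


def _ts(text):
    """Parse a firewall timestamp; '0' or empty means 'never'."""
    if text is None or text.strip() in ("", "0"):
        return None
    return datetime.strptime(text.strip(), TS_FMT)


def classify_rule(entry, change_at, activated_at):
    """Return a verdict string for one <entry> element carrying hit-count data."""
    hits = int(entry.findtext("hit-count", "0"))
    reset = _ts(entry.findtext("last-reset-timestamp"))
    first = _ts(entry.findtext("first-hit-timestamp"))
    if reset is None or reset < change_at:
        # Counter still includes events from before the change: not meaningful.
        return "stale-counter"
    if hits == 0:
        return "no-hits"
    if first is not None and first < activated_at:
        # Matching traffic existed before the app went live: either it was
        # already on the network, or the rule matches more than intended.
        return "pre-activation-hits"
    return "expected-hits"


def review_hits(xml_text, change_at, activated_at):
    """Map every rule in the report to its verdict."""
    root = ET.fromstring(xml_text)
    return {
        e.get("name"): classify_rule(e, change_at, activated_at)
        for e in root.iter("entry")
        if e.get("name") and e.find("hit-count") is not None
    }


def demo():
    """Run the review over the constructed sample report."""
    return review_hits(SAMPLE_XML, CHANGE_AT, ACTIVATED_AT)


if __name__ == "__main__":
    for rule, verdict in demo().items():
        print(f"{rule:20s} {verdict}")
```

Rules reported as `stale-counter` have to be reset and re-observed before their numbers mean anything; `pre-activation-hits` is the case the text describes, and is the cue to look at the port and application data behind those hits before tuning the rule.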
If you use Panorama to manage firewalls,
monitor firewall health to compare
devices to their baseline performance and to each other to identify deviations
from normal behavior.
Set Palo Alto Networks content updates to download automatically and schedule
installation on firewalls as soon as possible.
Applications and Threats content updates
occur whenever Security profile signatures need updating. The content updates sent
on the third Tuesday of each month also contain new and modified App-IDs
(application updates; in rare cases, an application update might be delayed one or
two days). Evaluate how new and modified App-IDs affect your Security policy
rulebase in a non-production environment and modify rules as needed.