Why
Do I Need a Best Practice Internet Gateway Security Policy?
A best practice security policy allows you to enable applications safely by classifying all
traffic, across all ports, all the time, including encrypted traffic. Determine the
business use case for each application to create Security policy rules that allow and
protect access to relevant applications. A best practice security policy leverages the
next-generation technologies—App-ID, Content-ID, User-ID, and Device-ID (for
IoT Security, which is beyond the scope of this book)—on the
Palo Alto Networks enterprise security platform and:
Identifies applications regardless of port, protocol, evasive tactic or encryption.
Identifies and control users regardless of IP address, location, or device.
Protects against known and unknown application-borne threats.
Provides fine-grained visibility and policy control over application access and
functionality.
-
A best practice security policy uses a layered approach to ensure that you safely enable
sanctioned applications while blocking applications with no legitimate use case. To
mitigate the risk of breaking applications when you move from port-based enforcement to
application-based enforcement, the best-practice rulebase includes temporary Security
policy rules that identify gaps in the rulebase, detect alarming activity and potential
threats, ensure applications don't break during the transition, and enable you to
monitor application usage so you can craft appropriate rules. Some applications that a
legacy port-based policy allowed might be applications that you don't want to allow or
that you want to limit to a more granular set of users.
A best-practice security policy is easier to administer and maintain because each rule meets a
specific business goal and allows access to an application or group of applications for
a specific user group or users. Each rule's application and user match criteria make it
easier to understand what traffic the rule enforces. A best-practice security policy
rulebase also leverages tags and objects to make the rulebase easier to scan and easier
to keep synchronized with your changing environment.