Why Do I Need a Best Practice Internet Gateway Security Policy?

A best practice security policy allows you to enable applications safely by classifying all traffic, across all ports, all the time, including encrypted traffic. Determine the business use case for each application to create Security policy rules that allow and protect access to relevant applications. A best practice security policy leverages the next-generation technologies—App-ID, Content-ID, User-ID, and Device-ID (for IoT Security, which is beyond the scope of this book)—on the Palo Alto Networks enterprise security platform and:

- Identifies applications regardless of port, protocol, evasive tactic, or encryption.
- Identifies and controls users regardless of IP address, location, or device.
- Protects against known and unknown application-borne threats.
- Provides fine-grained visibility and policy control over application access and functionality.

A best practice security policy uses a layered approach to ensure that you safely enable sanctioned applications while blocking applications with no legitimate use case. To mitigate the risk of breaking applications when you move from port-based enforcement to application-based enforcement, the best-practice rulebase includes temporary Security policy rules that identify gaps in the rulebase, detect alarming activity and potential threats, ensure applications don't break during the transition, and enable you to monitor application usage so you can craft appropriate rules. Some applications that a legacy port-based policy allowed might be applications that you don't want to allow or that you want to limit to a more granular set of users.

A best-practice security policy is easier to administer and maintain because each rule meets a specific business goal and allows access to an application or group of applications for a specific user group or users. Each rule's application and user match criteria make it easier to understand what traffic the rule enforces. A best-practice security policy rulebase also leverages tags and objects to make the rulebase easier to scan and easier to keep synchronized with your changing environment.