Use Policy Optimizer to add apps seen on a port-based
Security policy rule to an existing application-based rule.

In some cases, you may want to add applications
learned (seen) on a port-based rule to a rule that already exists.
For example, an administrator may create a cloned application-based
rule for general business web applications from a port-based rule
that allows internet access (a port 80/443 rule). Later, the administrator
notices that the port-based internet access rule has seen more general
business applications and wants to add some or all of them to the
cloned application-based rule (cloning another application-based
rule for the same type of application would create an unnecessary
rule and complicate the rulebase).

This example assumes that an application-based Security policy rule
to control general business traffic already exists or was cloned from
a port-based internet access rule, similar to the
Rule Cloning Migration Use Case: Web Browsing and SSL Traffic. In that example,
we cloned an application-based rule from the port-based internet
access rule and changed the new rule’s Service to application-default
to prevent web-based applications from using non-standard ports.

In addition to adding applications to an existing application-based
rule, you can add applications to an existing port-based rule. This
converts the port-based rule to an application-based rule for the
applications you add to the rule. If you do this, go to the rule
and change the Service to application-default. This prevents the
applications from using non-standard ports, and the Service already
configured on the rule may not match the applications you added.
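
The following audit is an added example, not part of the original documentation or any vendor tool. It flags rules that list specific applications but whose Service is still something other than application-default, which is the state a port-based rule is left in right after applications are added to it. It assumes the Security rulebase has been exported as XML in the PAN-OS configuration layout (`rules/entry` with `application/member` and `service/member`); the rule names and the sample rulebase are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample rulebase; rule names are hypothetical.
SAMPLE_RULEBASE = """
<security><rules>
  <entry name="internet-access-ports">
    <application><member>any</member></application>
    <service><member>service-http</member><member>service-https</member></service>
    <action>allow</action>
  </entry>
  <entry name="general-business-apps">
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="converted-but-unfinished">
    <application><member>google-base</member><member>slack-base</member></application>
    <service><member>service-http</member><member>service-https</member></service>
    <action>allow</action>
  </entry>
</rules></security>
"""

def members(entry, tag):
    """Return the <member> values under entry/tag as a list."""
    return [m.text.strip() for m in entry.findall(f"{tag}/member") if m.text]

def classify(entry):
    """Classify one rule by its Application and Service settings."""
    apps, services = members(entry, "application"), members(entry, "service")
    if not apps or "any" in apps:
        return "port-based"  # no App-ID restriction on the rule
    if services == ["application-default"]:
        return "app-based"   # apps limited to their standard ports
    # Apps are listed but the old port-based Service is still in place.
    return "app-based, service not application-default"

def audit(xml_text):
    """Map each rule name to its classification."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): classify(e) for e in root.findall(".//rules/entry")}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_RULEBASE).items():
        print(f"{name}: {status}")
```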