Add Apps Directly to a Rule with Policy Optimizer
You can add App-ID Cloud Engine (ACE) App-IDs, as well as content-provided App-IDs, directly to a cloned or existing rule with Policy Optimizer. However, consider using Application Filters to automate adding ACE App-IDs to Security policy as they arrive at the firewall instead of adding them manually; a manual addition covers only the App-IDs you select and has to be repeated for each new one.
ACE provides App-IDs for applications that the firewall previously identified only as ssl or web-browsing, so traffic that a rule allowed under those generic App-IDs now matches a more specific App-ID that needs its own policy decision.
- Go to Policies > Security and then select Policy Optimizer > New App Viewer.
  If the firewall or Panorama has downloaded ACE App-IDs, a number displays next to New App Viewer in the left navigation window. The screen displays the Security policy rules that match downloaded cloud App-IDs.
- Click the number in Apps Seen for a Security policy rule to see the cloud-delivered applications that matched the rule in the Applications & Usage dialog.
- Select the applications that you want to add to an existing or cloned Security policy rule.
  You can sort and filter the applications in Apps Seen by subcategory, risk, amount of traffic seen over the last 30 days, or when the application was first or last seen.
- Select Applications from Create Cloned Rule or Add to Existing Rule, depending on how you want to handle the applications.
  The maximum number of applications you can clone using Create Cloned Rule is 1,000. If there are more than 1,000 applications that you want to move to a different rule, use Add to Existing Rule instead. If you want to move the applications to a new rule, create the rule first (Policies > Security) and then use Policy Optimizer to add them to that rule.
- Add the selected applications to a cloned rule or to an existing rule.
Create Cloned Rule:
- Type the Name (the name for the cloned rule, which will appear in the Security policy rulebase immediately above the original rule). The cloned rule has the same action (allow or deny) as the original rule.
- Select whether to Add container app (default) or only to Add specific apps seen.When you add the container app, you also add all of the functional apps in that container, including functional apps that have not yet been seen on the firewall. For example, if you add the “facebook” container app, that also adds facebook-base, facebook-chat, facebook-posting, etc., and also any future applications added to the container. The container and its functional apps are subject to the Security policy rule that you are cloning. Selecting the container app essentially future-proofs and automates security for the container’s apps so that you don’t have to manually add new apps in that container to your Security policy.Adding only the specific apps seen means that only the applications that you selected are added to the cloned rule. If new applications in the same container app arrive at the firewall, the cloned rule doesn’t control them and you have to manually decide how to handle the new apps.
- In some cases, the applications that you want to add to a rule require (depend on) other applications to function. In those cases, the Create Cloned Rule dialog box includes Dependent Applications, where you can select whether to add those applications to the cloned rule. Add the dependent applications to the rule to ensure that the selected applications function properly.
- Click OK to add the applications to the cloned rule.
- Commit the changes.
Add Apps to Existing Rule:
- Select the Name of the existing rule to which you want to add the selected applications.
- As with cloning the rule to add applications, you can choose whether to Add container app or Add specific apps seen. Adding the container app adds all the functional apps in the container and any future apps added to that container. Adding only the specific apps only adds the specific selected apps.
- As with cloning the rule, in some cases the applications that you want to add to a rule require (depend on) other applications to function. In those cases, the Add Apps to Existing Rule dialog box includes Dependent Applications, where you can select whether to add those applications to the existing rule. Add the dependent applications to the rule to ensure that the selected applications function properly.
- Click OK to add the applications to the existing rule.
- Commit the changes.
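The Create Cloned Rule procedure above, driven through the PAN-OS XML API instead of the web interface, as an added example (this is not Palo Alto Networks code). It builds the cloned rule with either the container app or only the specific apps seen, adds the dependent applications, places the clone immediately before the original rule, enforces the 1,000-application limit of Create Cloned Rule, and queues a commit. Assumptions not taken from the page: a single-vsys firewall (vsys1) with the standard config XPath; the XML API parameters (`type=config` with `action=set` / `action=move`, `where=before`, `dst`, and `type=commit`); the `application-default` service and `any` matches used as rule defaults; and the zones, rule names, Apps Seen list and dependency map, which are constructed sample data. The requests are only built (dry run), never sent.

```python
"""
Reproduce what Policy Optimizer's "Create Cloned Rule" does, through the
PAN-OS XML API: build the cloned Security rule (container app or only the
specific apps seen, plus dependent applications), place it immediately
before the original rule, and commit.

Added example, not Palo Alto Networks code. Assumptions (not from the page):
single-vsys firewall (vsys1) and its standard config XPath; XML API params
(type=config with action=set/move, where=before, dst; type=commit); zones,
rule names, apps and dependency map are constructed sample data.
Requests are only built (dry run), never sent.
"""
from urllib.parse import urlencode
from xml.etree import ElementTree as ET

RULEBASE_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
                  "/vsys/entry[@name='vsys1']/rulebase/security/rules")
MAX_CLONE_APPS = 1000  # Create Cloned Rule limit stated on the page

# Constructed sample of an Apps Seen list: container app -> functional apps seen.
APPS_SEEN = {
    "facebook": ["facebook-base", "facebook-chat"],
    "slack": ["slack-base"],
}
# Constructed sample dependency map; the firewall derives the real one from
# App-ID content and shows it as "Dependent Applications" in the dialog.
DEPENDENCIES = {
    "facebook-chat": ["facebook-base"],
    "slack-base": ["ssl", "web-browsing"],
}


def select_applications(apps_seen, container=True, add_dependencies=True):
    """Return the sorted application list for the new rule.

    container=True  -> "Add container app": the container covers every
                       functional app in it, including ones not yet seen.
    container=False -> "Add specific apps seen": only the listed functional apps.
    add_dependencies adds what the selected apps need in order to function.
    """
    if container:
        apps = set(apps_seen)
    else:
        apps = {app for seen in apps_seen.values() for app in seen}
    if add_dependencies:
        for app in list(apps):
            apps.update(DEPENDENCIES.get(app, []))
    return sorted(apps)


def build_rule_xml(name, src_zone, dst_zone, applications, action):
    """Serialize a Security rule <entry> as the XML API's set element expects."""
    entry = ET.Element("entry", name=name)

    def members(tag, values):
        node = ET.SubElement(entry, tag)
        for value in values:
            ET.SubElement(node, "member").text = value

    members("from", [src_zone])
    members("to", [dst_zone])
    members("source", ["any"])
    members("destination", ["any"])
    members("source-user", ["any"])
    members("category", ["any"])
    members("application", applications)
    members("service", ["application-default"])  # assumption: GUI default service
    ET.SubElement(entry, "action").text = action  # clone keeps the original's action
    return ET.tostring(entry, encoding="unicode")


def clone_rule_requests(original, clone, src_zone, dst_zone, applications,
                        action, api_key):
    """Return XML API query strings: set the clone, move it before the original, commit.

    Enforces the 1,000-application limit of Create Cloned Rule; above that the
    page says to use Add to Existing Rule instead.
    """
    if len(applications) > MAX_CLONE_APPS:
        raise ValueError(f"{len(applications)} apps exceed the {MAX_CLONE_APPS} "
                         "limit of Create Cloned Rule; use Add to Existing Rule")
    element = build_rule_xml(clone, src_zone, dst_zone, applications, action)
    clone_xpath = f"{RULEBASE_XPATH}/entry[@name='{clone}']"
    return [
        urlencode({"type": "config", "action": "set", "xpath": RULEBASE_XPATH,
                   "element": element, "key": api_key}),
        urlencode({"type": "config", "action": "move", "xpath": clone_xpath,
                   "where": "before", "dst": original, "key": api_key}),
        urlencode({"type": "commit", "cmd": "<commit></commit>", "key": api_key}),
    ]


if __name__ == "__main__":
    # Future-proof variant: the container apps, plus any dependencies they carry.
    apps = select_applications(APPS_SEEN, container=True)
    for query in clone_rule_requests("allow-web", "allow-web-apps", "trust",
                                     "untrust", apps, "allow", "REDACTED"):
        print(f"GET https://firewall.example/api/?{query}")
```

Compare `select_applications(APPS_SEEN, container=True)` with `container=False`: the first yields the two container names and will also match functional apps added to those containers in future content updates, the second yields only the functional apps seen so far plus their dependencies (ssl and web-browsing for slack-base), so new apps in the same container fall through to whatever rule matched them before. The commit query is queued last so the move has already placed the clone above the original in the rulebase when the commit runs.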