Security Policy Rule Optimization
Focus
Focus

Security Policy Rule Optimization

Table of Contents

Security Policy Rule Optimization

Migrate port-based Security rules to app-based rules, remove unused apps from rules, and safely enable apps without compromising availability.
Policy Optimizer provides a simple workflow to migrate your legacy Security policy rulebase to an App-ID based rulebase, which improves your security by reducing the attack surface and gaining visibility into applications so you can safely enable them. Policy Optimizer identifies port-based rules so you can convert them to application-based allow rules or add applications from a port-based rule to an existing application-based rule without compromising application availability. It also identifies over-provisioned App-ID based rules (App-ID rules configured with unused applications). Policy Optimizer helps you prioritize which port-based rules to migrate first, identify application-based rules that allow applications you don’t use, and analyze rule usage characteristics such as hit count.
Converting port-based rules to application-based rules improves your security posture because you select the applications you want to allow and deny all other applications, so you eliminate unwanted and potentially malicious traffic from your network. Combined with restricting application traffic to its default ports (set the Service to application-default), converting to application-based rules also prevents evasive applications from running on non-standard ports.
You can use this feature on:
  • Firewalls that run PAN-OS version 9.0 and have App-ID enabled.
  • Panorama running PAN-OS version 9.0. You don’t have to upgrade firewalls that Panorama manages to use the Policy Optimizer capabilities. However, to use the Rule Usage capabilities (Monitor Policy Rule Usage), managed firewalls must run PAN-OS 8.1 or later. If managed firewalls connect to Log Collectors, those Log Collectors must also run PAN-OS version 9.0. Managed PA-7000 Series firewalls that have a Log Processing Card (LPC) can also run PAN-OS 8.1 (or later).
  • For Strata Logging Service compatibility, Panorama running PAN-OS 10.0.3 or later with the Cloud Services plugin 2.0 Innovation or later installed.
    Policy Optimizer works with the Cloud Services plugin and Strata Logging Service for Panorama-managed firewalls only and it is not supported for use with Panorama Managed Prisma Access.
PA-7000 Series Firewalls support two logging cards, the PA-7000 Series Firewall Log Processing Card (LPC) and the high-performance PA-7000 Series Firewall Log Forwarding Card (LFC). Unlike the LPC, the LFC does not have disks to store logs locally. Instead, the LFC forwards all logs to one or more external logging systems, such as Panorama or a syslog server. If you use the LFC, the application usage information for Policy Optimizer does not display on the firewall because traffic logs aren’t stored locally. If you use the LPC, the traffic logs are stored locally on the firewall, so the application usage information for Policy Optimizer displays on the firewall.
Use this feature to:
  • Migrate port-based rules to application-based rules—Instead of combing through traffic logs and manually mapping applications to port-based rules, use Policy Optimizer to identify port-based rules and list the applications that matched each rule, so you can select the applications you want to allow and safely enable them. Converting your legacy port-based rules to application-based allow rules supports your business applications and enables you to block any applications associated with malicious activity.
  • Identify over-provisioned application-based rules—Rules that are too broad allow applications you don’t use on your network, which increases the attack surface and the risk of inadvertently allowing malicious traffic.
    Remove unused applications from Security policy rules to reduce the attack surface and keep the rulebase clean. Don’t allow applications that nobody uses on your network.
  • Add App-ID Cloud Engine (ACE) applications to Security policy rules—If you have a SaaS Security Inline subscription, you can use Policy Optimizer’s New App Viewer to manage cloud-delivered App-IDs in Security policy. The ACE documentation describes how to use Policy Optimizer to gain visibility into and control cloud-delivered App-IDs.
    The Policy Optimizer examples in this section do not show the New App Viewer because they depict firewalls that do not have a SaaS Security Inline subscription.
To migrate a configuration from a legacy firewall to a Palo Alto Networks device, see Best Practices for Migrating to Application-Based Policy.
You can’t sort Security policy rules in SecurityPolicies because sorting would change the rule order in the rulebase. However, under PolicesSecurityPolicy Optimizer, Policy Optimizer provides sorting options that don’t affect the rule order, so you can sort rules to prioritize which rules to convert or clean up first. You can sort rules by the amount of traffic during the past 30 days, the number of applications seen on the rule, the number of days with no new applications, and the number of applications allowed (for over-provisioned rules).
You can use Policy Optimizer in other ways as well, including validating pre-production rules and troubleshooting existing rules. Note that Policy Optimizer honors only Log at Session End and ignores Log at Session Start to avoid counting transient applications on rules.
Due to resource constraints, VM-50 Lite virtual firewalls don’t support Policy Optimizer.