Use Policy Optimizer to add apps seen on a port-based Security policy rule to an existing application-based rule.

In some cases, you may want to add applications learned (seen) on a port-based rule to a rule that already exists. For example, an administrator may create a cloned application-based rule for general business web applications from a port-based rule that allows internet access (a port 80/443 rule). Later, the administrator notices that the port-based internet access rule has seen more general business applications and wants to add some or all of them to the cloned application-based rule (cloning another application-based rule for the same type of application would create an unnecessary rule and complicate the rulebase).
This example assumes that an application-based Security policy rule to control general business traffic already exists or was cloned from a port-based internet access rule, as in the Rule Cloning Migration Use Case: Web Browsing and SSL Traffic. In that example, we cloned an application-based rule from the port-based internet access rule and changed the new rule’s Service to application-default to prevent web-based applications from using non-standard ports.
In addition to adding applications to an existing application-based rule, you can add applications to an existing port-based rule. This converts the port-based rule to an application-based rule for the applications you add to it. If you do this, go to the rule and change the Service to application-default to prevent the applications from using non-standard ports (otherwise the Service configured on the rule may not match the standard ports of the applications you added).
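The following is an added illustration, not part of this documentation page or of PAN-OS: it models the two cases above (adding seen apps to an application-based rule whose Service is application-default, versus adding them to a port-based rule that still carries an explicit Service) and reports when the rule's Service would not match an added application's standard ports. The rule fields, the function names and the small table of application standard ports are constructed assumptions for the example, not the firewall's App-ID database.

```python
from dataclasses import dataclass

# Constructed subset of App-ID standard ports used only by this example
# (assumption: illustrative values, not the firewall's own App-ID data).
APP_DEFAULT_PORTS = {
    "web-browsing": {"tcp/80"},
    "ssl": {"tcp/443"},
    "ssh": {"tcp/22"},
    "dns": {"tcp/53", "udp/53"},
}


@dataclass
class SecurityRule:
    name: str
    applications: set   # {"any"} for a port-based rule
    service: set        # {"application-default"}, {"any"}, or explicit services


def add_seen_apps(rule, seen_apps, app_ports=APP_DEFAULT_PORTS):
    """Add applications seen on a port-based rule to `rule`.

    Returns (updated_rule, warnings). Warnings list each added application
    whose standard ports the rule's explicit Service does not cover, or a
    single warning if Service is any. With Service = application-default
    there are no warnings: each app is confined to its standard ports.
    """
    apps = set() if rule.applications == {"any"} else set(rule.applications)
    apps |= set(seen_apps)
    updated = SecurityRule(rule.name, apps, set(rule.service))
    warnings = []
    if updated.service == {"any"}:
        warnings.append(f"{rule.name}: Service is any, added apps may use "
                        "non-standard ports; set Service to application-default")
    elif updated.service != {"application-default"}:
        for app in sorted(seen_apps):
            missing = app_ports.get(app, set()) - updated.service
            if missing:
                warnings.append(f"{rule.name}: {app} uses {sorted(missing)}, "
                                f"not in Service {sorted(updated.service)}; "
                                "set Service to application-default")
    return updated, warnings
```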
This example does not apply to using the New App Viewer to add App-ID Cloud Engine (ACE) applications to an existing rule (see the ACE documentation for examples of how to do this); ACE requires a SaaS Security Inline license.