Security Policy Rule Optimization
Migrate port-based Security rules to app-based rules,
remove unused apps from rules, and safely enable apps without compromising
availability.
Policy Optimizer provides a simple workflow
to migrate your legacy Security policy rulebase to an App-ID based
rulebase, which improves your security by reducing the attack surface
and gaining visibility into applications so you can safely enable
them. Policy Optimizer identifies port-based rules so you can convert
them to application-based allow rules or add applications from a
port-based rule to an existing application-based rule without compromising
application availability. It also identifies over-provisioned App-ID
based rules (App-ID rules configured with unused applications).
Policy Optimizer helps you prioritize which port-based rules to
migrate first, identify application-based rules that allow applications
you don’t use, and analyze rule usage characteristics such as hit
count.
Converting port-based rules to application-based
rules improves your security posture because you select the applications
you want to allow and deny all other applications, so you eliminate
unwanted and potentially malicious traffic from your network. Combined
with restricting application traffic to its default ports (set the
Service to application-default), converting
to application-based rules also prevents evasive applications from
running on non-standard ports.
You can use this feature on:
Firewalls that run PAN-OS version 9.0 and have App-ID
enabled.
Panorama running PAN-OS version 9.0. You don’t have to upgrade
firewalls that Panorama manages to use the
Policy Optimizer capabilities.
However, to use the
Rule Usage capabilities
(
Monitor Policy Rule Usage), managed
firewalls must run PAN-OS 8.1 or later. If managed firewalls connect
to Log Collectors, those Log Collectors must also run PAN-OS version
9.0. Managed PA-7000 Series firewalls that have a Log Processing
Card (LPC) can also run PAN-OS 8.1 (or later).
For Strata Logging Service compatibility, Panorama running PAN-OS 10.0.3 or later with the
Cloud Services plugin 2.0 Innovation or later installed.
Cloud Managed Prisma Access and Panorama Managed Prisma Access in PAN-OS 10.2.4
or later with Cloud Service Plugin 5.0 or later.
PA-7000 Series Firewalls support two logging cards, the
PA-7000 Series Firewall Log Processing Card (LPC) and the high-performance
PA-7000 Series Firewall Log Forwarding Card (LFC). Unlike the LPC,
the LFC does not have disks to store logs locally. Instead, the
LFC forwards all logs to one or more external logging systems, such
as Panorama or a syslog server. If you use the LFC, the application
usage information for Policy Optimizer does not display on the firewall
because traffic logs aren’t stored locally. If you use the LPC,
the traffic logs are stored locally on the firewall, so the application
usage information for Policy Optimizer displays on the firewall.
Use this feature to:
- Migrate port-based rules to application-based rules—Instead
of combing through traffic logs and manually mapping applications
to port-based rules, use Policy Optimizer to identify port-based
rules and list the applications that matched each rule, so you can
select the applications you want to allow and safely enable them.
Converting your legacy port-based rules to application-based allow
rules supports your business applications and enables you to block
any applications associated with malicious activity.
- Identify over-provisioned application-based rules—Rules
that are too broad allow applications you don’t use on your network,
which increases the attack surface and the risk of inadvertently
allowing malicious traffic.
Remove unused
applications from Security policy rules to reduce the attack surface
and keep the rulebase clean. Don’t allow applications that nobody
uses on your network.
Add App-ID Cloud Engine (ACE) applications to Security
policy rules—If you have a
SaaS Security Inline subscription,
you can use Policy Optimizer’s
New App Viewer to manage
cloud-delivered App-IDs in Security policy. The
ACE documentation describes
how to use Policy Optimizer to gain visibility into and control
cloud-delivered App-IDs.
The Policy Optimizer examples
in this section do not show the New App Viewer because they depict
firewalls that do not have a SaaS Security Inline subscription.
You can’t sort Security policy rules in because sorting would
change the rule order in the rulebase. However, under , Policy Optimizer
provides sorting options that don’t affect the rule order, so you
can sort rules to prioritize which rules to convert or clean up
first. You can sort rules by the amount of traffic during the past
30 days, the number of applications seen on the rule, the number of
days with no new applications, and the number of applications allowed
(for over-provisioned rules).
You can use Policy Optimizer in other ways as well, including
validating pre-production rules and troubleshooting existing rules.
Note that Policy Optimizer honors only Log at Session End and
ignores Log at Session Start to avoid counting
transient applications on rules.
Due to resource constraints, VM-50 Lite virtual firewalls
don’t support Policy Optimizer.