Policy Optimizer identifies all applications seen on any legacy Security policy rule and provides an easy workflow for selecting the applications you want to allow on that rule. Additionally, it helps you remove unused applications from overprovisioned application-based rules. This simplified workflow allows you to migrate a legacy rule gradually and natively to an application-based rule so you can safely enable applications in your environment and improve your security posture.

(Beginning with PAN-OS^® 9.0.2) Policy Optimizer also gives you the option to select applications in a legacy Security policy rule and add applications to an existing rule so that you can leverage pre-existing App-ID™ based rules and eliminate the need to continually create new rules. You can also now choose between container app and specific apps seen so that the web interface clearly displays which applications have been seen on a rule and which ones were added as part of the container but that have not, yet, been seen on that rule.

You can now safely enable applications running over HTTP/2, without any additional configuration on the firewall. As more websites continue to adopt HTTP/2, the firewall can enforce security policy and detect and prevent threats on a per-stream basis. This visibility into HTTP/2 traffic enables you to secure web servers that provide services over HTTP/2, and allow your users to benefit from the speed and resource efficiency gains that HTTP/2 provides.