Security Policy Rule Optimization
Migrate port-based Security rules to app-based rules,
remove unused apps from rules, and safely enable apps without compromising
availability.
Policy Optimizer provides a simple workflow
to migrate your legacy Security policy rulebase to an App-ID based
rulebase, which improves your security by reducing the attack surface
and by giving you visibility into applications so you can safely enable
them. Policy Optimizer identifies port-based rules so you can convert them
to application-based allow rules, or add the applications seen on a port-based
rule to an existing application-based rule, without compromising
application availability. It also identifies over-provisioned App-ID
based rules (App-ID rules configured with applications that no traffic uses).
Policy Optimizer helps you prioritize which port-based rules to migrate
first, identify application-based rules that allow applications
you don’t use, and analyze rule usage characteristics such as hit
count.
Converting port-based rules to application-based
rules improves your security posture because you select the applications
you want to allow and deny all other applications, so you eliminate
unwanted and potentially malicious traffic from your network. Combined
with restricting application traffic to its default ports (set the Service
to application-default), converting to application-based
rules also prevents evasive applications from running on non-standard ports.
You can use this feature on:
- Firewalls that run PAN-OS version 9.0 and have App-ID enabled.
- Panorama running PAN-OS version 9.0. You don’t have to upgrade
firewalls that Panorama manages to use the Policy Optimizer capabilities.
However, to use the Rule Usage capabilities (Monitor Policy Rule Usage),
managed firewalls must run PAN-OS 8.1 or later. If managed firewalls
connect to Log Collectors, those Log Collectors must also run PAN-OS
version 9.0. Managed PA-7000 Series firewalls that have a Log Processing
Card (LPC) can also run PAN-OS 8.1 (or later).
PA-7000 Series Firewalls support two logging cards, the
PA-7000 Series Firewall Log Processing Card (LPC) and the high-performance
PA-7000 Series Firewall Log Forwarding Card (LFC). Unlike the LPC,
the LFC does not have disks to store logs locally. Instead, the
LFC forwards all logs to one or more external logging systems, such
as Panorama or a syslog server. If you use the LFC, the application usage
information for Policy Optimizer does not display on the firewall
because traffic logs aren’t stored locally. If you use the LPC,
the traffic logs are stored locally on the firewall, so the application
usage information for Policy Optimizer displays on the firewall.
Use this feature to:
- Migrate port-based rules to application-based rules—Instead
of combing through traffic logs and manually mapping applications
to port-based rules, use Policy Optimizer to identify port-based rules
and list the applications that matched each rule, so you can select
the applications you want to allow and safely enable them. Converting
your legacy port-based rules to application-based allow rules supports
your business applications and enables you to block any applications
associated with malicious activity.
- Identify over-provisioned application-based rules—Rules that
are too broad allow applications you don’t use on your network,
which increases the attack surface and the risk of inadvertently
allowing malicious traffic.
Remove unused
applications from Security policy rules to reduce the attack surface
and keep the rulebase clean. Don’t allow applications that nobody
uses on your network.
You can’t sort the rules in the Security rulebase itself because sorting would change
the rule order, and rule order determines which rule a session matches. However,
Policy Optimizer provides sorting options that don’t affect the
rule order to help you prioritize which rules to convert or clean
up first. You can sort rules by the amount of traffic during the
past 30 days, the number of applications seen on the rule, the number
of days with no new applications, and the number of applications
allowed (for over-provisioned rules).
You can use Policy Optimizer in other ways as well, including
validating pre-production rules and troubleshooting existing rules.
Note that Policy Optimizer honors only Log at Session
End and ignores Log at Session Start. At session start the firewall has
not yet seen enough of the session to finish identifying the application,
so counting start logs would attribute transient App-IDs to rules; only
the application recorded at session end is used.
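The following is an added example, not part of the original page and not Palo Alto Networks code. It shows in plain Python the logic Policy Optimizer applies as described above: map the applications seen in traffic logs to port-based rules, count only session-end records, rank candidate rules by traffic and by how many applications they carry, flag application-based rules configured with applications that never appear in the logs, and emit the change that converts a rule to an application-based rule with the Service set to application-default. The CSV layout, the rule definitions and the log lines are constructed for illustration (a subset of the real traffic log fields); the 30-day window is not modeled. The `set rulebase security rules ...` command shape is an assumption to be checked against the CLI reference for your PAN-OS version before use.

```python
"""Added example: reproduce the Policy Optimizer analysis over exported traffic logs."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample export. Columns are a simplified subset of the PAN-OS
# traffic log: log subtype (start/end), matched rule, App-ID, dst port, action.
SAMPLE_TRAFFIC_LOGS = """\
type,rule,app,dport,action
start,allow-web-out,incomplete,443,allow
end,allow-web-out,ssl,443,allow
end,allow-web-out,web-browsing,80,allow
end,allow-web-out,web-browsing,80,allow
end,allow-web-out,bittorrent,80,allow
start,allow-dns-out,incomplete,53,allow
end,allow-dns-out,dns,53,allow
end,allow-dns-out,dns,53,allow
end,allow-dns-out,dns,53,allow
end,legacy-any-out,ssh,22,allow
end,legacy-any-out,ssh,22,allow
end,legacy-any-out,ms-rdp,3389,allow
end,legacy-any-out,web-browsing,8080,allow
end,legacy-any-out,web-browsing,8080,allow
end,allow-ssh-out,ssh,22,allow
"""

# Constructed rulebase. A rule is port-based when its application is "any";
# allow-ssh-out is already app-based but configured with an app nobody uses.
RULES = {
    "allow-web-out": {"application": ["any"], "service": ["service-http", "service-https"]},
    "allow-dns-out": {"application": ["any"], "service": ["service-dns"]},
    "legacy-any-out": {"application": ["any"], "service": ["any"]},
    "allow-ssh-out": {"application": ["ssh", "telnet"], "service": ["application-default"]},
}


@dataclass
class RuleUsage:
    hits: int = 0                                   # sessions that matched the rule
    apps: dict = field(default_factory=lambda: defaultdict(int))  # App-ID -> sessions


def summarize_usage(log_text):
    """Return {rule: RuleUsage}, counting only Log at Session End records.
    Session-start logs are skipped: their App-ID (often 'incomplete') is transient."""
    usage = defaultdict(RuleUsage)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["type"] != "end":
            continue
        u = usage[row["rule"]]
        u.hits += 1
        u.apps[row["app"]] += 1
    return usage


def port_based_candidates(rules, usage):
    """Port-based rules ranked for migration: most traffic first, then fewest
    distinct applications (fewer apps means a simpler, safer conversion)."""
    cands = [(name, usage[name]) for name, cfg in rules.items() if cfg["application"] == ["any"]]
    return sorted(cands, key=lambda kv: (-kv[1].hits, len(kv[1].apps)))


def over_provisioned(rules, usage):
    """App-based rules configured with applications never seen in the logs."""
    result = {}
    for name, cfg in rules.items():
        if cfg["application"] == ["any"]:
            continue
        unused = sorted(set(cfg["application"]) - set(usage[name].apps))
        if unused:
            result[name] = unused
    return result


def migration_commands(rule_name, allowed_apps):
    """PAN-OS configure-mode commands that convert a rule to application-based
    with Service set to application-default. Command shape is an assumption:
    verify it against the CLI reference for your PAN-OS version."""
    apps = " ".join(sorted(allowed_apps))
    return [
        f"set rulebase security rules {rule_name} application [ {apps} ]",
        f"set rulebase security rules {rule_name} service application-default",
    ]


if __name__ == "__main__":
    usage = summarize_usage(SAMPLE_TRAFFIC_LOGS)
    for name, u in port_based_candidates(RULES, usage):
        print(f"{name}: {u.hits} sessions, apps seen: {dict(u.apps)}")
    print("over-provisioned:", over_provisioned(RULES, usage))
    # Operator decision (constructed): keep the business apps, leave out bittorrent.
    keep = [a for a in usage["allow-web-out"].apps if a != "bittorrent"]
    for cmd in migration_commands("allow-web-out", keep):
        print(cmd)
```

Running the block ranks legacy-any-out (five sessions, three applications) ahead of allow-web-out and allow-dns-out, reports telnet as unused on allow-ssh-out, and prints the two commands that turn allow-web-out into an application-based rule limited to default ports. The start-of-session rows, whose App-ID is still incomplete, never reach the counts.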
Due to resource constraints, VM-50 Lite virtual firewalls
don’t support Policy Optimizer.