Focus

Rule Cloning Migration Use Case: Web Browsing and SSL Traffic

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Migrate Port-Based to App-ID Based Security Policy Rules

Add Applications to an Existing Rule

Rule Cloning Migration Use Case: Web Browsing and SSL Traffic

Example of migrating port-based Security policy rules for web browsing and SSL traffic to app-based rules without affecting application availability.

A port-based rule that allows web access on TCP ports 80 (HTTP web-browsing) and 443 (HTTPS SSL) provides no control over which applications use those open ports. There are many web applications, so a general rule that allows web traffic allows thousands of applications, many of which you don’t want on your network.

This use case shows how to migrate a port-based policy that allows all web applications to an application-based policy that allows only the applications you want, so you can safely enable the applications you choose to allow. For rules that see a lot of applications, cloning the original port-based rule is safer than adding applications to the rule because adding replaces the port-based rule, so if you inadvertently forget to add a critical application, you affect application availability. And if you Match Usage, which also replaces the port-based rule, you allow all of the applications the rule has seen, which could be dangerous, especially with web browsing traffic.

Cloning the rule retains the original port-based rule and places the cloned rule directly above the port-based rule in the rulebase, so you can monitor the rules. Cloning also allows you to split rules that see a lot of different applications—such as a port-based web traffic rule—into multiple application-based rules so you can treat different groups of applications differently. When you’re sure you’re allowing all the applications you need to allow in the cloned rule (or rules), you can remove the port-based rule.

This example clones a port-based web traffic rule to create an application-based rule for social networking traffic (a subset of the application traffic seen on the port-based rule).

Navigate to PoliciesSecurityPolicy OptimizerNo App Specified to view the port-based rules.
Click Compare for the rule you want to migrate.
In this example, the port-based rule that allows web access is named Traffic to internet.
Use the sorting options to review and select the applications you want to allow from Apps Seen.

The number of Apps Seen is updated approximately every hour, so if you don’t see as many applications as you expect, check again after about an hour. Depending on the firewall’s load, it may take longer than one hour for these fields to update.

For example, click Subcategory to sort the applications, scroll to the social-networking subcategory, and then select the applications you want to allow.
Click Create Cloned Rule.
Create Cloned Rule shows the selected applications shaded green, the container apps shaded gray, individual applications in the container that haven’t been seen on the rule in italics, and individual applications that have been seen on the rule in normal text font. Scrolling through Applications shows all the container apps and their individual applications.

Create Cloned Rule also shows the application dependencies of the selected applications. Because we selected social applications but not web-browsing or ssl, web-browsing and ssl are among the listed application dependencies.
Name the cloned rule (in this example, the name will be Social Networking Apps).
Select the applications you want in the cloned rule.
For applications you don’t want to include, uncheck the corresponding box, which also unchecks the container app. If you don’t include the container app, then when new apps are added to the container, they won’t automatically be added to the rule.
If you uncheck the container app, all the individual applications in the container are unchecked and you must select the apps you want to add manually.
Click OK to create the cloned rule.
In PoliciesSecurity, the cloned rule (Social Networking Apps) is inserted in the rulebase above the original port-based rule (Traffic to internet).
Click the rule name to edit the cloned rule, which inherits the properties of the original port-based rule.
On the Service/URL Category tab, delete service-http and service-https from Service.
This changes the Service to application-default, which prevents applications from using non-standard ports and further reduces the attack surface.

If business needs require you to allow applications (for example, internal custom applications) on non-standard ports between particular clients and servers, restrict the exception to only the required application, sources, and destinations. Consider rewriting custom applications so they use the application default port.
On the Source, User, and Destination tabs, tighten the rule to apply to only the right users in only the right locations (zones, subnets).
For example, you may decide to limit social media activity to certain marketing, public relations, sales, and executive groups.
Click OK.
Commit the configuration.
Repeat the process for other application categories in the port-based web access rule until your application-based rules allow only the applications you want to allow on your network.
When traffic you want to allow stops hitting the original port-based rule for a sufficient amount of time to be confident that the port-based rule is no longer needed, you can remove the port-based rule from the rulebase.