Example of migrating port-based Security policy rules
for web browsing and SSL traffic to app-based rules without affecting
application availability.
A port-based rule that allows web access on
TCP ports 80 (HTTP web-browsing) and 443 (HTTPS SSL) provides no
control over which applications use those open ports. There are
many web applications, so a general rule that allows web traffic
allows thousands of applications, many of which you don’t want on
your network.
This use case shows how to migrate a port-based
policy that allows all web applications to an application-based
policy that allows only the applications you want, so you can safely
enable the applications you choose to allow. For rules that see
many applications, cloning the original port-based rule is safer
than adding applications to that rule, because adding applications
converts the port-based rule in place: if you inadvertently omit a
critical application, you affect application availability. Match
Usage also replaces the port-based rule, and it adds every
application the rule has seen, which can be dangerous, especially
for web-browsing traffic.
Cloning
the rule retains the original port-based rule and places the cloned
rule directly above the port-based rule in the rulebase, so you
can monitor the rules. Cloning also allows you to split rules that
see a lot of different applications—such as a port-based web traffic
rule—into multiple application-based rules so you can treat different
groups of applications differently. When you’re sure you’re allowing
all the applications you need to allow in the cloned rule (or rules),
you can remove the port-based rule.
This example clones a
port-based web traffic rule to create an application-based rule
for social networking traffic (a subset of the application traffic
seen on the port-based rule).
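To show why cloning above the port-based rule preserves availability while converting the rule in place does not, here is an added top-down first-match rulebase simulation (example code written for this page, not Palo Alto Networks code or a PAN-OS API). The rule names, the social-networking application list and the applications "seen" on the web rule are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    ports: frozenset              # allowed TCP destination ports
    apps: Optional[frozenset]     # None = any application (port-based); a set = app-based
    action: str = "allow"

def first_match(rulebase, port, app):
    """Evaluate top-down, first match wins; no match falls to an implicit deny."""
    for r in rulebase:
        if port in r.ports and (r.apps is None or app in r.apps):
            return r.name, r.action
    return "default", "deny"

def clone_above(rulebase, original, clone_name, apps):
    """Insert an app-based clone directly above the original rule; the original stays."""
    clone = Rule(clone_name, original.ports, frozenset(apps))
    idx = rulebase.index(original)
    return rulebase[:idx] + [clone, original] + rulebase[idx + 1:]

def replace_apps(rulebase, original, apps):
    """Convert the rule in place (what adding applications or Match Usage does)."""
    converted = Rule(original.name, original.ports, frozenset(apps))
    return [converted if r is original else r for r in rulebase]

def remove_rule(rulebase, original):
    return [r for r in rulebase if r is not original]

def blocked_apps(rulebase, seen, port=443):
    """Applications seen on the port that the rulebase would now deny (availability impact)."""
    return {app for app in seen if first_match(rulebase, port, app)[1] == "deny"}

# Constructed sample data: a port-based web rule and the App-IDs it has been seen to carry
WEB = Rule("web-access", frozenset({80, 443}), None)
RULEBASE = [Rule("allow-dns", frozenset({53}), frozenset({"dns"})), WEB]
SOCIAL = {"facebook-base", "twitter-base", "linkedin-base"}
SEEN = SOCIAL | {"web-browsing", "ssl", "box-base", "salesforce-base"}

if __name__ == "__main__":
    cloned = clone_above(RULEBASE, WEB, "web-access-social", SOCIAL)
    print("clone kept above port rule :", blocked_apps(cloned, SEEN))          # set()
    print("converted to social only   :", blocked_apps(replace_apps(RULEBASE, WEB, SOCIAL), SEEN))
    print("Match Usage (all seen apps):", blocked_apps(replace_apps(RULEBASE, WEB, SEEN), SEEN))
    print("clone, then port rule gone :", blocked_apps(remove_rule(cloned, WEB), SEEN))
```

The clone blocks nothing because unlisted applications still fall through to the port-based rule below it; removing that rule is the deliberate final step once the cloned rules cover everything you intend to allow.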