PAN-OS Web Interface Reference
    : Applications and Usage
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS Web Interface Reference
    4. Policies
    5. Policies > Security
    6. Applications and Usage
    Download PDF

    PAN-OS Web Interface Reference

    Applications and Usage

    Table of Contents
    End-of-Life (EoL)

    Applications and Usage

    • Policies > Security > Policy Optimizer > No App Specified > Compare (or click the number in Apps Seen)
    • Policies > Security > Policy Optimizer > Unused Apps > Compare (or click the number in Apps Seen)
    • Policies > Security and click the number in Apps Seen
    On the Usage tab of the Security policy rule, you can also Compare Applications & Applications Seen to access tools that help you to migrate from port-based Security policy rules to application-based Security policy rules and to eliminate unused applications from rules in Applications & Usage.
    Field
    Description
    Timeframe
    The time period for the application information:
    • Anytime—Displays applications seen over the lifetime of the rule.
    • Past 7 days—Displays only applications seen over the last 7 days.
    • Past 15 days—Displays only applications seen over the last 15 days.
    • Past 30 days—Displays only applications seen over the last 30 days.
    Apps on Rule
    The applications configured on the rule or Any if no specific applications are configured on the rule. You can Browse, Add, and Delete applications as needed, and applications are configured on a rule, the circled number next to Apps on Rule indicates how many. Adding applications from this location is the same as adding applications on the Security policy rule Application tab.
    Apps Seen
    All applications seen and allowed on the firewall that matched the rule. The circled number next to Apps Seen indicates how many applications were seen on the rule.
    • Applications—The applications seen on the rule. For example, if a rule allows web-browsing traffic (Apps on Rule), you may see many applications in the list because there are many web-browsing applications.
    • Subcategory—The subcategory of the application.
    • Risk—The risk rating of the application.
    • First Seen—The first day the application was seen on the network.
    • Last Seen—The most recent day the application was seen on the network.
      The granularity of measurement for First Seen and Last Seen is one day, so on the day you define a rule, the First Day and Last Day are the same day.
    • Traffic (30 days)—The amount of traffic in bytes seen during the last 30-day period.
      A longer time period would result in the oldest rules remaining at the top of the list because they are likely to have the most cumulative traffic. This can result in newer rules being listed below older rules even if the newer rules see heavy traffic.
    Apps Seen Actions
    Actions you can perform on Apps Seen:
    • Create Cloned Rule—Clones the current rule. When migrating from port-based rules to application-based rules, clone the port-based rule first and then edit the clone to create the application-based rule that allows the traffic. The cloned rule is inserted above the port-based rule in the policy list. Use this migration method to ensure that you don’t inadvertently deny traffic that you want to allow—if the cloned rule doesn’t allow all the applications you need, the port-based rule that follows allows them. Monitor the port-based rule and adjust the (cloned) application-based rule as needed. When you’re sure the application-based rule allows the traffic you want and only unwanted traffic filters through to the port-based rule, you can safely remove the port-based rule.
    • Add to This Rule—Adds applications from Apps Seen to the rule. Adding applications to the rule transforms a rule configured to match Any application (a port-based rule) to an application-based rule that allows the applications you specify (the new application-based rule replaces the port-based rule). Any applications that you don’t add to the rule are denied, just as with any other application-based rule. Be sure to identify all applications you want to allow and add them to the rule so you don’t accidentally deny an application.
    • Add to Existing Rule—Adds applications from Apps Seen to an existing application-based (App-ID) rule. This enables you to clone an App-ID-based rule from a port-based rule, then add more applications seen on port-based rules to the App-ID rule later.
    • Match Usage—Moves all Apps Seen into the rule (they are listed under Apps on Rule after you Match Usage). If you are certain that the rule should allow all listed applications, Match Usage is very convenient. However, you must be certain that all listed applications are applications you want to allow on your network. If many applications have been seen on the rule (for example, on a rule that allows web-browsing), it’s better to clone the rule and transition to an application-based rule. Match Usage works well for simple rules with well-known applications. For example, if a port-based rule for port 22 has only seen SSH traffic (and that’s all it should see), it’s safe to Match Usage.
    Clone dialog
    Add to This Rule dialog
    Add Apps to Existing Rule dialog
    When you select applications from Apps Seen and Create Cloned Rule or Add to Rule that have related applications, these dialogs list:
    • Name (Clone and Add Apps to Existing Rule dialogs only).
      • Clone: Enter the name of the new cloned rule.
      • Add Apps to Existing Rule: Select the rule to which to add applications from the drop-down menu or enter the name of the rule.
    • Applications:
      • Add container app (default): Selects the checkboxes of all the container apps, the apps seen on the rule, and the apps in the container that have not been seen on the rule.
      • Add specific apps seen: Selects only the apps that have actually been seen on the rule and deselects everything else. (You can manually select container apps and other apps.)
    • Application:
      • The selected applications that were seen on the rule, highlighted green.
      • Container apps, highlighted gray, with their individual applications listed below.
      • Individual applications in a container that have been seen on the rule but were not selected in Applications & Usage(normal text).
      • Individual applications in a container that have not been seen on the rule (italics).
      • The date applications were Last Seen on the rule.
    • Dependent Applications:
      • The checkbox for adding application dependencies is checked by default because these applications are required for the selected application to run.
      • Depends On—The list of dependent applications for the selected applications. The applications you selected require these dependent applications to run.
      • Required By—Lists the application that requires the dependent application (Depends On). (Sometimes a dependent application in turn requires another dependent application.)
    The Clone, Add to Rule, and Add Apps to Existing Rule dialogs help to ensure that applications don’t break and enable you to future-proof the rule by including relevant individual applications that are related to the applications you’re cloning or adding to a rule.

    © 2024 Palo Alto Networks, Inc. All rights reserved.