Convert Simple Rules with Well-Known Apps After One Week

Convert legacy port-based security policy rules that control a small number of well-known applications after one week of monitoring production traffic.
After a week of monitoring production traffic, you can safely begin to convert simple port-based rules to App-ID based rules. Good candidates include rules for which only one or a small number of well-known applications should legitimately use the port because it’s fairly easy to determine which applications you want to allow on a simple rule. Examples include port 21 (FTP), port 22 (SSH), and port 53 (DNS).
Install the latest Content Updates before you begin converting rules to ensure you have the latest application signatures on your PAN-OS appliance. This example shows you how to sort port-based rules to find candidates for safe conversion and the options for converting those port-based rules directly to App-ID based rules.
  1. In
    Policies
    Security
    Policy Optimizer
    No App Specified
    , select
    Apps Seen
    and
    Sort Ascending
    to find the port-based rules that have seen the fewest applications.
    filter-by-app-seen-example.png
    The port-based rules that have seen the fewest applications are at the top of the
    No App Specified
    display. You can safely convert rules for specific services, such as SSH, directly to application-based rules and you can examine rules that have seen few applications to see if you can safely convert them.
    The port-based rule intended to allow Server Message Block (SMB) traffic has seen only three applications since migrating the configuration to the PAN-OS appliance and therefore is a candidate for conversion.
  2. Click the
    Apps Seen
    number or
    Compare
    to examine the applications seen on the rule.
    Applications & Usage
    shows the applications actually seen in the traffic that match the rule.
    smb-apps-seen-for-rule-conversion.png
  3. Evaluate whether you want to allow all, some, or none of the applications seen on the rule and select the applications you want to allow.
    You can match the exact usage of the rule, future-proof the rule by adding the container apps, or select individual applications to add to the rule.
    • If you want the rule to allow all applications exactly as matched on the rule:
      1. Select all
        Applications
        in
        Apps Seen
        ).
      2. Click
        Match Usage
        .
      3. Click
        OK
        to convert the port-based rule to an App-ID based rule.
      4. Set the
        Service
        to
        application-default
        so that no evasive, malicious applications can use the port.
    • If you want to allow all of the applications seen on the rule and future-proof the rule by adding their container applications (so all applications within each container are allowed and applications added to the container app later are automatically allowed):
      1. Leave all the applications selected and
        Add to Rule
        .
        smb-add-all-to-rule-container-apps.png
        The gray-shaded applications are the container apps. The green-shaded applications are the applications seen on the rule. The unshaded applications belong to the same container app but have not been seen on the rule.
      2. Click
        OK
        . Only the container apps appear in
        Apps on Rule
        because they include (allow) all of the applications they contain:
        smb-container-apps-added-to-rule.png
      3. Click
        OK
        to convert the rule.
      4. Set the
        Service
        to
        application-default
        so that no evasive, malicious applications can use the port.
    • If you want to allow only some of the applications or if you want to select the applications to allow within a container app, select those applications and then click
      Add to Rule
      . For example, if you decide not to allow msrpc-base and select only ms-ds-smbv2 and ms-ds-smb-base and
      Add to Rule
      , Policy Optimizer shows you the related applications in the container app (ms-ds-smb, shaded gray) and provides the opportunity to future-proof the rule by adding those applications:
      1. Select the applications you want to allow and then click
        Add to Rule
        .
        For example, if you decide not to allow msrpc-base and select only ms-ds-smbv2 and ms-ds-smb-base and
        Add to Rule
        , Policy Optimizer shows you the related applications in the container app (ms-ds-smb, shaded gray) and provides the opportunity to future-proof the rule by adding those applications:
        smb-add-to-rule-future-proof.png
        The green-shaded applications are the applications seen on the rule. The unshaded applications belong to the same container app but have not been seen on the rule. In this case, you may choose to allow ms-ds-smbv3 to future-proof the rule but not to allow ms-ds-smbv1 because it’s an older protocol.
      2. You can allow all of the applications or select which applications to allow.
        To allow all of the applications, click
        OK
        .
        Apps on Rule
        shows the selected applications. Click
        OK
        to convert the rule.
        To allow only selected applications, deselect the undesired applications. If you deselect an application in a container, the container app is also deselected so it doesn’t automatically allow its child apps.
        smb-add-to-rule-deselect-child-app.png
      3. Click
        OK
        .
        Apps on Rule
        shows the selected applications.
      4. Click
        OK
        to convert the rule.
      5. Set the
        Service
        to
        application-default
        so that no evasive, malicious applications can use the port.

Recommended For You