After 30 days of monitoring production traffic, you can safely begin to convert the rest of the port-based rules to App-ID based rules and clean up the rulebase. A good place to start is with cleaning up unused rules to reduce the attack surface. After that, start converting rules to App-ID at the perimeter with your outbound internet access (port 80/443) rule, because that rule likely sees more traffic with more applications than any other rule, which also means it’s the rule that carries the most risk.

Install the latest Content Updates before you begin converting rules to ensure you have the latest application signatures on your PAN-OS appliance.

Policy Optimizer provides many intuitive ways to sort, filter, and prioritize which rules to convert first. After you remove unused rules and convert the web access rule to App-ID, the rules you choose to prioritize depend on your business and security requirements. The following sections provide ideas and methods for using simple yet powerful sorting and filtering options to identify and prioritize rules to convert after the first 30 days: