Best Practices for Migrating to Application-Based Policy
    : Remove Unused Rules
    Focus
    Download PDF
    Focus
    1. Home
    2. Best Practices
    3. Best Practices for Migrating to Application-Based Policy
    4. Best Practices for Migrating to Application-Based Policy
    5. Migrate to Application-Based Policy Using Policy Optimizer
    6. Rules to Begin Converting After 30 Days
    7. Remove Unused Rules
    Download PDF

    Best Practices for Migrating to Application-Based Policy

    Remove Unused Rules

    Table of Contents
    End-of-Life (EoL)

    Remove Unused Rules

    To reduce the attack surface, get rid of rules you don’t use.
    The migrated rulebase often contains rules that aren’t in use because no application traffic matches those rules. Unused rules clutter the rulebase and offer avenues of attack to adversaries. Remove these rules to clean up the rulebase and reduce the attack surface, or modify them so they apply to application traffic and serve a legitimate purpose in the rulebase.
    Unused rules may exist for a number of reasons. Rules governing services and applications that the business once used but replaced with other applications may be in the rulebase. A rule that precedes an unused rule may control the applications that would otherwise match the unused rule. In some cases, unused rules are old rules created by administrators who are no longer with the company and no current administrators know the rule’s intent.
    View rules over any
    Timeframe
     you choose (
    Policies
    Security
    Policy Optimizer
    Rule Usage
    ). Set the
    Usage
     to
    Unused
     to filter out rules that have seen application traffic.
    1. Identify unused rules.
      In
      Policies
      Security
      Policy Optimizer
      Rule Usage
      , set the
      Timeframe
       to
      All time
      , set the
      Usage
       to
      Unused
       (to display only rules with a Hit Count of zero), and
      Exclude rules reset during the last 30 days
       (to prevent displaying recently reset rules that may not have seen traffic over the last few days but that may see traffic over a longer time period). The result is a list of rules that have not seen application traffic over the selected
      Timeframe
      .
    2. Evaluate rules that have seen no traffic and determine if they are needed or if you can disable them.
      In this example, the business used Tsunami file transfer in the past, but investigation shows that the business no longer uses Tsunami, so there is no reason to allow Tsunami application traffic on the network.
    3. Disable
       or
      Delete
       the rule.
      In
      Policies
      Security
      , select the Tsunami file transfer rule and either
      Disable
       or
      Delete
       the rule.
      Disabling the rule is safer in case it turns out that your business needs the application, even though it hasn’t seen any traffic. (This may happen if you don’t take quarterly and annual events into account when investigating whether the business uses an application or if the application is required for a contractor or partner whose traffic only accesses the network periodically.) After a reasonable period of time, delete unused rules that you disabled earlier.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.