Next Steps to Adopt Security Best Practices

Continue to improve network security after you convert legacy port-based rules to application-based rules.
After you finish your first pass at converting port-based rules to application-based rules, consider the following steps to strengthen your Security policy rulebase and improve network security:
  • Use Expedition’s Rule Enrichment capability, which uses machine learning to examine and consolidate your policy configuration.
  • Run the Best Practice Assessment (BPA) regularly to measure progress toward achieving your App-ID adoption goal and to identify additional weaknesses. When you reach your goal, use the BPA to identify areas where you can continue to improve adoption and further safeguard your network.
  • Policy Optimizer converts port-based rules to App-ID based rules but doesn’t change anything else about the rules. After you convert legacy rules to App-ID based rules, tighten the rules to reduce the attack surface and increase visibility:
    • Set the Service to application-default to prevent applications from using non-standard ports. For internal custom applications, define default ports and then apply application-default.
    • At the perimeter (internet gateway), for web applications, use URL Filtering categories to prevent access to risky websites.
    • Configure User-ID to control who has access to applications.
    • Configure Log Forwarding to centralize the logs from multiple PAN-OS appliances, to send email alerts to specific administrators or groups for specific alerts, and to preserve logs for historical analysis.
    • Configure best practice Security profiles for Antivirus, Anti-Spyware, Vulnerability Protection, File Blocking, and WildFire Analysis, and apply them to App-ID Security policy rules.
    • Consider using Iron-Skillet templates, available on GitHub, to get started and bootstrap your initial best practice configuration.
  • Maintain the App-ID deployment. As you add rules for new applications, including internal custom applications, create App-ID based rules that help keep your network safe. Don’t revert to using port-based rules that don’t give you visibility into application traffic or allow you to inspect and control it. Learn more about App-ID in the PAN-OS Administrator’s Guide.
  • As you tighten up the Security policy rulebase, consider applying other protections to your network, such as best practices for decrypting traffic and for DoS and Zone protection.
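One way to find converted rules that still need the tightening steps listed above, as an added example rather than Palo Alto Networks code. It assumes the Security rulebase is available as XML in the layout of the constructed sample below; the rule names, the `inhouse-erp` application, and the `bp-profiles` and `central-logs` names are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a PAN-OS Security rulebase export.
# Rule, application, profile-group and log-profile names are illustrative only.
SAMPLE_CONFIG = """<rulebase><security><rules>
  <entry name="web-out">
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service><action>allow</action>
    <profile-setting><group><member>bp-profiles</member></group></profile-setting>
    <log-setting>central-logs</log-setting>
  </entry>
  <entry name="legacy-tcp-8080">
    <application><member>any</member></application>
    <service><member>service-tcp-8080</member></service><action>allow</action>
  </entry>
  <entry name="custom-app">
    <application><member>inhouse-erp</member></application>
    <service><member>any</member></service><action>allow</action>
    <log-setting>central-logs</log-setting>
  </entry>
  <entry name="block-all">
    <application><member>any</member></application>
    <service><member>any</member></service><action>deny</action>
  </entry>
</rules></security></rulebase>"""

def members(rule, tag):
    """Return the <member> values under one child element of a rule."""
    return [m.text for m in rule.findall(f"{tag}/member")]

def audit_rules(xml_text):
    """Map each allow rule to the tightening steps it is still missing."""
    findings = {}
    for rule in ET.fromstring(xml_text).findall(".//security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue  # the checks below only matter for traffic that is allowed
        checks = [
            ("application is any (still port-based)", "any" in members(rule, "application")),
            ("service is not application-default", members(rule, "service") != ["application-default"]),
            ("no Security profiles attached", rule.find("profile-setting") is None),
            ("no Log Forwarding profile", rule.find("log-setting") is None),
        ]
        issues = [msg for msg, failed in checks if failed]
        if issues:
            findings[rule.get("name")] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_rules(SAMPLE_CONFIG).items():
        print(f"{name}: {'; '.join(issues)}")
```

The `custom-app` rule shows the case the list calls out for internal custom applications: it has an App-ID but still allows any port until default ports are defined and application-default is applied.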
If you need help migrating your legacy device configuration to Palo Alto Networks appliances, contact the Palo Alto Networks Professional Services group, which has a wealth of migration experience you can leverage to achieve a successful migration and a successful conversion to App-ID.
