Next Steps to Adopt Security Best Practices
Continue to improve network security after you convert legacy port-based rules to application-based rules.
After you finish your first pass at converting port-based rules to application-based rules, consider the following steps to strengthen your Security policy rulebase and improve network security:
- Run the Best Practice Assessment (BPA) regularly to measure progress toward achieving your App-ID adoption goal and to identify additional weaknesses. When you reach your goal, use the BPA to identify areas where you can continue to improve adoption and further safeguard your network.
- Policy Optimizer converts port-based rules to App-ID based rules but doesn’t change anything else about the rules. After you convert legacy rules to App-ID based rules, tighten the rules to reduce the attack surface and increase visibility:
  - Set the Service to application-default to prevent applications from using non-standard ports. For internal custom applications, define default ports and then apply application-default.
  - Configure Log Forwarding to centralize the logs from multiple PAN-OS appliances, to send email alerts to specific administrators or groups for specific alerts, and to preserve logs for historical analysis.
- Maintain the App-ID deployment. As you add rules for new applications, including internal custom applications, create App-ID based rules that help keep your network safe. Don’t revert to using port-based rules that don’t give you visibility into application traffic or allow you to inspect and control it. Learn more about App-ID in the PAN-OS Administrator’s Guide.
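The tightening step above is easy to check for yourself between BPA runs. The following script is an added example, not part of this page or of any Palo Alto Networks tool: it walks a PAN-OS XML configuration export and flags allow rules that either still use application any (a port-based rule with no App-ID visibility) or list applications but pin the service to a fixed service object instead of application-default. The XPath assumes the standard firewall layout (/config/devices/entry/vsys/entry/rulebase/security/rules); Panorama device-group pre- and post-rulebases live under a different path and are not covered here. The embedded configuration fragment is constructed for illustration and is not a real export.

```python
"""Audit a PAN-OS XML configuration export for allow rules that still permit
traffic on ports App-ID has not tied to the listed applications.
Added example; not Palo Alto Networks code."""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed running-config fragment, not a real export.
SAMPLE_CONFIG = """\
<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="web-out">
        <from><member>trust</member></from><to><member>untrust</member></to>
        <application><member>web-browsing</member><member>ssl</member></application>
        <service><member>application-default</member></service>
        <action>allow</action>
      </entry>
      <entry name="legacy-8443">
        <from><member>trust</member></from><to><member>dmz</member></to>
        <application><member>ssl</member></application>
        <service><member>tcp-8443</member></service>
        <action>allow</action>
      </entry>
      <entry name="port-only">
        <from><member>trust</member></from><to><member>untrust</member></to>
        <application><member>any</member></application>
        <service><member>service-http</member></service>
        <action>allow</action>
      </entry>
      <entry name="block-all">
        <from><member>any</member></from><to><member>any</member></to>
        <application><member>any</member></application>
        <service><member>any</member></service>
        <action>deny</action>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>
"""

# Firewall (non-Panorama) location of the security rulebase; assumed standard layout.
RULES_XPATH = "./devices/entry/vsys/entry/rulebase/security/rules/entry"


def members(rule, field):
    """Return the <member> values of a rule field (application, service, ...) as strings."""
    return [m.text.strip() for m in rule.findall(f"./{field}/member") if m.text]


def audit_rulebase(config_xml):
    """Return (rule name, finding) tuples for allow rules that need tightening.

    'application any'                      - still a port-based rule; App-ID gives
                                             no visibility or control here.
    'service not application-default: ...' - an App-ID rule whose fixed service
                                             object lets the listed applications
                                             run on a non-standard port.
    Deny/drop rules are skipped: they do not widen the attack surface.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.findall(RULES_XPATH):
        name = rule.get("name")
        if rule.findtext("action", default="") != "allow":
            continue
        apps = members(rule, "application")
        services = members(rule, "service")
        if "any" in apps:
            findings.append((name, "application any"))
        elif services != ["application-default"]:
            findings.append(
                (name, "service not application-default: " + ",".join(services))
            )
    return findings


if __name__ == "__main__":
    for name, finding in audit_rulebase(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Run it against a saved export (for example the running-config.xml downloaded from Device, Setup, Operations) by reading the file into audit_rulebase in place of SAMPLE_CONFIG. A clean rulebase returns an empty list; each finding names a rule to revisit, either by converting it with Policy Optimizer or by switching its service to application-default once any internal custom applications have their default ports defined.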
If you need help migrating your legacy device configuration to Palo Alto Networks appliances, contact the Palo Alto Networks Professional Services group, whose migration experience you can draw on for a successful migration and conversion to App-ID.