Safely Enable Applications Using a Phased Transition

Migrate to App-ID based Security policy in stages to reduce the attack surface and improve network security.
The glaring weaknesses of port-based Security policy are well known: you can’t see which applications use a port, so any malicious application can gain access to your network on open ports such as port 80 (HTTP) or port 53 (DNS). This makes it easier for attackers to install malware, move laterally through the network, exfiltrate data, and compromise your network because you have no visibility into the applications on your network and no ability to prevent the threats that their traffic conceals.
In contrast, application-based Security policy using App-ID™ provides visibility into applications regardless of port, protocol, encryption (SSL or SSH), or evasive tactics, so you know exactly which applications are on your network and you can inspect their traffic for threats. Application-specific policies enable safe access because you can configure Security policy rules that allow only the right users to access the right applications in the right places and you can apply threat prevention profiles to those rules. Using App-ID to classify applications reduces the attack surface because you allow only the applications required to support your business on the network and automatically block unwanted applications. Allowing what you want and blocking everything else is much easier and safer than the endless task of attempting to block all the individual applications you don’t want.
Migrate to App-ID in phases:
  1. Use Expedition to import a legacy rulebase, clean it up, and achieve a like-for-like migration to a Palo Alto Networks next-generation firewall or Panorama appliance. Expedition is distributed as a virtual machine (VM).
  2. Run the PAN-OS firewall or appliance in your network production environment so it can learn and categorize the applications on your network.
  3. After at least one week of logging traffic, run the Best Practice Assessment (BPA) to set a baseline, and then use Policy Optimizer to begin safely converting port-based rules to application-based rules and securing your network. (You can convert some simple rules that allow well-known applications after about a week; for other rules that see many applications, such as a general outbound internet access rule, wait at least 30 days to gather application information.) Take a phased approach to safely convert the rules based on your business needs and priorities.
  4. (Optional) After you use Policy Optimizer to convert the rulebase to App-ID, reimport the configuration into Expedition and use the Rule Enrichment features to further simplify and refine the rulebase.
  5. Maintain the App-ID deployment as you introduce new applications to your network. Run the BPA after the first conversion pass through the port-based rules and periodically thereafter to measure progress and discover other areas to improve security.
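The triage logic behind step 3 (convert simple rules after about a week, wait at least 30 days on rules that see many applications) can be illustrated with a small script. This is an added example, not Policy Optimizer or any Palo Alto Networks code: it reads constructed traffic-log lines in a simplified CSV shape (rule name, App-ID application, destination port, log date), groups the observed applications per port-based rule, and reports which rules have enough observation time to convert and which still need a longer logging window. The field names, thresholds and sample rows are assumptions made for the illustration.

```python
"""Toy App-ID conversion triage over constructed traffic-log lines.

Added illustration, not Policy Optimizer code. It mimics the idea of
grouping the applications observed on each port-based rule and deciding
which rules are ready to convert (few apps, about a week of logs) and
which need the longer 30-day window described on the page.
"""
import csv
from datetime import date
from io import StringIO

# Constructed sample log lines (rule, app, dst port, date). Not real data;
# the columns are a simplified stand-in for a firewall traffic log export.
SAMPLE_LOGS = """\
rule,app,dport,log_date
allow-dns,dns,53,2024-03-01
allow-dns,dns,53,2024-03-08
allow-dns,dns,53,2024-03-09
allow-web-out,web-browsing,80,2024-03-01
allow-web-out,ssl,443,2024-03-01
allow-web-out,dropbox,443,2024-03-02
allow-web-out,facebook-base,443,2024-03-03
allow-web-out,youtube-base,443,2024-03-10
allow-web-out,ssl,443,2024-03-15
"""

SIMPLE_APP_LIMIT = 2    # assumption: at most this many apps counts as "simple"
SIMPLE_MIN_DAYS = 7     # page: about a week is enough for simple rules
COMPLEX_MIN_DAYS = 30   # page: wait at least 30 days on busy rules


def parse_logs(text):
    """Return {rule: {"apps": set, "first": date, "last": date}}."""
    summary = {}
    for row in csv.DictReader(StringIO(text)):
        seen = date.fromisoformat(row["log_date"])
        entry = summary.setdefault(
            row["rule"], {"apps": set(), "first": seen, "last": seen}
        )
        entry["apps"].add(row["app"])
        entry["first"] = min(entry["first"], seen)
        entry["last"] = max(entry["last"], seen)
    return summary


def days_observed(entry):
    """Inclusive span of days between the first and last log entry for a rule."""
    return (entry["last"] - entry["first"]).days + 1


def triage(summary):
    """Classify each rule as ('convert', [apps]) or ('wait', days_remaining).

    A rule with few applications is a conversion candidate after about a week;
    a rule that sees many applications must accumulate the longer window first.
    """
    result = {}
    for rule, entry in summary.items():
        days = days_observed(entry)
        n_apps = len(entry["apps"])
        needed = SIMPLE_MIN_DAYS if n_apps <= SIMPLE_APP_LIMIT else COMPLEX_MIN_DAYS
        if days >= needed:
            result[rule] = ("convert", sorted(entry["apps"]))
        else:
            result[rule] = ("wait", needed - days)
    return result


if __name__ == "__main__":
    for rule, verdict in triage(parse_logs(SAMPLE_LOGS)).items():
        if verdict[0] == "convert":
            print(f"{rule}: ready to convert; allow only {verdict[1]}")
        else:
            print(f"{rule}: keep logging, {verdict[1]} more day(s) needed")
```

Running the script reports `allow-dns` as ready to convert to an App-ID rule that allows only `dns`, while `allow-web-out`, which has already shown five distinct applications in 15 days, is held back until the 30-day window is complete. The thresholds are the page's guidance encoded as constants; in a real migration the decision also depends on business priority, which no log statistic captures.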
Policy Optimizer is available starting with PAN-OS 9.0. If you use Panorama to manage your next-generation firewalls, you don’t have to upgrade managed firewalls to PAN-OS 9.0 to use Policy Optimizer. You only need to upgrade Panorama to PAN-OS 9.0, send traffic logs from the managed firewalls to Panorama or Log Collectors running PAN-OS 9.0, and push policy from Panorama to the firewalls. Managed firewalls need to run PAN-OS 8.1 or later, and if they connect to Log Collectors, the Log Collectors must run PAN-OS 9.0. This provides a fast path for qualification so you can use Policy Optimizer to adopt policy based on App-ID quickly.
PA-7000 Series Firewalls support two logging cards, the PA-7000 Series Firewall Log Processing Card (LPC) and the high-performance PA-7000 Series Firewall Log Forwarding Card (LFC). Unlike the LPC, the LFC does not have disks to store logs locally. Instead, the LFC forwards all logs to one or more external logging systems, such as Panorama or a syslog server. If you use the LFC, the application usage information for Policy Optimizer does not display on the firewall because traffic logs aren’t stored locally. If you use the LPC, the traffic logs are stored locally on the firewall, so the application usage information for Policy Optimizer displays on the firewall. In both cases, the PA-7000 firewall can run PAN-OS 8.1 (or later) as long as the Log Collectors and Panorama run PAN-OS 9.0 or later.