Step 2: Create the Application Allow Rules
After you Identify
Your Application Allow List you are ready to create the next
part of the best practice internet gateway security policy rulebase:
the application allow rules. Every allow rule you create must allow
traffic based on application (not port) and, with the exception
of certain infrastructure applications that require user access
before the firewall can identify the user, must only allow access
to known users. Whenever possible, Create
User Groups for Access to Allowed Applications so that you
can limit user access to the specific users or user groups who have
a business need to access the application.
To convert
port-based rules to application-based rules, use Policy Optimizer, which
provides an intuitive way to view the applications on port-based
rules and convert them to application-based rules so you can safely
enable applications. Best Practices for Migrating
to Application-Based Policy shows you how to use Expedition to perform
a like-for-like migration from a legacy (port-based) firewall to
a Palo Alto Networks firewall (or Panorama) and then use Policy
Optimizer to convert the port-based policy to an application-based
policy.
When creating the application allow rules,
make sure to place more specific rules above more general rules.
For example, the rules for all of your sanctioned and infrastructure
applications would come before the rules that allow general access
to certain types of business and personal applications. This first
part of the rulebase includes the allow rules for the applications
you identified as part of your application allow list:
- Sanctioned applications you provision and administer for business and infrastructure purposes
- General business applications that your users may need to use in order to get their jobs done
- General applications you may choose to allow for personal use
Tag all sanctioned applications with the
predefined
Sanctioned
tag. Panorama and firewalls consider
applications without the Sanctioned tag as unsanctioned applications.Every
application allow rule also requires that you attach the best practice
security profiles to ensure that you are scanning all allowed traffic
for known and unknown threats. If you have not yet created these
profiles, then Create
Best Practice Security Profiles for the Internet Gateway.
And, because you can’t inspect what you can’t see, you must also
make sure you have configured the firewall to Decrypt
Traffic for Full Visibility and Threat Inspection.
- Allow access to your corporate DNS servers.Allow traffic only to sanctioned DNS servers. Use the DNS Security service to prevent connections to malicious DNS servers.Why do I need this rule?Rule Highlights
- Access to DNS is required to provide network infrastructure services, but it is commonly exploited by attackers.
- Allowing access only on your internal DNS server reduces your attack surface.
- Because this rule is very specific, place it at the top of the rulebase.
- Create an address object to use for the destination address to ensure that users only access the DNS server in your data center.
- Because users will need access to these services before they are logged in, you must allow access to any user.
- Allow access to other required IT infrastructure resources.Why do I need this rule?Rule Highlights
- Enable the applications that provide your network infrastructure and management functions, such as NTP, OCSP, STUN, and ping.
- While DNS traffic allowed in the preceding rule is restricted to the destination address in the data center, these applications may not reside in your data center and therefore require a separate rule.
- Because these applications run on the default port, allow access to any user (users may not yet be a known-user because of when these services are needed), and all have a destination address of any, contain them in a single application group and create a single rule to enable access to all of them.
- Users may not have logged in yet at the time they need access to the infrastructure applications, so make sure this rule allows access to any user.
- Allow access to IT sanctioned SaaS applications.Why do I need this rule?Rule Highlights
- With SaaS applications, your proprietary data is in the cloud. This rule ensures that only your known users have access to these applications (and the underlying data).
- Scan allowed SaaS traffic for threats.
- Create an application group to group all sanctioned SaaS applications.
- SaaS applications should always run on the application default port.
- Restrict access to your known users. See Create User Groups for Access to Allowed Applications.
- Allow access to IT provisioned on-premise applications.Why do I need this rule?Rule Highlights
- Business-critical data center applications are often leveraged in attacks during the exfiltration stage, using applications such as FTP, or in the lateral movement stage by exploiting application vulnerabilities.
- Many data center applications use multiple ports; setting the Service to application-default safely enables the applications on their standard ports. You should not allow applications on non-standard ports because it is often associated with evasive behavior.
- Create an application group to group all data center applications.
- Create an address group for your data center server addresses.
- Restrict access to your known users. See Create User Groups for Access to Allowed Applications.
- Allow access to applications your administrative users need.Why do I need this rule?Rule Highlights
- To reduce your attack surface, Create User Groups for Access to Allowed Applications.
- Because administrators often need access to sensitive account data and remote access to other systems (for example RDP), you can greatly reduce your attack surface by only allowing access to the administrators who have a business need.
- This rule restricts access to users in the IT_admins group.
- Create a custom application for each internal application or application that runs on non-standard ports so that you can enforce them on their default ports rather than opening additional ports on your network.
- If you have different user groups for different applications, create separate rules for granular control.
- Allow access to general business applications.Why do I need this rule?Rule Highlights
- Beyond the applications you sanction for use and administer for your users, there are a variety of applications that users may commonly use for business purposes, for example to interact with partners, such as WebEx, Adobe online services, or Evernote, but which you may not officially sanction.
- Because malware often sneaks in with legitimate web-based applications, this rule allows you to safely allow web browsing while still scanning for threats. See Create Best Practice Security Profiles for the Internet Gateway.
- Restrict access to your known users. See Create User Groups for Access to Allowed Applications.
- For visibility, Create an application filter for each type of application you want to allow.
- Attach the best practice security profiles to ensure that all traffic is free of known and unknown threats. See Create Best Practice Security Profiles for the Internet Gateway.
- (Optional) Allow access to personal applications.Why do I need this rule?Rule Highlights
- As the lines blur between work and personal devices, you want to ensure that all applications your users access are safely enabled and free of threats.
- By using application filters, you can safely enable access to personal applications when you create this initial rulebase. After you assess what applications are in use, you can use the information to decide whether to remove the filter and allow a smaller subset of personal applications appropriate for your acceptable use policies.
- Restrict access to your known users. See Create User Groups for Access to Allowed Applications.
- For visibility, create an application filter for each type of application you want to allow.
- Scan all traffic for threats by attaching your best practice security profile group. See Create Best Practice Security Profiles for the Internet Gateway.
- Allow general web browsing.Why do I need this rule?Rule Highlights
- While the previous rule allowed access to personal applications (many of them browser-based), this rule allows general web browsing.
- General web browsing is more risk-prone than other types of application traffic. You must Create Best Practice Security Profiles for the Internet Gateway and attach them to this rule in order to safely enable web browsing.
- Because threats often hide in encrypted traffic, you must Decrypt Traffic for Full Visibility and Threat Inspection if you want to safely enable web browsing.
- Use the same best practice security profiles as the other rules, except the Best Practice Internet Gateway File Blocking Profile profile, which is more stringent because general web browsing traffic is more vulnerable to threats, and the URL Filtering profile, which you should tighten as much as possible.
- Allow only known users, to prevent devices with malware or embedded devices from reaching the internet.
- Use application filters to allow access to general types of applications.
- Explicitly allow SSL as an application to allow users to browse to HTTPS sites that are excluded from decryption.
- Set the Service toapplication-default
