Convert Simple Rules with Well-Known Apps After One Week

Convert legacy port-based security policy rules that control a small number of well-known applications after one week of monitoring production traffic.
After a week of monitoring production traffic, you can safely begin to convert simple port-based rules to App-ID based rules. Good candidates are rules on which only one or a small number of well-known applications should legitimately use the port, because it is fairly easy to determine which applications to allow on such a rule. Examples include port 21 (FTP), port 22 (SSH), and port 53 (DNS). A week is enough for services that see continuous traffic; a rule whose legitimate traffic is periodic (for example, a monthly job) needs a longer monitoring window before you can trust the Apps Seen list.
Install the latest Content Updates before you begin converting rules to ensure you have the latest application signatures on your PAN-OS appliance. This example shows you how to sort port-based rules to find candidates for safe conversion and the options for converting those port-based rules directly to App-ID based rules.
  1. In Policies > Security > Policy Optimizer > No App Specified, select Apps Seen and Sort Ascending (or click the Apps Seen column header to reverse the current display order) to find the port-based rules that have seen the fewest applications.
    The port-based rules that have seen the fewest applications are at the top of the No App Specified display. You can safely convert rules for specific services, such as SSH, directly to application-based rules, and you can examine rules that have seen few applications to see whether you can safely convert them.
    In this example, the port-based rule intended to allow Server Message Block (SMB) traffic has seen only three applications since the configuration was migrated to the PAN-OS appliance, so it is a candidate for conversion.
  2. Click the Apps Seen number or Compare to examine the applications seen on the rule.
    Applications & Usage shows the applications actually seen in the traffic that matched the rule.
  3. Evaluate whether you want to allow all, some, or none of the applications seen on the rule and select the applications you want to allow.
    You can match the exact usage of the rule, future-proof the rule by adding the container apps, or select individual applications to add to the rule.
    • If you want the rule to allow all applications exactly as matched on the rule:
      1. Select all Applications in Apps Seen.
      2. Click Match Usage.
      3. Click OK to convert the port-based rule to an App-ID based rule.
      4. Set the Service to application-default so that each allowed application is permitted only on its standard (default) ports, which blocks evasive or malicious applications that try to use the port by running on non-standard ports.
    • If you want to allow all or some of the applications seen on the rule, or future-proof the rule by adding their container applications (so all applications within each container are allowed and applications added to the container app later are automatically allowed):
      1. Select all the applications and then Add to This Rule.
        The gray-shaded applications are the container apps. The green-shaded applications are the applications seen on the rule. The unshaded applications belong to the same container app but have not been seen on the rule.
        By default, Add container app is selected, so all of the applications in the container are also selected by default.
      2. If you only want the rule to include the applications that matched the rule, clear Add container app. Only the applications seen on the rule are added; the container app and the applications in the container that have not been seen on the rule are not selected. Click OK to add just the applications seen on the rule.
        If you want to include the container app and all of its applications in the rule, leave Add container app selected and then click OK. Only the container apps appear in Apps on Rule because they include (allow) all of the applications they contain, which also future-proofs the rule by allowing applications added to the container in the future.
      3. Click OK on the Usage tab to convert the rule.
      4. Set the Service to application-default so that each allowed application is permitted only on its standard (default) ports, which blocks evasive or malicious applications that try to use the port by running on non-standard ports.
    • If you want to allow only some of the applications within a container app:
      1. Select the applications you want to allow and then click Add to This Rule.
        For example, if you decide not to allow msrpc-base and select only ms-ds-smbv2 and ms-ds-smbv3 before you Add to This Rule, Policy Optimizer shows you the related applications in the container app (ms-ds-smb, shaded gray) and provides the opportunity to future-proof the rule by adding the container app with all of its current and future applications.
        The green-shaded applications are the applications seen on the rule. The unshaded applications belong to the same container app but have not been seen on the rule.
      2. Allow the whole container or only selected applications.
        To allow the container app and all of its current and future applications, leave the selection as it is.
        To allow only selected applications, deselect the undesired applications. If you deselect any application in a container, the container app is also deselected so that it does not automatically allow its child apps, including the ones you deselected.
      3. Click OK. Apps on Rule shows the selected applications.
      4. Click OK to convert the rule.
      5. Set the Service to application-default so that each allowed application is permitted only on its standard (default) ports, which blocks evasive or malicious applications that try to use the port by running on non-standard ports.
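The three conversion options above differ only in how the selected applications and their container apps resolve into the final Apps on Rule list. The following script is an added example, not Palo Alto Networks code or Policy Optimizer's own logic: it models that resolution for the SMB scenario in the text (Match Usage, adding the container, and the rule that deselecting any member also deselects the container) and then emits the PAN-OS configure-mode set commands that apply the result, including switching the Service to application-default. The container membership, the Apps Seen list, and the rule name "Allow SMB" are constructed for illustration; check the generated commands against your PAN-OS version (and use the device-group path on Panorama) before committing them.

```python
"""Model the Policy Optimizer choices for converting one port-based rule.

Added example, not Palo Alto Networks code. The SMB container membership and
the 'Apps Seen' list below are constructed to mirror the scenario in the text
and are not App-ID data. The generated commands follow PAN-OS configure-mode
'set' syntax for a firewall rulebase; verify them on your PAN-OS version.
"""

# Constructed: container app -> member applications (illustrative membership,
# not the real App-ID definition of ms-ds-smb).
CONTAINERS = {
    "ms-ds-smb": ["ms-ds-smbv1", "ms-ds-smbv2", "ms-ds-smbv3"],
}

# Constructed: the three applications Applications & Usage showed on the
# legacy SMB rule after a week of traffic.
APPS_SEEN = ["ms-ds-smbv2", "ms-ds-smbv3", "msrpc-base"]


def container_of(app):
    """Return the container app that contains `app`, or None if standalone."""
    for container, members in CONTAINERS.items():
        if app in members:
            return container
    return None


def match_usage(apps_seen):
    """Option 1 (Match Usage): the rule allows exactly the apps seen."""
    return sorted(set(apps_seen))


def proposed_selection(selected):
    """What the Add to This Rule dialog pre-checks when 'Add container app' is
    on: the apps you picked plus every sibling in their containers (the
    unshaded, not-yet-seen apps), so the whole container can be added."""
    expanded = set(selected)
    for app in selected:
        container = container_of(app)
        if container:
            expanded.update(CONTAINERS[container])
    return sorted(expanded)


def resolve_apps_on_rule(final_selection, add_container_app=True):
    """Turn the dialog's final check-box state into the Apps on Rule list.

    A container replaces its members only when 'Add container app' is on and
    every member is still checked. Deselecting any one member deselects the
    container, so only the individually checked members remain on the rule.
    """
    final_selection = set(final_selection)
    apps_on_rule = set()
    for app in final_selection:
        container = container_of(app)
        whole_container = (
            container is not None
            and add_container_app
            and set(CONTAINERS[container]) <= final_selection
        )
        apps_on_rule.add(container if whole_container else app)
    return sorted(apps_on_rule)


def set_commands(rule_name, apps_on_rule):
    """Configure-mode commands that apply the conversion to `rule_name`.

    The legacy rule has application 'any' and a port-based service object, so
    both nodes are deleted first; a bare 'set' would only append to the
    existing member lists instead of replacing them.
    """
    base = f'rulebase security rules "{rule_name}"'
    return [
        f"delete {base} application",
        f"set {base} application [ {' '.join(apps_on_rule)} ]",
        f"delete {base} service",
        f"set {base} service application-default",
    ]


if __name__ == "__main__":
    # Option 3 from the text: keep ms-ds-smbv2/v3, drop msrpc-base, and accept
    # the container so SMB versions added to it later are covered.
    picked = ["ms-ds-smbv2", "ms-ds-smbv3"]
    checked = proposed_selection(picked)           # dialog adds ms-ds-smbv1
    apps = resolve_apps_on_rule(checked)           # collapses to ms-ds-smb
    for line in set_commands("Allow SMB", apps):
        print(line)
```

Running the script prints the four commands for the container-app variant; calling `resolve_apps_on_rule(APPS_SEEN, add_container_app=False)` instead reproduces Match Usage, and removing any one SMB version from `checked` before resolving shows the container dropping out of the result, which is the deselection behaviour described in step 2 of the last option.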
