Types of legacy port-based security policy rules to convert
to application-based rules after a month of monitoring production
After 30 days of monitoring production
traffic, you can safely begin to convert the rest of the port-based
rules to App-ID-based rules and clean up the rulebase. A good place
to start is with cleaning up unused rules to reduce the attack surface.
After that, start converting rules to App-ID at the perimeter with
your outbound internet access (port 80/443) rule, because that rule
likely sees more traffic with more applications than any other rule,
which also means it’s the rule that carries the most risk.
Install the latest Content Updates before
you begin converting rules to ensure you have the latest application
signatures on your PAN-OS appliance.
Policy Optimizer provides many intuitive ways to sort, filter,
and prioritize which rules to convert first. After you remove unused
rules and convert the web access rule to App-ID, the rules you choose
to prioritize depend on your business and security requirements.
The following sections provide ideas and methods for using simple
yet powerful sorting and filtering options to identify and prioritize
rules to convert after the first 30 days:
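As an added example (this is not Palo Alto Networks code and not how Policy Optimizer is implemented), the following Python models the cleanup-and-prioritize steps described above on constructed rule records: it drops rules with no hits in the 30-day window, ranks the remaining port-based rules so the perimeter rule that saw the most distinct applications is converted first, and drafts the App-ID replacement (observed applications on `application-default`) while setting aside observed applications that are not on a sanctioned list for review. The rule names, zone name, service object names, hit and byte counts, and the sanctioned-application list are all assumptions invented for the example.

```python
from dataclasses import dataclass

# Constructed rule records modelled on the fields Policy Optimizer surfaces
# (hit count, apps seen). Every value below is invented for this example.
@dataclass(frozen=True)
class Rule:
    name: str
    to_zone: str
    applications: tuple   # ("any",) marks a legacy port-based rule
    services: tuple       # explicit service objects, or ("application-default",)
    hit_count_30d: int    # sessions matched during the 30-day monitoring window
    bytes_30d: int        # bytes carried during the same window
    apps_seen: tuple      # App-IDs actually observed on the rule's traffic


RULES = (
    Rule("Web Access", "untrust", ("any",), ("service-http", "service-https"),
         120_000, 8_000_000_000,
         ("web-browsing", "ssl", "youtube-base", "dropbox", "facebook-base")),
    Rule("DNS Out", "untrust", ("any",), ("service-dns-53",),
         50_000, 40_000_000, ("dns",)),
    Rule("DB Access", "dmz", ("any",), ("service-mssql-1433",),
         3_000, 900_000_000, ("mssql-db", "ms-ds-smb")),
    Rule("Legacy FTP", "dmz", ("any",), ("service-ftp-21",), 0, 0, ()),
    Rule("Admin SSH", "dmz", ("ssh",), ("application-default",),
         500, 2_000_000, ("ssh",)),
)

PERIMETER_ZONE = "untrust"   # assumption: the zone facing the internet


def is_port_based(rule):
    """A legacy rule matches application 'any' on an explicit service/port."""
    return "any" in rule.applications and "application-default" not in rule.services


def unused_rules(rules):
    """Rules with zero hits over the monitoring window: delete these first."""
    return [r for r in rules if r.hit_count_30d == 0]


def prioritize(rules):
    """Rank port-based rules that did carry traffic. Perimeter rules come
    first, then the rules that saw the most distinct applications (the
    broadest implicit allow, hence the most risk), then by volume."""
    candidates = [r for r in rules if is_port_based(r) and r.hit_count_30d > 0]
    return sorted(
        candidates,
        key=lambda r: (r.to_zone != PERIMETER_ZONE, -len(r.apps_seen), -r.bytes_30d),
    )


def propose_app_id_rule(rule, sanctioned):
    """Draft the App-ID replacement: only observed applications that are on
    the sanctioned list, on their default ports. Observed-but-unsanctioned
    applications are returned separately for review instead of being allowed."""
    allowed = tuple(sorted(a for a in rule.apps_seen if a in sanctioned))
    review = tuple(sorted(a for a in rule.apps_seen if a not in sanctioned))
    draft = {
        "name": rule.name,
        "to": rule.to_zone,
        "application": allowed,
        "service": ("application-default",),
        "action": "allow",
    }
    return draft, review


if __name__ == "__main__":
    print("Unused (delete):", [r.name for r in unused_rules(RULES)])
    order = prioritize(RULES)
    print("Convert in this order:", [r.name for r in order])
    # Assumed sanctioned list for the perimeter web rule.
    draft, review = propose_app_id_rule(order[0], {"web-browsing", "ssl", "dropbox"})
    print("Draft App-ID rule:", draft)
    print("Observed but not sanctioned, review before allowing:", review)
```

The sort key encodes the guidance in the text: the outbound internet rule is handled first because it carries the most applications, and therefore the most risk, while a rule already written with specific applications and `application-default` is not a conversion candidate at all.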