Convert Internet Access Rules

Convert legacy port-based HTTP/HTTPS (port 80/443) internet access rules to application-based rules.
An internet access rule controls traffic on port 80 (HTTP) and port 443 (HTTPS). This rule usually sees the largest number of applications and the greatest amount of traffic in bytes. A port-based internet access rule may allow applications you don’t want on your network and expose it to attacks. Control and safely enable the applications you allow on those ports by converting the port-based internet access rule to a set of application-based rules. To do this, you need to understand which applications your company sanctions for business use and which applications your company tolerates for other purposes.
A good conversion method is to group applications that require similar treatment in the same rule instead of creating separate rules for each application to help prevent rulebase bloat. Use Policy Optimizer to sort the applications seen on a rule by application subcategory so you can see all the applications on a rule for a particular subcategory, select the applications your business uses, and then clone a rule to control those applications. Policy Optimizer offers many sorting and filtering options to organize and analyze applications seen on a rule.
Clone the rule instead of directly converting it to ensure application availability. Cloning a rule retains the original port-based rule and places the cloned application-based rule directly above the port-based rule in the Security rulebase. Create different internet access rules from the original port-based rule for groups of applications you want to treat differently, without risking application availability. Easily see which applications match the cloned rule and which applications filter through to the original port-based rule and then adjust the rules as needed. When no applications you want to allow match the port-based rule for a long enough period of time to be confident that you’ve accounted for all the applications the business requires, you can disable (or delete) the port-based rule, which finishes the conversion without risking application availability.
Use the same method to convert other rules that have seen more than a few well-known applications. Use
Policies
Security
Policy Optimizer
No App Specified
information to help prioritize which rules to convert after you convert the internet access rules. For example, you could prioritize based on a combination of most
Apps Seen
and most traffic over the last 30 days (
Traffic (Bytes, 30 days)
) to convert the most-used rules, or you could look at
Days with No New Apps
and the
Modified
date to find rules that have seen many applications but are also more stable.
This example shows you how to clone an application-based rule that controls general business applications from a port-based internet access rule. Use the same cloning process to create application-based rules safely for different subcatgories and individual applications seen on any port-based rule.
  1. Navigate to
    Policies
    Security
    Policy Optimizer
    No App Specfied
    and find the port-based rule(s) that control internet access.
    Use the filter
    (service/member eq ‘service-http’) and (service/member eq ‘service-https’)
    to find the port-based rule(s) configured with
    service-http
    and
    service-https
    , which is the internet access rule (or rules).
  2. Click
    Compare
    or the number of
    Apps Seen
    to open the
    Applications & Usage
    dialog.
  3. Sort
    Apps Seen
    by application subcategory to group similar applications that may be appropriate to control in the same Security policy rule.
    Sort by
    Subcategory
    to group the applications seen on the rule:
    You can also filter by a particular subcategory to see only the applications that belong to that subcategory. In this example, to create an App-ID based rule to control general-business applications, filter to view only the general business applications seen on the rule:
  4. Select the applications you want to allow and then
    Create Cloned Rule
    to clone the new application-based rule from the port-based rule.
    In this example, the company uses four of the applications but has not used one of the applications for a long period of time, which you can see in the
    Last Seen
    and
    Traffic (30 Days)
    columns. Based on usage and company-sanctioned applications, the company chooses not to allow the application that it isn’t using.
  5. In the
    Clone
    dialog, select the applications associated with each container app that you want to allow.
    Give the new rule a
    Name
    that describes its purpose—in this example, general-business-apps. Decide if you want to allow only specific applications from each container app or if you want to allow the container app. Allowing the container app allows all of the applications in the container. This future-proofs the rule by automatically allowing new applications if they are added to the container app, which helps ensure application availability. By default, all of the applications are selected. The container apps are shaded gray, applications that have been seen on the rule are shaded green, and applications in the container app that haven’t been seen on the rule are italicized and not shaded.
    In this example’s illustration, you can see the gray-shaded container apps “adobe-creative-cloud” and “windows-azure”, applications seen on the rule in green (“adobe-creative-cloud-base” and “windows-azure-base”), and two applications that have not been seen on the rule in italics (“adobe-creative-cloud-uploading” and “azure-log-analytics”). The example shows that the application “adobe-creative-cloud-uploading” is deselected, which also automatically deselects its container app (“adobe-creative-cloud”) while all of the “windows-azure” applications remain selected, so the “windows-azure” container app remains selected.
    Deselect an application if you don’t want users to have access to that particular application. However, if new applications are added to the “adobe-creative-cloud” container app, the firewall will not automatically allow them because the container app is deselected. Conversely, if new applications are added to the “windows-azure” container app, the firewall will automatically allow them, which future-proofs the rule.
  6. Click
    OK
    to return to the Security policy rule Usage tab and then click
    OK
    again to create the rule. The firewall places the rule above the port-based rule in the Security policy rulebase (
    Policies
    Security
    ).
    If you select a container app, Policy Optimizer adds only the container app to the rule because the container app includes all of the applications. The red gear for “adobe-creative-cloud-base” indicates that it is an individual application, not a container app.
  7. Click the rule
    Name
    or a
    Service
    and change the
    Service
    to
    application-default
    to prevent evasive applications from gaining access on a non-standard port.
  8. Whenever you need to allow other sanctioned general business applications, add them to the general-business-apps rule, and remove applications from the rule if you no longer use them.

Recommended For You