Safely Enable Applications Using a Phased Transition
Migrate to App-ID based Security policy in stages to
reduce the attack surface and improve network security.
The weaknesses of port-based Security policy are well known: a
port-based rule sees only the port, not the application using it, so
any application, including a malicious one, can enter your network on
an open port such as TCP 80 (HTTP) or UDP 53 (DNS). That makes it easier
for attackers to install malware, move laterally through the network,
and exfiltrate data, because you have no visibility into the applications
on your network and no way to inspect their traffic for the threats
it conceals.
In contrast, application-based Security policy using App-ID™ identifies
applications regardless of port, protocol, encryption (SSL
or SSH), or evasive tactics, so you know which applications
are on your network and you can inspect their traffic for threats.
(App-ID classifies an encrypted session as ssl or ssh and can often name
the application inside it from handshake metadata, but to inspect the
payload for threats the session must be decrypted, so plan Decryption
policy alongside the App-ID migration.)
Application-specific policies enable safe access: you configure
Security policy rules that allow only the right users
to access the right applications in the right places, and you
attach threat prevention profiles to those rules. Classifying traffic
with App-ID reduces the attack surface because you allow only the
applications the business requires, and the rules no longer admit
unwanted applications that happen to use the same ports. Allowing what you
want and blocking everything else is much easier and safer than
the endless task of blocking each unwanted application individually.
Migrate to App-ID in phases:
1. Use Expedition to import a legacy rulebase, clean it up, and achieve
a like-for-like migration to a Palo Alto Networks next-generation firewall
or Panorama appliance. Expedition is distributed as a virtual machine (VM).
2. Run the PAN-OS firewall or appliance in your production network, with
traffic logging enabled on the port-based rules, so it can learn and
categorize the applications on your network. Policy Optimizer works from
traffic logs, so a rule that does not log its sessions yields no
application usage data.
3. After at least one week of logging traffic, run the Best Practice
Assessment (BPA) to set a baseline, and then use Policy Optimizer to
begin safely converting port-based rules to application-based rules.
You can convert some simple rules that allow well-known applications
after about a week; for rules that see many applications, such as a
general outbound internet access rule, wait at least 30 days to gather
application information. Convert the rules in phases according to your
business needs and priorities.
4. (Optional) After you use Policy Optimizer to convert the rulebase to
App-ID, reimport the configuration into Expedition and use the Rule
Enrichment features to further simplify and refine the rulebase.
5. Maintain the App-ID deployment as you introduce new applications
to your network. Run the BPA after the first conversion pass through
the port-based rules and periodically thereafter to measure progress
and discover other areas to improve security.
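The learning-and-conversion steps above, as an added example that is not Palo Alto Networks code: a small Python model of what Policy Optimizer does with the traffic logs a port-based rule accumulates. It tallies the applications each rule actually admitted, applies the one-week versus 30-day waiting rule, and proposes the App-ID replacement, listing what the conversion would drop (for example bittorrent riding on TCP 80). The log columns, rule names, sessions, business-application sets, and the cut-off for a "simple" rule are constructed assumptions, not the real traffic-log export.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample traffic log. The column set is an assumption made for
# this example (a few fields of the kind a PAN-OS traffic log carries), not
# the real export format; rule names and sessions are invented.
SAMPLE_TRAFFIC_LOG = """\
receive_time,rule,app,dst_port,proto,action
2024-03-01 08:00:01,allow-web-out,web-browsing,80,tcp,allow
2024-03-01 08:00:05,allow-web-out,ssl,443,tcp,allow
2024-03-01 08:01:00,allow-web-out,bittorrent,80,tcp,allow
2024-03-02 09:12:42,allow-web-out,web-browsing,80,tcp,allow
2024-03-02 09:13:10,allow-web-out,ms-update,80,tcp,allow
2024-03-03 10:00:00,allow-web-out,ssl,443,tcp,allow
2024-03-03 10:05:00,allow-dns,dns,53,udp,allow
2024-03-04 11:00:00,allow-dns,dns,53,udp,allow
2024-03-05 12:00:00,allow-dns,dns,53,udp,allow
2024-03-05 12:30:00,allow-dns,unknown-udp,53,udp,allow
2024-03-05 13:00:00,deny-all,smtp,25,tcp,deny
"""

# Thresholds taken from the guidance above: simple rules after about a
# week, rules that see many applications after at least 30 days. The
# cut-off for "simple" (SIMPLE_RULE_MAX_APPS) is an assumption.
SIMPLE_RULE_MAX_APPS = 3
MIN_DAYS_SIMPLE = 7
MIN_DAYS_COMPLEX = 30


def applications_per_rule(log_text):
    """Return {rule: Counter(app -> sessions)} for allowed sessions only.

    Denied sessions say nothing about what a rule lets through, so they
    are skipped; that is why the deny-all rule never appears in the result.
    """
    per_rule = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] == "allow":
            per_rule[row["rule"]][row["app"]] += 1
    return dict(per_rule)


def days_observed(log_text):
    """Number of distinct calendar days the log sample covers."""
    return len({row["receive_time"][:10]
                for row in csv.DictReader(io.StringIO(log_text))})


def propose_app_rule(rule, apps_seen, observed_days, business_apps):
    """Suggest the App-ID replacement for one port-based rule.

    business_apps is the set of applications the business needs on this
    rule; a human supplies it (constructed here). Every other application
    the port-based rule currently admits is listed under
    blocked_after_conversion so the reviewer sees what the change drops.
    Applications App-ID could not name (unknown-tcp, unknown-udp) are
    never put on the allow list: they need investigation first.
    """
    keep = sorted(a for a in apps_seen
                  if a in business_apps and not a.startswith("unknown-"))
    blocked = sorted(a for a in apps_seen if a not in keep)
    needed = (MIN_DAYS_SIMPLE if len(apps_seen) <= SIMPLE_RULE_MAX_APPS
              else MIN_DAYS_COMPLEX)
    return {
        "rule": rule,
        "application": keep,
        # application-default also pins each allowed app to its standard
        # ports, so web-browsing on tcp/8080 would no longer match either.
        "service": "application-default",
        "blocked_after_conversion": blocked,
        "days_needed": needed,
        "ready_to_convert": observed_days >= needed,
    }


def review_rulebase(log_text, business_apps_by_rule):
    """Run the proposal for every rule that has allowed sessions."""
    days = days_observed(log_text)
    return {rule: propose_app_rule(rule, apps, days,
                                   business_apps_by_rule.get(rule, set()))
            for rule, apps in applications_per_rule(log_text).items()}


if __name__ == "__main__":
    # Constructed business requirements for the two port-based rules.
    needs = {"allow-web-out": {"web-browsing", "ssl", "ms-update"},
             "allow-dns": {"dns"}}
    for name, proposal in review_rulebase(SAMPLE_TRAFFIC_LOG, needs).items():
        print(name, proposal)
```

With the five days of constructed logs neither rule is ready: allow-dns saw two applications and needs a week, allow-web-out saw four and needs 30 days. The proposal keeps the unknown-udp sessions on the DNS rule out of the allow list even when someone adds them to the business set, which is the check you want before an App-ID rule is committed.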
Policy Optimizer is available starting with PAN-OS 9.0.
If you use Panorama to manage your next-generation firewalls, you
don’t have to upgrade managed firewalls to PAN-OS 9.0 to use Policy
Optimizer. You only need to upgrade Panorama to PAN-OS 9.0, send
traffic logs from the managed firewalls to Panorama or Log Collectors
running PAN-OS 9.0, and push policy from Panorama to the firewalls.
Managed firewalls need to run PAN-OS 8.1 or later, and if they connect
to Log Collectors, the Log Collectors must run PAN-OS 9.0. This
provides a fast path for qualification so you can use Policy Optimizer
to adopt policy based on App-ID quickly.
Strata Logging Service
supports Policy Optimizer for Panorama devices that run PAN-OS
10.0.4 or later with Cloud Services plugin 2.0 or later.
PA-7000
Series Firewalls support two logging cards, the PA-7000 Series Firewall
Log Processing Card (LPC) and the high-performance PA-7000 Series
Firewall Log Forwarding Card (LFC). Unlike the LPC, the LFC does
not have disks to store logs locally. Instead, the LFC forwards
all logs to one or more external logging systems, such as Panorama
or a syslog server. If you use the LFC, the application usage information
for Policy Optimizer does not display on the firewall because the traffic
logs are not stored locally; use Policy Optimizer on the Panorama that
receives the forwarded logs instead. If you use the LPC, the traffic logs
are stored locally on the firewall, so the application usage information
for Policy Optimizer displays on the firewall. In both cases, the
PA-7000 firewall can run PAN-OS 8.1 (or later) as long as the Log
Collectors and Panorama run PAN-OS 9.0 or later.