1. Home
    2. Best Practices
    3. Data Center Best Practice Security Policy
    4. Data Center Best Practice Security Policy
    5. Log and Monitor Data Center Traffic
    6. Monitor Data Center Block Rules and Tune the Rulebase

    Monitor Data Center Block Rules and Tune the Rulebase

    Monitor traffic that you explicitly block so that you can investigate potential attacks and evaluate whether you should allow any of the blocked traffic.
    Developing a best practice security policy is an iterative process. As soon as you Create Data Center Traffic Block Rules, start monitoring traffic that matches the block rules designed to identify policy gaps, unexpected behaviors, and potential attacks. Tune your application allow rules to account for traffic that matches the block rules but should be allowed and investigate traffic that may indicate an attack.
    Reports on blocked traffic contain valuable information you can use to investigate potential issues. Keep the block rules in the rulebase to protect your valuable data center assets and provide that information when traffic matches a block rule.
    Follow content update best practices to keep your firewall protection up-to-date. Maintain the Data Center Best Practice Rulebase includes specific best practices for data center firewalls.
    1. Create custom reports to monitor traffic that matches the block rules designed to identify policy gaps and potential attacks.
      1. Select
        Monitor
        Manage Custom Reports
        .
      2. Add
         a report and give it a
        Name
         that describes the report’s purpose, in this example
        DC Best Practice Policy Tuning
        .
      3. Set the
        Database
         to
        Traffic Summary
        . This also changes the
        Available Columns
         options.
      4. From
        Available Columns
        , add
        Source Zone
        ,
        Destination Zone
        ,
        Sessions
        ,
        Bytes
        ,
        Application
        ,
        Risk of App
        ,
        Rule
        , and
        Threats
         to the
        Selected Columns
         list. If there are other types of information you want to monitor, select those as well.
      5. Select the
        Scheduled
         box.
      6. Set the desired
        Time Frame
        ,
        Sort By
        , and
        Group By
         values. In this example we set the
        Time Frame
         to
        Last 7 Days
        , the
        Sort By
         to
        Apps
        , and the
        Group By
         to
        App Sub Category
        .
      7. Define the query to match traffic hitting the rules designed to find policy gaps and potential attacks. You can create a single report for traffic that matches any of the rules using the
        or
         operator, or create individual reports to monitor each rule. In the
        Query Builder
        , specify the name of each rule you want to include in the report. This example uses the six blocking rules and uses the
        Or
         operator to include information about traffic that matches any of the rules:
        • (rule eq ‘Discover-Unknown-Users’)
        • (rule eq ‘Block-Bad-Apps’)
        • (rule eq ‘Unexpected-App-from-User-Zone’)
        • (rule eq ‘Unexpected-App-from-Any-Zone’)
        • (rule eq ‘Unexpected-User-App-Any-Port’)
        • (rule eq ‘Unexpected-App-Any-Port’)
    2. Review the report (or reports) regularly to make sure you understand why traffic matches each block rule and either update policy to include legitimate applications and users, or use the information to assess the risk of traffic that matches the rules.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo