As conditions in your data center change, update the
Security policy rulebase accordingly. Modify rules to control new
and modified applications, protect new servers and other devices,
and account for user feedback about application availability.

Applications constantly evolve, so your application
whitelist needs to evolve with them. Because the best practice rules
leverage policy objects to simplify administration, adding support
for a new application or removing an application from your whitelist
typically means modifying the corresponding application group or
application filter accordingly.

Installing new and modified
App-IDs included in a content release version can also cause changes in
policy enforcement for those applications. Before installing a new
content release, review the policy impact for new and modified App-IDs
and stage any necessary policy updates. Assess the treatment an application
receives both before and after you install the new content update.
new and modified App-IDs from a downloaded content release, modify
existing Security policy rules to accommodate the App-ID changes.
This enables you to simultaneously update your security policy rules
and install new content so that the shift in policy enforcement
is seamless. Alternatively, you can choose to disable new and modified
App-IDs when installing a new content release version; this enables
protection against the latest threats, while giving you the flexibility
to enable those App-IDs after you've had the chance to prepare any

Other ways to maintain the best practice rulebase

User feedback about applications they can no longer access
may identify gaps in the rulebase or risky applications that were
in use on your network before positive enforcement prevented their

Compare the asset inventory list you created when you assessed
your data center to the assets themselves and ensure that those assets
are protected appropriately.

Use Palo Alto Networks logging and monitoring tools such as the Application Command Center (ACC) to find
and investigate unexpected activity, which may indicate a misconfigured
or missing rule. Run reports periodically to confirm that the
level of security you intend to apply is actually being applied.

Disabling new App-IDs allows you to benefit immediately
from protection against the latest threats while having the flexibility
to enable App-IDs later, after preparing necessary policy updates.
You can disable all App-IDs introduced in a content release, set
scheduled content updates to automatically disable new App-IDs,
or disable App-IDs for specific applications.

Prepare policy updates to account for
App-ID changes included in a content release or to add new sanctioned
applications to or remove applications from your whitelist rules.
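The policy-impact review described above, and the policy updates staged in the last step, as an added Python example that is not from Palo Alto Networks documentation or PAN-OS itself: it models a top-down rulebase built from an application group and an application filter, then reports, for each App-ID in a constructed content release, which rule matched that traffic before the install and which rule matches after. The rule names, object names, App-IDs, categories and risk values are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class AppID:
    name: str
    category: str
    risk: int
    was: str = ""  # App-ID that identified this traffic before the release ("" = brand new)

@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    apps: set = field(default_factory=set)        # explicit App-IDs / application-group members
    filters: list = field(default_factory=list)   # application filters: {"category", "max_risk"}

    def matches(self, app: AppID) -> bool:
        return app.name in self.apps or any(
            f["category"] == app.category and app.risk <= f["max_risk"] for f in self.filters)

def first_match(rules, app):
    # The rulebase is evaluated top-down; no match is the implicit deny of positive enforcement.
    return next((r for r in rules if r.matches(app)), None)

def verdict(rule):
    return (rule.name, rule.action) if rule else (None, "deny")

def policy_impact(rules, catalog, release):
    # For each new/modified App-ID, the matching rule before and after the content install.
    report = {}
    for app in release:
        before = verdict(first_match(rules, catalog[app.was]) if app.was else None)
        after = verdict(first_match(rules, app))
        report[app.name] = {"before": before, "after": after, "changed": before != after}
    return report

# Constructed sample rulebase (hypothetical rule and object names); implicit deny follows it.
RULES = [
    Rule("allow-dc-web", "allow", apps={"web-browsing", "ssl"}),
    Rule("allow-dc-collab", "allow", filters=[{"category": "collaboration", "max_risk": 3}]),
]
CATALOG = {"web-browsing": AppID("web-browsing", "general-internet", 4)}
# Constructed content release: two new App-IDs whose traffic used to be identified as web-browsing.
RELEASE = [AppID("acme-chat", "collaboration", 4, was="web-browsing"),
           AppID("acme-wiki", "collaboration", 2, was="web-browsing")]

if __name__ == "__main__":
    for name, row in policy_impact(RULES, CATALOG, RELEASE).items():
        print(name, row)
```

An App-ID whose verdict moves from an allow rule to the implicit deny is the case to stage an application-group or filter change for before installing the release, or to leave disabled until that change is ready.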