Maintain the Data Center Best Practice Rulebase

As conditions in your data center change, update the Security policy rulebase accordingly. Modify rules to control new and modified applications, protect new servers and other devices, and account for user feedback about application availability.
Applications constantly evolve, so your application whitelist needs to evolve with them. Because the best practice rules leverage policy objects to simplify administration, adding support for a new application or removing an application from your whitelist typically means modifying the corresponding application group or application filter accordingly.
Installing new and modified App-IDs included in a content release version can also cause changes in policy enforcement for those applications. Before installing a new content release, review the policy impact for new and modified App-IDs and stage any necessary policy updates. Assess the treatment an application receives both before and after you install the new content update. Before you install new and modified App-IDs from a downloaded content release, modify existing Security policy rules to accommodate the App-ID changes. This enables you to simultaneously update your security policy rules and install new content so that the shift in policy enforcement is seamless. Alternatively, you can choose to disable new and modified App-IDs when installing a new content release version; this enables protection against the latest threats, while giving you the flexibility to enable those App-IDs after you've had the chance to prepare any policy changes.
Other ways to maintain the best practice rulebase include:
  • Use Palo Alto Networks Assessment and Review Tools to identify gaps in security coverage.
  • User feedback about applications they can no longer access may identify gaps in the rulebase or risky applications that were in use on your network before positive enforcement prevented their use.
  • Compare the asset inventory list you created when you assessed your data center to the assets themselves and ensure that those assets are protected appropriately.
  • Use Palo Alto Networks logging and monitoring tools such as the Application Command Center (ACC) to find and investigate unexpected activity, which may indicate a misconfigured or missing rule. Run reports periodically to check that the level of security you want to apply is applied.
  1. Before installing a new content release version, review new and modified App-IDs to determine if there is policy impact.
  2. Either modify the existing security policy rules to accommodate the App-ID changes in a content release or disable the new App-IDs introduced in the content release.
    Disabling new App-IDs allows you to benefit immediately from protection against the latest threats while having the flexibility to enable App-IDs later, after preparing necessary policy updates. You can disable all App-IDs introduced in a content release, set scheduled content updates to automatically disable new App-IDs, or disable App-IDs for specific applications.
  3. Prepare policy updates to account for App-ID changes included in a content release or to add new sanctioned applications to or remove applications from your whitelist rules.
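As an added example (not Palo Alto Networks code or tooling), the following Python models the review described in steps 1 through 3 and in the content-update paragraph above: it resolves nested application groups, finds the first-match rule for the App-ID an application's traffic is identified as today and for its new App-ID, flags the applications whose action would change, and stages the group change that sanctions a new application. The rules, groups and release notes are constructed, and the rulebase model is simplified (first match wins; zones, users and services are ignored).

```python
# Added example (not Palo Alto Networks code): stage a content release by checking which
# rule each new or modified App-ID hits before and after it is installed. The model is
# simplified (ordered rules listing App-IDs, application groups or "any"; first match
# wins; zones, users and services omitted). All groups, rules and notes are constructed.
from typing import Dict, List

# Constructed application groups; groups may nest.
APP_GROUPS: Dict[str, List[str]] = {
    "dc-web-apps": ["web-browsing", "ssl", "dc-internal-apps"],
    "dc-internal-apps": ["ms-sql-db", "ldap"]}

# Constructed ordered rulebase (top to bottom is evaluation order).
RULEBASE: List[dict] = [
    {"name": "allow-dc-web", "applications": ["dc-web-apps"], "action": "allow"},
    {"name": "allow-admin-ssh", "applications": ["ssh"], "action": "allow"},
    {"name": "deny-all", "applications": ["any"], "action": "deny"}]

# Constructed release notes: new App-ID -> App-ID its traffic was identified as until now.
APPID_CHANGES: Dict[str, str] = {
    "acme-dashboard": "web-browsing",  # split out of web-browsing, which is allowed today
    "acme-sync": "unknown-tcp"}        # previously unidentified, already denied today

def expand(members: List[str], groups: Dict[str, List[str]]) -> set:
    """Flatten (possibly nested) application groups into the set of App-IDs they hold."""
    return set().union(*(expand(groups[m], groups) if m in groups else {m} for m in members))

def first_match(app: str, rulebase: List[dict], groups: Dict[str, List[str]]) -> dict:
    """Return the first rule whose application list covers `app` (first match wins)."""
    for rule in rulebase:
        apps = expand(rule["applications"], groups)
        if "any" in apps or app in apps:
            return rule
    raise LookupError(f"no rule matches {app}; a best-practice rulebase ends in deny-all")

def policy_impact(changes=APPID_CHANGES, rulebase=RULEBASE, groups=APP_GROUPS) -> Dict[str, dict]:
    """Per changed App-ID, report the rule and action before and after the content install."""
    report = {}
    for new_app, old_app in changes.items():
        before, after = first_match(old_app, rulebase, groups), first_match(new_app, rulebase, groups)
        report[new_app] = {"before": (before["name"], before["action"]),
                           "after": (after["name"], after["action"]),
                           "needs_update": before["action"] != after["action"]}
    return report

def sanction(app: str, group: str, groups=APP_GROUPS) -> Dict[str, List[str]]:
    """Staged policy update: add a sanctioned App-ID to an application group (copy, not in place)."""
    staged = {name: list(members) for name, members in groups.items()}
    staged[group].append(app)
    return staged
```

Running `policy_impact()` shows acme-dashboard flipping from allow to deny on install while acme-sync stays denied; `policy_impact(groups=sanction("acme-dashboard", "dc-web-apps"))` shows the staged group change restoring access before the content release is installed.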
