1. Home
    2. Best Practices
    3. Internet Gateway Best Practice Security Policy
    4. Best Practice Internet Gateway Security Policy
    5. Define the Initial Internet Gateway Security Policy
    6. Step 2: Create the Application Whitelist Rules
    End-of-Life (EoL)

    Step 2: Create the Application Whitelist Rules

    After you Identify Whitelist Applications you are ready to create the next part of the best practice internet gateway security policy rulebase: the application whitelist rules. Every whitelist rule you create must allow traffic based on application (not port) and, with the exception of certain infrastructure applications that require user access before the firewall can identify the user, must only allow access to known users. Whenever possible, Create User Groups for Access to Whitelist Applications so that you can limit user access to the specific users or user groups who have a business need to access the application.
    When creating the application whitelist rules, make sure to place more specific rules above more general rules. For example, the rules for all of your sanctioned and infrastructure applications would come before the rules that allow general access to certain types of business and personal applications. This first part of the rulebase includes the allow rules for the applications you identified as part of your application whitelist:
    • Sanctioned applications you provision and administer for business and infrastructure purposes
    • General business applications that your users may need to use in order to get their jobs done
    • General applications you may choose to allow for personal use
    Every application whitelist rule also requires that you attach the best practice security profiles to ensure that you are scanning all allowed traffic for known and unknown threats. If you have not yet created these profiles, then Create Best Practice Security Profiles for the Internet Gateway. And, because you can’t inspect what you can’t see, you must also make sure you have configured the firewall to Decrypt Traffic for Full Visibility and Threat Inspection.
    1. Allow access to your corporate DNS servers.
      Why do I need this rule?
      Rule Highlights
      • Access to DNS is required to provide network infrastructure services, but it is commonly exploited by attackers.
      • Allowing access only on your internal DNS server reduces your attack surface.
      • Because this rule is very specific, place it at the top of the rulebase.
      • Create an address object to use for the destination address to ensure that users only access the DNS server in your data center.
      • Because users will need access to these services before they are logged in, you must allow access to any user.
    2. Allow access to other required IT infrastructure resources.
      Why do I need this rule?
      Rule Highlights
      • Enable the applications that provide your network infrastructure and management functions, such as NTP, OCSP, STUN, and ping.
      • While DNS traffic allowed in the preceding rule is restricted to the destination address in the data center, these applications may not reside in your data center and therefore require a separate rule.
      • Because these applications run on the default port, allow access to any user (users may not yet be a known-user because of when these services are needed), and all have a destination address of any, contain them in a single application group and create a single rule to enable access to all of them.
      • Users may not have logged in yet at the time they need access to the infrastructure applications, so make sure this rule allows access to any user.
    3. Allow access to IT sanctioned SaaS applications.
      Why do I need this rule?
      Rule Highlights
      • With SaaS applications, your proprietary data is in the cloud. This rule ensures that only your known users have access to these applications (and the underlying data).
      • Scan allowed SaaS traffic for threats.
    4. Allow access to IT provisioned on-premise applications.
      Why do I need this rule?
      Rule Highlights
      • Business-critical data center applications are often leveraged in attacks during the exfiltration stage, using applications such as FTP, or in the lateral movement stage by exploiting application vulnerabilities.
      • Many data center applications use multiple ports; setting the Service to application-default safely enables the applications on their standard ports. You should not allow applications on non-standard ports because it is often associated with evasive behavior.
    5. Allow access to applications your administrative users need.
      Why do I need this rule?
      Rule Highlights
      • Because administrators often need access to sensitive account data and remote access to other systems (for example RDP), you can greatly reduce your attack surface by only allowing access to the administrators who have a business need.
      • This rule restricts access to users in the IT_admins group.
      • Create a custom application for each internal application or application that runs on non-standard ports so that you can enforce them on their default ports rather than opening additional ports on your network.
      • If you have different user groups for different applications, create separate rules for granular control.
    6. Allow access to general business applications.
      Why do I need this rule?
      Rule Highlights
      • Beyond the applications you sanction for use and administer for your users, there are a variety of applications that users may commonly use for business purposes, for example to interact with partners, such as WebEx, Adobe online services, or Evernote, but which you may not officially sanction.
      • Because malware often sneaks in with legitimate web-based applications, this rule allows you to safely allow web browsing while still scanning for threats. See Create Best Practice Security Profiles for the Internet Gateway.
    7. (
      Optional
      ) Allow access to personal applications.
      Why do I need this rule?
      Rule Highlights
      • As the lines blur between work and personal devices, you want to ensure that all applications your users access are safely enabled and free of threats.
      • By using application filters, you can safely enable access to personal applications when you create this initial rulebase. After you assess what applications are in use, you can use the information to decide whether to remove the filter and allow a smaller subset of personal applications appropriate for your acceptable use policies.
    8. Allow general web browsing.
      Why do I need this rule?
      Rule Highlights
      • Use the same best practice security profiles as the other rules, except the Best Practice Internet Gateway File Blocking Profile profile, which is more stringent because general web browsing traffic is more vulnerable to threats.
      • Allow only known users, to prevent devices with malware or embedded devices from reaching the internet.
      • Use application filters to allow access to general types of applications.
      • Explicitly allow SSL as an application to allow users to browse to HTTPS sites that are excluded from decryption.
      • Set the Service to
        service-http
         and
        service-https
         to allow decrypted SSL traffic on TCP port 443.
        This allows web browsing (decrypted SSL traffic in cleartext) on TCP port 443, which is why you need tight URL Filtering and File Blocking profiles in addition to the other strict best practice Security profiles.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo