Step 4: Create the Temporary Tuning Rules

The temporary tuning rules are explicitly designed to help you monitor the initial best practice rulebase for gaps and to alert you to alarming behavior. For example, you will create temporary rules to identify traffic that comes from unknown users or from applications running on unexpected ports. By monitoring the traffic that matches the temporary rules you also gain a full understanding of all of the applications in use on your network (and prevent applications from breaking while you transition to a best practice rulebase). You can use this information to fine-tune your whitelist, either by adding new whitelist rules to allow applications you weren't aware were needed, or by narrowing your whitelist rules to remove application filters and instead allow only the specific applications in a particular category that you need. When traffic is no longer hitting these rules, you can Remove the Temporary Rules.
Some of the temporary tuning rules must go above the rules that block bad applications and some must go after them, so that the targeted traffic hits the appropriate rule while bad traffic is still never allowed onto your network. Security policy is evaluated top-down and the first matching rule wins, so a temporary rule placed below a broader rule will never see traffic, and a broad temporary allow rule placed above a block rule will let the blocked applications through.
  1. Allow web-browsing and SSL on non-standard ports for known users to determine if there are any legitimate applications running on non-standard ports.
    Rule Highlights
    • This rule helps you determine if you have any gaps in your policy where users are unable to access legitimate applications because they are running on non-standard ports.
    • You must monitor all traffic that matches this rule. For any traffic that is legitimate, tune the appropriate allow rule to include the application, creating a custom application where appropriate.
    • Unlike the whitelist rules that allow applications on the default port only, this rule allows web-browsing and SSL traffic on any port so that you can find gaps in your whitelist.
    • Because this rule is intended to find gaps in policy, limit it to known users on your network. See Create User Groups for Access to Whitelist Applications.
    • Make sure you also explicitly allow SSL as an application in this rule if you want users to be able to browse to HTTPS sites that you do not decrypt (such as financial services and healthcare sites).
    • You must add this rule above the application block rules, or no traffic will hit it.
    [Figure: bp-unexpected-port.png]
  2. Allow web-browsing and SSL traffic on non-standard ports from unknown users to highlight all unknown users regardless of port.
    Rule Highlights
    • This rule helps you determine whether you have gaps in your User-ID coverage.
    • This rule also helps you identify compromised or embedded devices that are trying to reach the internet.
    • Non-standard port usage, even for web-browsing traffic, is commonly an evasion technique, so this rule is temporary: once you have identified the legitimate traffic it catches, non-standard port usage should be blocked rather than allowed.
    • While the majority of the application whitelist rules apply to known users or specific user groups, this rule explicitly matches traffic from unknown users.
    • This rule must go above the application block rules or traffic will never hit it.
    • Because it is an allow rule, you must attach the best practice security profiles to scan for threats.
    [Figure: bp-unknown-user.png]
  3. Allow all applications on the application-default port to identify unexpected applications.
    Rule Highlights
    • This rule provides visibility into applications that you weren’t aware were running on your network so that you can fine-tune your application whitelist.
    • Monitor all traffic matching this rule to determine whether it represents a potential threat, or whether you need to modify your whitelist rules to allow the traffic.
    • Because this rule allows all applications, you must add it after the application block rules to prevent bad applications from running on your network.
    • If you are running PAN-OS 7.0.x or earlier, to appropriately identify unexpected applications you must create an application filter that includes all applications, instead of setting the rule to allow any application.
    [Figure: bp-unexpected-traffic.png]
  4. Allow any application on any port to identify applications running where they shouldn’t be.
    Rule Highlights
    • This rule helps you identify legitimate, known applications running on unknown ports.
    • This rule also helps you identify unknown applications for which you need to create a custom application to add to your application whitelist.
    • Any traffic matching this rule is actionable: track down the source of the traffic and make sure that you are not allowing any unknown-tcp, unknown-udp or non-syn-tcp traffic.
    • Because this is a very general rule that allows any application from any user on any port, it must come at the end of your rulebase.
    • Enable logging for traffic matching this rule so that you can investigate for misuse of applications and potential threats on your network or identify legitimate applications that require a custom application.
    [Figure: bp-unexpected-port-usage.png]
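The following is an added example, not Palo Alto Networks code, that models the four temporary rules above as a first-match rulebase and checks the ordering constraints the steps describe. The rule names, the membership of the application filter behind the block rule, the default-port table, the treatment of applications without a default port, and the sample sessions are all constructed assumptions; the point it demonstrates is which rule a session lands on and how a misplaced temporary rule either never sees traffic (it is shadowed) or lets blocked applications through (it overlaps a deny rule below it).

```python
"""First-match rulebase simulator for the temporary tuning rules (added example,
not PAN-OS code). Rule names, the bad-application filter, the default-port table
and the matching logic are simplified assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed subset of App-ID default ports (assumption, not an authoritative table).
DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "dns": {53}, "smtp": {25}, "bittorrent": {6881}}
# Constructed stand-in for the application filter that the block rule uses.
BAD_APPS = frozenset({"bittorrent", "tor", "ultrasurf"})
WEB_APPS = frozenset({"web-browsing", "ssl"})


@dataclass(frozen=True)
class Session:
    known_user: bool  # False when User-ID has no mapping for the source ("unknown" user)
    app: str          # App-ID result, e.g. "web-browsing" or "unknown-tcp"
    port: int         # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "deny"
    user: str = "any"                      # "any", "known" or "unknown"
    apps: Optional[frozenset] = None       # None means any application
    service: str = "application-default"   # or "any"
    profiles: bool = False                 # best-practice security profiles attached

    def matches(self, s: Session) -> bool:
        if self.user == "known" and not s.known_user:
            return False
        if self.user == "unknown" and s.known_user:
            return False
        if self.apps is not None and s.app not in self.apps:
            return False
        if self.service == "application-default":
            # Assumption: apps with no default port (unknown-tcp, ...) never match application-default.
            return s.port in DEFAULT_PORTS.get(s.app, set())
        return True  # service "any": every port

    def covers(self, other: "Rule") -> bool:
        """Every session `other` could match is also matched by self (full shadow)."""
        user_ok = self.user in ("any", other.user)
        apps_ok = self.apps is None or (other.apps is not None and other.apps <= self.apps)
        svc_ok = self.service == "any" or other.service == "application-default"
        return user_ok and apps_ok and svc_ok

    def overlaps(self, other: "Rule") -> bool:
        """Some session matches both rules (partial shadow)."""
        user_ok = "any" in (self.user, other.user) or self.user == other.user
        apps_ok = self.apps is None or other.apps is None or bool(self.apps & other.apps)
        return user_ok and apps_ok  # default ports are a subset of "any", so services always overlap


# Best-practice order from the steps above: steps 1 and 2 above the block rule,
# step 3 below it, step 4 last. Rule names are hypothetical.
WHITELIST = Rule("allow-web-known-users", "allow", user="known", apps=WEB_APPS, profiles=True)
TMP_WEB_NONSTD_KNOWN = Rule("tmp-web-nonstd-port-known", "allow", user="known", apps=WEB_APPS, service="any", profiles=True)
TMP_WEB_UNKNOWN = Rule("tmp-web-unknown-users", "allow", user="unknown", apps=WEB_APPS, service="any", profiles=True)
BLOCK_BAD = Rule("block-bad-apps", "deny", apps=BAD_APPS, service="any")
TMP_ANY_APP_DEFAULT = Rule("tmp-any-app-default-port", "allow", profiles=True)
TMP_ANY_ANY = Rule("tmp-any-app-any-port", "allow", service="any", profiles=True)
BEST_PRACTICE_ORDER = [WHITELIST, TMP_WEB_NONSTD_KNOWN, TMP_WEB_UNKNOWN, BLOCK_BAD, TMP_ANY_APP_DEFAULT, TMP_ANY_ANY]


def first_match(rulebase: list, s: Session) -> Optional[Rule]:
    """Policy is evaluated top-down; the first matching rule wins."""
    for r in rulebase:
        if r.matches(s):
            return r
    return None  # falls through to the implicit interzone default deny


def shadowed_rules(rulebase: list) -> list:
    """(rule, earlier rule) pairs where the earlier rule hides the later one completely."""
    out = []
    for i, r in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if earlier.covers(r):
                out.append((r.name, earlier.name))
                break
    return out


def unsafe_allows(rulebase: list) -> list:
    """Allow rules placed above a deny rule whose traffic they would let through first."""
    return [e.name for i, r in enumerate(rulebase) if r.action == "deny"
            for e in rulebase[:i] if e.action == "allow" and e.overlaps(r)]


def triage(rulebase: list, sessions: list) -> dict:
    """Map each session to the rule it hits; hits on the last (any/any) rule or the
    unknown-user rule are the ones to investigate first."""
    return {s: (m.name if (m := first_match(rulebase, s)) else "default-deny") for s in sessions}


if __name__ == "__main__":
    samples = [  # constructed sessions, not real traffic
        Session(True, "web-browsing", 80),    # whitelist
        Session(True, "web-browsing", 8080),  # step 1: known user, non-standard port
        Session(False, "ssl", 443),           # step 2: unknown user, even on the default port
        Session(True, "bittorrent", 6881),    # block rule
        Session(True, "dns", 53),             # step 3: unexpected app on its default port
        Session(True, "unknown-tcp", 4444),   # step 4: actionable
    ]
    for s, rule in triage(BEST_PRACTICE_ORDER, samples).items():
        print(f"{s.app:>13} :{s.port:<5} user={'known' if s.known_user else 'unknown':7} -> {rule}")
    print(shadowed_rules([WHITELIST, TMP_ANY_ANY, TMP_WEB_NONSTD_KNOWN]))  # step 4 above step 1 shadows it
    print(unsafe_allows([WHITELIST, TMP_ANY_APP_DEFAULT, BLOCK_BAD]))      # step 3 above the block rule leaks bad apps
```

Run it as-is to see the rule each constructed session lands on in the recommended order, then reorder BEST_PRACTICE_ORDER to see `shadowed_rules` and `unsafe_allows` flag the mistakes the steps warn about. The `covers` check is deliberately strict (full coverage) because that is the condition under which a rule never sees traffic; `unsafe_allows` uses the weaker `overlaps` because even a partial overlap with a later deny rule lets some blocked traffic through.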
