Maintain the Rulebase
Because applications are always evolving, your application whitelist also needs to evolve. Each time you change which applications you sanction, you must make a corresponding policy change. As you do this, instead of simply adding a new rule as you would with a port-based policy, identify and modify the rule that aligns with the application’s business use case. Because the best practice rules leverage policy objects for simplified administration, adding support for a new application or removing an application from your whitelist typically means modifying the corresponding application group or application filter accordingly.
On Panorama or an individual firewall, use the policy rule hit counter to analyze changes to the rulebase. For example, when you add a new application, add the allow rule to the rulebase before you allow that application’s traffic on the network. If traffic hits the rule and increments the counter, either traffic that matches the rule is already on the network even though you haven’t activated the application, or the rule needs tuning. Follow up by checking the ACC > Threat Activity > Applications Using Non Standard Ports and the ACC > Threat Activity > Rules Allowing Apps On Non Standard Ports widgets to see if traffic on non-standard ports caused the unexpected rule hits.
The key to using the policy rule hit counter is to reset the counter when you make a change, such as introducing a new application or changing a rule’s meaning. Resetting the hit counter ensures that you see the result of the change, not results that include the change and events that happened before the change.
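The workflow just described (sanction a new application by editing its application group rather than adding a rule, reset the rule’s hit counter, then replay traffic to see which hits occurred after the reset and which arrived on non-standard ports) as an added Python model; this is example code, not PAN-OS or Palo Alto Networks code, and the rule names, App-IDs, standard-port table and traffic records are all constructed for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

STANDARD_PORTS = {"ssl": {443}, "web-browsing": {80}, "ssh": {22}}  # constructed table

@dataclass
class Rule:
    name: str
    app_group: str                 # the rule references a group object, not App-IDs
    hits: int = 0
    reset_at: datetime | None = None

@dataclass
class Rulebase:
    groups: dict[str, set[str]]    # application group -> sanctioned App-IDs
    rules: list[Rule]              # ordered; first match wins
    def sanction(self, group: str, app: str) -> None:
        self.groups[group].add(app)          # edit the group; do not add a rule
    def reset_counter(self, rule_name: str, now: datetime) -> None:
        for r in self.rules:
            if r.name == rule_name:
                r.hits, r.reset_at = 0, now  # later hits reflect only the change
    def match(self, app: str) -> Rule | None:
        return next((r for r in self.rules if app in self.groups[r.app_group]), None)

def replay(rb: Rulebase, logs: list[dict]) -> tuple[dict[str, int], list[tuple]]:
    """Count hits per rule since its reset; flag hits that used a non-standard port."""
    nonstd = []
    for rec in logs:
        rule = rb.match(rec["app"])
        if rule is None or (rule.reset_at and rec["ts"] < rule.reset_at):
            continue                         # pre-reset events are not counted
        rule.hits += 1
        if rec["dport"] not in STANDARD_PORTS.get(rec["app"], set()):
            nonstd.append((rule.name, rec["app"], rec["dport"]))
    return {r.name: r.hits for r in rb.rules}, nonstd

def demo() -> tuple[dict[str, int], list[tuple]]:
    rb = Rulebase({"sanctioned-web": {"web-browsing", "ssl"}, "staged": set()},
                  [Rule("allow-web", "sanctioned-web"), Rule("allow-staged", "staged")])
    rb.sanction("staged", "ssh")                             # new app goes in the group
    rb.reset_counter("allow-staged", datetime(2024, 1, 10, 12, 0))
    logs = [  # constructed traffic records: time, App-ID, destination port
        {"ts": datetime(2024, 1, 10, 11, 0), "app": "ssh", "dport": 22},    # before reset
        {"ts": datetime(2024, 1, 10, 12, 5), "app": "ssh", "dport": 2222},  # non-standard
        {"ts": datetime(2024, 1, 10, 12, 6), "app": "ssl", "dport": 443},
        {"ts": datetime(2024, 1, 10, 12, 7), "app": "ssh", "dport": 22},
    ]
    return replay(rb, logs)
```

The pre-reset ssh record is excluded from the count, and the port 2222 hit is what you would go on to inspect in the non-standard-port widgets.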
If you use Panorama to manage firewalls, you can monitor firewall health to compare devices to their baseline performance and to each other to identify deviations from normal behavior.
Palo Alto Networks releases content updates that you should download automatically and schedule for installation on firewalls as soon as possible. Most content updates contain updates to threat content (antivirus, vulnerabilities, anti-spyware, etc.) and may contain modified App-IDs. On the third Tuesday of each month, the content update also contains new App-IDs. You can set separate thresholds to delay installing regular content updates and to delay installing the once-a-month update that contains new App-IDs for a specified period of time after the download. Delaying installation enables you to install content updates that don’t include new App-IDs as quickly as possible to get the latest threat signatures, while providing more time to examine new App-IDs before installing them.
The content updates on the third Tuesday of each month that contain new App-IDs may cause changes in Security policy enforcement. Before you install new or modified App-IDs, review the policy impact, stage updates to test the impact, and modify existing Security policy rules if necessary. If you use Panorama, the most efficient way to control downloading and installing content updates on firewalls is to load them on Panorama and push them from there.
Follow the general content update best practices, but keep in mind that on internet gateways, security is critical because any traffic could attempt to gain entrance to your network from the internet, so you want to roll out content updates as fast as possible:
- Quickly test content updates in a safe area of the network before you install them on an internet gateway.
- For content updates that don’t contain new App-IDs, set the installation threshold to no more than two hours after the automatic download and conduct testing within that period.
- For content updates that contain new App-IDs, set the installation threshold to no more than eight hours after the automatic download and conduct testing within that period.
- Configure Log Forwarding for all content updates.
- Before installing a new content update, review new and modified App-IDs to determine if there is policy impact.
- If necessary, modify existing Security policy rules to accommodate the App-ID changes. You can disable selected App-IDs if some App-IDs require more testing and install the rest of the new App-IDs. Finish testing and any necessary policy revisions before the next monthly content release with new App-IDs arrives (third Tuesday of each month) to avoid overlap.
- Prepare policy updates to account for App-ID changes included in a content release or to add new sanctioned applications to or remove applications from your whitelist rules.