Rules to Begin Converting After 30 Days

Types of legacy port-based security policy rules to convert to application-based rules after a month of monitoring production traffic.
After 30 days of monitoring production traffic, you can safely begin to convert the rest of the port-based rules to App-ID based rules and clean up the rulebase. A good place to start is with cleaning up unused rules to reduce the attack surface. After that, start converting rules to App-ID at the perimeter with your outbound internet access (port 80/443) rule, because that rule likely sees more traffic with more applications than any other rule, which also means it’s the rule that carries the most risk.
Install the latest Content Updates before you begin converting rules to ensure you have the latest application signatures on the PAN-OS device.
Policy Optimizer provides many intuitive ways to sort, filter, and prioritize which rules to convert first. After removing unused rules and converting the web access rule to App-ID, the rules you choose to prioritize depend on your business and security requirements. The following sections provide ideas and methods for using the simple yet powerful sorting and filtering options to identify and prioritize rules to convert after the first 30 days:

Related Documentation