Convert Rules With Few Apps Seen Over a Time Period
Convert legacy port-based security policy rules that have seen the fewest applications to application-based rules.
Rules with relatively few Apps Seen and with no new applications seen over a long enough time period may be easy to convert and relatively stable, and you can use filters to identify those rules.
- In Policies > Security > Policy Optimizer > No App Specified, filter the rules to display only rules with a low number of Apps Seen that have seen no new applications over the desired time period. This example filters for rules that have seen three or fewer applications (apps seen count leq ‘3’) and for which no new applications have been seen for at least 30 days (days no new app count geq ‘30’).
- Select a rule to convert and click the number in its Apps Seen column.
- In the Applications & Usage dialog, decide whether you want to allow all of the applications and whether they should be in the same rule, that is, whether the applications require similar treatment in terms of access and security.
  - If you want to allow all of the applications and they require similar treatment, you can Match Usage and replace the port-based rule with the new App-ID based rule.
  - If you want to allow all of the applications but they require different treatment, clone the rule for each set of applications that requires different treatment. For example, if a port-based rule allows three applications, two of them email applications and one an infrastructure application, you may want to clone one rule for the email applications and another for the infrastructure application.
  - If you want to allow some applications and deny others:
    - Clone one or more rules for the applications you want to keep and monitor the original port-based rule to ensure that the applications you don’t want to keep are the only ones that match that rule. When enough time has passed to feel confident that no applications you want to allow match the port-based rule, you can disable or delete it. Steps 4-7 in Convert the Internet Access Rules show how to create a cloned rule.
    - If you’re confident you know which applications you want to allow and which applications you want to block:
      - If the applications you want to allow require similar treatment, use Add to Rule to replace the port-based rule with an application-based rule that allows only the applications you added to the rule. The applications you don’t add to the rule are blocked unless you allow them in another rule.
      - If the applications you want to allow require different treatment, clone application-based rules for the applications you want to allow from the port-based rule. If you’re still confident it’s OK to block the remaining applications, you can disable (or delete) the port-based rule.
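The filter in step 1 and the decision tree in step 3 are easy to reason about offline once the per-rule data is exported. The following Python is an added example, not Policy Optimizer code or output: it models constructed rule records (rule name, applications seen, the date each was first seen, and a hypothetical treatment category the administrator assigns), reproduces the "three or fewer apps seen, no new app for 30 days" filter, and returns the conversion path the steps above describe for a chosen set of applications to allow. The `category` field, the `confident` flag and the `disable_port_rule` outcome for a rule where nothing is kept are assumptions of this example, not options in the product UI.

```python
from dataclasses import dataclass, field
from datetime import date


# Constructed sample records (not Policy Optimizer output): one entry per
# application that has matched a legacy port-based rule, with the date it was
# first seen and a treatment category an administrator has assigned.
@dataclass
class AppSeen:
    name: str
    category: str      # hypothetical grouping, e.g. "email" or "infrastructure"
    first_seen: date


@dataclass
class PortRule:
    name: str
    apps: list = field(default_factory=list)

    def apps_seen_count(self) -> int:
        return len(self.apps)

    def days_no_new_app(self, today: date) -> int:
        """Days since the most recently discovered application first matched."""
        if not self.apps:
            return 0
        return (today - max(a.first_seen for a in self.apps)).days


def stable_candidates(rules, today, max_apps=3, min_quiet_days=30):
    """Mirror the filter 'apps seen count leq 3 and days no new app count geq 30'.

    Rules with zero apps seen are unused rules, a separate case, so they are skipped.
    """
    return [r.name for r in rules
            if 0 < r.apps_seen_count() <= max_apps
            and r.days_no_new_app(today) >= min_quiet_days]


def plan_conversion(rule, allow, confident=True):
    """Choose the conversion path for one rule.

    allow:     names of the seen applications that should keep working.
    confident: whether the remaining (not allowed) applications can be blocked now.
    Returns the action, the application set for each resulting App-ID rule, and
    what happens to the original port-based rule.
    """
    allowed = [a for a in rule.apps if a.name in allow]
    denied = [a for a in rule.apps if a.name not in allow]
    groups = sorted({a.category for a in allowed})
    # One App-ID rule per treatment group, apps sorted for stable output.
    clones = [sorted(a.name for a in allowed if a.category == g) for g in groups]

    if not allowed:
        # Nothing to keep: not a documented path; assumption of this example.
        return {"action": "disable_port_rule", "rules": [], "port_rule": "disable"}
    if not denied:
        if len(groups) == 1:
            return {"action": "match_usage", "rules": clones, "port_rule": "replaced"}
        return {"action": "clone_per_treatment", "rules": clones, "port_rule": "disable"}
    if not confident:
        # Keep the port rule in place and watch what still matches it.
        return {"action": "clone_and_monitor", "rules": clones,
                "port_rule": "monitor_then_disable"}
    if len(groups) == 1:
        return {"action": "add_to_rule", "rules": clones, "port_rule": "replaced"}
    return {"action": "clone_per_treatment", "rules": clones, "port_rule": "disable"}


TODAY = date(2024, 6, 30)  # constructed reference date
SAMPLE_RULES = [
    PortRule("allow-web-80-443", [
        AppSeen("web-browsing", "web", date(2024, 3, 1)),
        AppSeen("ssl", "web", date(2024, 3, 2)),
    ]),
    PortRule("allow-mail-tcp25", [
        AppSeen("smtp", "email", date(2024, 5, 1)),
        AppSeen("imap", "email", date(2024, 5, 3)),
        AppSeen("ntp", "infrastructure", date(2024, 6, 20)),
    ]),
    PortRule("allow-dmz-any",
             [AppSeen(f"app-{i}", "misc", date(2024, 2, 1)) for i in range(5)]),
    PortRule("unused-legacy", []),
]


def by_name(name):
    return next(r for r in SAMPLE_RULES if r.name == name)


if __name__ == "__main__":
    print("stable candidates:", stable_candidates(SAMPLE_RULES, TODAY))
    print(plan_conversion(by_name("allow-mail-tcp25"), {"smtp", "imap", "ntp"}))
    print(plan_conversion(by_name("allow-mail-tcp25"), {"smtp", "imap"}, confident=False))
```

Only `allow-web-80-443` passes the filter: the mail rule saw `ntp` ten days ago, the DMZ rule has five applications, and the unused rule has none. For the mail rule, allowing all three applications yields two clones (one for the email applications, one for `ntp`), while allowing only the email applications with confidence collapses to a single Add to Rule replacement.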