Convert the Most Stable Rules
Convert legacy port-based security policy rules that have seen no new applications for a period of time to application-based rules.
Convert port-based rules that have not seen new applications for a reasonable period of time, which means the rules have stabilized and you’re less likely to see new applications on them. Clone these rules to ensure that if more applications match the rule later, the port-based rule remains in the rulebase as long as necessary as a safety net.
Take applications used only for quarterly, annual, and other periodic events into account when you evaluate whether you think new applications may match the rule.
- In Policies > Security > Policy Optimizer > No App Specified, sort the rules (descending) to show the rules with the highest number of Days with No New Apps at the top of the list.
  The first three rules have seen no new applications for fairly long periods of time and are candidates for conversion to App-ID. Convert Simple Rules with Well-Known Apps After One Week covers converting rules with few Apps Seen, such as the smb rule, so this example focuses on the allow apps rule.
  Also check the Modified date. Rules that haven’t been modified for a long time are also likely to be more stable. Rules that have been modified recently may not have seen all the applications that could match the rule.
  Because more than a few applications have been seen on the rule, clone the rule instead of converting it directly to an App-ID based rule.
- Click the number in the Apps Seen column to open the Applications & Usage dialog.
- Sort and filter the Apps Seen on the rule to determine how to handle the applications.
  Sorting or filtering by subcategory helps you understand the traffic seen on rules that see more than a few applications. For example, you can filter by the infrastructure subcategory to see all the infrastructure applications and clone an App-ID based rule to control them.
- Follow Steps 4-7 in Convert the Internet Access Rules to create a cloned rule to control each subcategory (or related subcategories) of applications you want to treat similarly.
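The triage the steps above describe (sort by Days with No New Apps, check the Modified date, convert rules with few apps in place, clone rules with many apps and split the clones by subcategory) can be applied to an exported copy of the Policy Optimizer columns. The script below is an added example and not Palo Alto Networks code; the record layout, the field names, the thresholds and the sample rules are constructed assumptions, not the product's export format.

```python
"""Triage port-based rules for App-ID conversion (added example, not PAN-OS code).

Works on a constructed, in-memory copy of the columns Policy Optimizer shows
in the No App Specified view: Days with No New Apps, Modified, and Apps Seen
with each app's subcategory. The record layout is an assumption.
"""
from collections import defaultdict
from datetime import date

# Constructed reference date so the Modified-date check is deterministic.
TODAY = date(2024, 6, 30)

# Constructed sample rules modelled on the columns in the No App Specified view.
RULES = [
    {"name": "allow apps", "days_no_new_apps": 120, "modified": date(2023, 11, 2),
     "apps_seen": [
         {"app": "ssl", "subcategory": "encrypted-tunnel"},
         {"app": "web-browsing", "subcategory": "internet-utility"},
         {"app": "dns", "subcategory": "infrastructure"},
         {"app": "ntp", "subcategory": "infrastructure"},
         {"app": "ldap", "subcategory": "infrastructure"},
         {"app": "ms-rdp", "subcategory": "remote-access"},
     ]},
    {"name": "smb", "days_no_new_apps": 95, "modified": date(2024, 1, 15),
     "apps_seen": [{"app": "ms-ds-smb", "subcategory": "file-sharing"}]},
    {"name": "new-dmz-rule", "days_no_new_apps": 40, "modified": date(2024, 6, 20),
     "apps_seen": [{"app": "ssh", "subcategory": "encrypted-tunnel"}]},
    {"name": "legacy-any", "days_no_new_apps": 5, "modified": date(2022, 3, 1),
     "apps_seen": [{"app": "ftp", "subcategory": "file-sharing"}]},
]


def stable_candidates(rules, min_quiet_days=90, min_age_days=30, today=TODAY):
    """Return rules that have stabilised: no new apps for at least
    min_quiet_days and not modified within the last min_age_days.
    Sorted like the GUI, descending by Days with No New Apps.
    Raise min_quiet_days for rules that may carry quarterly or annual traffic."""
    picked = [
        r for r in rules
        if r["days_no_new_apps"] >= min_quiet_days
        and (today - r["modified"]).days >= min_age_days
    ]
    return sorted(picked, key=lambda r: r["days_no_new_apps"], reverse=True)


def conversion_action(rule, few_apps=3):
    """Rules with only a few apps are converted in place; rules with more apps
    are cloned so the port-based rule stays in the rulebase as a safety net."""
    return "convert" if len(rule["apps_seen"]) <= few_apps else "clone"


def apps_by_subcategory(rule):
    """Group Apps Seen by subcategory; each group is one candidate cloned
    App-ID based rule (or several related groups can share one clone)."""
    groups = defaultdict(list)
    for entry in rule["apps_seen"]:
        groups[entry["subcategory"]].append(entry["app"])
    return {sub: sorted(apps) for sub, apps in sorted(groups.items())}


def conversion_plan(rules, **kwargs):
    """Return (rule name, action, subcategory groups) for each stable candidate.
    Subcategory groups are only produced for rules that will be cloned."""
    plan = []
    for rule in stable_candidates(rules, **kwargs):
        action = conversion_action(rule)
        groups = apps_by_subcategory(rule) if action == "clone" else {}
        plan.append((rule["name"], action, groups))
    return plan


if __name__ == "__main__":
    for name, action, groups in conversion_plan(RULES):
        print(f"{name}: {action}")
        for sub, apps in groups.items():
            print(f"  cloned App-ID rule for {sub}: {', '.join(apps)}")
```

With the constructed data, `allow apps` (120 quiet days, six apps) is planned as a clone split into four subcategory groups, `smb` (95 quiet days, one app) is converted in place, `new-dmz-rule` is held back because it was modified ten days ago, and `legacy-any` is held back because it is still seeing new applications. The thresholds are starting points; the quiet-day threshold in particular should be long enough to cover any periodic event whose applications would otherwise be missed.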