Convert the Internet Access Rules

Convert legacy port-based HTTP/HTTPS (port 80/443) internet access rules to application-based rules.
An internet access rule controls traffic on port 80 (HTTP) and port 443 (HTTPS). This rule usually sees the largest number of applications and the greatest amount of traffic in bytes. A port-based internet access rule could allow applications you don’t want on your network and expose it to attacks, so you need to control and safely enable the applications allowed to use those ports.
When you convert internet access rules from port-based rules to application-based rules, you need to understand which applications your company sanctions for business use and which applications your company tolerates for other purposes.
A good method of converting an internet access rule is to group applications that require similar treatment in the same rule instead of creating separate rules for each application, which helps prevent rulebase bloat. Use Policy Optimizer to sort the applications seen on a rule by application subcategory so you can see all the applications on a rule for a particular subcategory, select the applications your business uses, and then clone a rule to control those applications. Policy Optimizer offers many sorting and filtering options to organize and analyze applications seen on a rule.
Clone the rule instead of directly converting it to ensure application availability. Cloning a rule retains the original port-based rule and places the cloned application-based rule directly above the port-based rule in the Security rulebase. This enables you to create different internet access rules from the original port-based rule for groups of applications you want to treat differently, without risking application availability. You can easily see which applications match the cloned rule and which applications filter through to the original port-based rule and adjust the rules accordingly over time. When no applications you want to allow match the port-based rule for a long enough period of time to be confident you’ve accounted for all the applications the business requires, you can disable (or delete) the port-based rule, which finishes the conversion without risking application availability.
You can use the same method to convert other rules that have seen more than a few well-known applications. Use the information under Policies > Security > Policy Optimizer > No App Specified to help prioritize which rules to convert after you convert the internet access rules. For example, you could prioritize by a combination of most Apps Seen and most traffic over the last 30 days (Traffic (Bytes, 30 days)) to convert the most-used rules, or you could look at Days with No New Apps and the Modified date to find rules that have seen many applications but are also more stable.
This example shows you how to clone an application-based rule that controls email applications from a port-based internet access rule. You can use the same cloning process to safely create application-based rules for different subcategories and individual applications seen on any port-based rule.
  1. Navigate to Policies > Security > Policy Optimizer > No App Specified and find the port-based rule(s) that control internet access.
    Use the filter (service/member eq 'service-http') and (service/member eq 'service-https') to find the port-based rule(s) configured with service-http and service-https, which are the internet access rule(s).
    (Screenshot: web-access-rule-service-filter.png)
  2. Click Compare or the number in Apps Seen to open the Applications & Usage dialog.
  3. Sort Apps Seen by application subcategory to group similar applications that may be appropriate to control in the same Security policy rule.
    Sort by Subcategory to group the applications seen on the rule:
    (Screenshot: sort-by-subcat-apps-and-usage.png)
    You can also filter by a particular subcategory to see only the applications that belong to that subcategory. In this example, to create an App-ID based rule to control email applications, filter to view only the email applications seen on the rule:
    (Screenshot: filter-by-email-apps-and-usage.png)
  4. Select the applications you want to allow and then Create Cloned Rule to clone the new application-based rule from the port-based rule.
    For example, if your company sanctions Gmail and Outlook for corporate use and tolerates Yahoo email for personal use, but chooses not to allow GMX mail or Hotmail:
    (Screenshot: create-cloned-rule-email-apps-and-usage.png)
  5. In the Clone dialog, select the applications associated with each application that you want to allow.
    (Screenshot: email-apps-allowed-rule.png)
    Give the new rule a Name that describes its purpose. Decide whether you want to allow only specific capabilities for each email application or the container app. If you allow the container app, you allow all of the applications in the container. This future-proofs the rule by automatically allowing new applications if they are added to the container app and helps ensure application availability. By default, all of the applications are selected. The container app for each application is shaded gray, applications that have been seen on the rule are shaded green, and applications in the container app that haven't been seen on the rule are italicized and not shaded.
    If you choose not to allow some applications in a container app, the container app is also deselected and the rule only includes the specific applications you select.
    (Screenshot: email-some-apps-allowed-rule.png)
    Deselecting the gmail-call-phone and gmail-posting applications also deselected the gmail container app.
  6. Click OK to create the rule, which is placed above the port-based rule in the Security policy rulebase (Policies > Security).
    If you select the container apps, Policy Optimizer adds only the container apps to the rule because they include all of the applications.
    (Screenshot: email-app-based-rule-with-container-apps.png)
    If you selected individual applications from the Clone dialog instead of the container apps, Policy Optimizer adds only the selected applications to the new App-ID based rule.
    (Screenshot: email-app-based-rule-without-container-apps.png)
  7. Click the rule Name or a Service and change the Service to application-default to prevent evasive applications from gaining access on a non-standard port.
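The following is an added example, not Palo Alto Networks code or the PAN-OS API: a small Python model of the procedure above (steps 1, 5, 6 and 7). It finds the port-based internet access rules by service, collapses a selection to container apps exactly as the Clone dialog does (a container stays only when every member is selected), inserts the cloned rule above the port-based rule, and sets its service to application-default. The rule names and the container memberships are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed container membership (hypothetical, not the real App-ID tree).
CONTAINERS = {
    "gmail": ["gmail-base", "gmail-call-phone", "gmail-posting"],
    "outlook-web-online": ["outlook-web-online-base", "outlook-web-online-attach"],
}


@dataclass
class Rule:
    name: str
    service: list
    application: list
    disabled: bool = False


def find_internet_access_rules(rulebase):
    """Equivalent of the Policy Optimizer filter
    (service/member eq 'service-http') and (service/member eq 'service-https'):
    return the rules that carry both services."""
    wanted = {"service-http", "service-https"}
    return [r for r in rulebase if wanted <= set(r.service)]


def collapse_to_containers(selected, containers=CONTAINERS):
    """Mirror the Clone dialog: a container app is kept only when every one of
    its members is selected; deselecting any member deselects the container and
    leaves just the individually selected members in the rule."""
    selected = set(selected)
    apps, covered = [], set()
    for container, members in containers.items():
        if all(m in selected for m in members):
            apps.append(container)
            covered.update(members)
    # Individual apps whose container was not fully selected, in container order.
    for members in containers.values():
        apps += [m for m in members if m in selected and m not in covered]
    return apps


def clone_app_rule(rulebase, port_rule_name, new_name, selected):
    """Insert the application-based clone directly above the port-based rule
    and switch its service to application-default (step 7), so evasive apps
    cannot use a non-standard port. The original port-based rule is untouched."""
    idx = next(i for i, r in enumerate(rulebase) if r.name == port_rule_name)
    cloned = Rule(new_name, ["application-default"], collapse_to_containers(selected))
    rulebase.insert(idx, cloned)
    return cloned
```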