Step 2: Create the Application Whitelist Rules

After you Identify Whitelist Applications, you are ready to create the next part of the best practice internet gateway security policy rulebase: the application whitelist rules. Every whitelist rule you create must allow traffic based on application (not port) and, with the exception of certain infrastructure applications that clients must reach before the firewall can identify the user, must only allow access to known users. Whenever possible, Create User Groups for Access to Whitelist Applications so that you can limit access to the specific users or user groups who have a business need for the application.
To convert port-based rules to application-based rules, use Policy Optimizer, which provides an intuitive way to view the applications on port-based rules and convert them to application-based rules so you can safely enable applications. Best Practices for Migrating to Application-Based Policy shows you how to use Expedition to perform a like-for-like migration from a legacy (port-based) firewall to a Palo Alto Networks firewall (or Panorama) and then use Policy Optimizer to convert the port-based policy to an application-based policy.
When creating the application whitelist rules, make sure to place more specific rules above more general rules. For example, the rules for all of your sanctioned and infrastructure applications would come before the rules that allow general access to certain types of business and personal applications. This first part of the rulebase includes the allow rules for the applications you identified as part of your application whitelist:
  • Sanctioned applications you provision and administer for business and infrastructure purposes
  • General business applications that your users may need to use in order to get their jobs done
  • General applications you may choose to allow for personal use
Tag all sanctioned applications with the predefined Sanctioned tag. Panorama and firewalls treat applications without the Sanctioned tag as unsanctioned applications.
Every application whitelist rule also requires that you attach the best practice security profiles to ensure that you are scanning all allowed traffic for known and unknown threats. If you have not yet created these profiles, then Create Best Practice Security Profiles for the Internet Gateway. And, because you can’t inspect what you can’t see, you must also make sure you have configured the firewall to Decrypt Traffic for Full Visibility and Threat Inspection.
  1. Allow access to your corporate DNS servers.
    Rule Highlights
    • Access to DNS is required to provide network infrastructure services, but it is commonly exploited by attackers.
    • Allowing access only on your internal DNS server reduces your attack surface.
    • Because this rule is very specific, place it at the top of the rulebase.
    • Create an address object to use for the destination address to ensure that users only access the DNS server in your data center.
    • Because users will need access to these services before they are logged in, you must allow access to any user.
  2. Allow access to other required IT infrastructure resources.
    Rule Highlights
    • Enable the applications that provide your network infrastructure and management functions, such as NTP, OCSP, STUN, and ping.
    • While DNS traffic allowed in the preceding rule is restricted to the destination address in the data center, these applications may not reside in your data center and therefore require a separate rule.
    • Because these applications run on their default ports, must be reachable by any user (users may not yet be known users at the time these services are needed), and all have a destination address of any, contain them in a single application group and create a single rule that enables access to all of them.
    • Users may not have logged in yet at the time they need access to the infrastructure applications, so make sure this rule allows access to any user.
  3. Allow access to IT sanctioned SaaS applications.
    Rule Highlights
    • With SaaS applications, your proprietary data is in the cloud. This rule ensures that only your known users have access to these applications (and the underlying data).
    • Scan allowed SaaS traffic for threats.
  4. Allow access to IT provisioned on-premise applications.
    Rule Highlights
    • Business-critical data center applications are often leveraged in attacks during the exfiltration stage (using applications such as FTP) or during the lateral movement stage (by exploiting application vulnerabilities).
    • Many data center applications use multiple ports; setting the Service to application-default safely enables the applications on their standard ports. You should not allow applications on non-standard ports, because non-standard port use is often associated with evasive behavior.
  5. Allow access to applications your administrative users need.
    Rule Highlights
    • Because administrators often need access to sensitive account data and remote access to other systems (for example, RDP), you can greatly reduce your attack surface by allowing access only to the administrators who have a business need.
    • This rule restricts access to users in the IT_admins group.
    • Create a custom application for each internal application, or for each application that runs on a non-standard port, so that you can enforce it on its default port rather than opening additional ports on your network.
    • If you have different user groups for different applications, create separate rules for granular control.
  6. Allow access to general business applications.
    Rule Highlights
    • Beyond the applications you sanction and administer for your users, there are many applications that users commonly use for business purposes (for example, WebEx, Adobe online services, or Evernote to interact with partners) but that you may not officially sanction.
    • Because malware often sneaks in with legitimate web-based applications, this rule allows you to safely allow web browsing while still scanning for threats. See Create Best Practice Security Profiles for the Internet Gateway.
  7. (Optional) Allow access to personal applications.
    Rule Highlights
    • As the lines blur between work and personal devices, you want to ensure that all applications your users access are safely enabled and free of threats.
    • By using application filters, you can safely enable access to personal applications when you create this initial rulebase. After you assess what applications are in use, you can use the information to decide whether to remove the filter and allow a smaller subset of personal applications appropriate for your acceptable use policies.
  8. Allow general web browsing.
    Rule Highlights
    • Use the same best practice security profiles as the other rules, except the Best Practice Internet Gateway File Blocking Profile, which is more stringent because general web browsing traffic is more exposed to threats, and the URL Filtering profile, which you should tighten as much as possible.
    • Allow only known users, which prevents malware-infected devices and embedded devices from reaching the internet.
    • Use application filters to allow access to general types of applications.
    • Explicitly allow SSL as an application to allow users to browse to HTTPS sites that are excluded from decryption.
    • Set the Service to application-default.
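The eight rules above share a small set of invariants: match on application rather than port, keep the Service at application-default, attach a best practice security profile group to every rule, allow any user only for the infrastructure applications, restrict the DNS rule to the internal DNS server and keep it at the top, and never place a general (application-filter) rule above a specific one. The following linter encodes those invariants so they can be checked against a rulebase before commit. It is an added example and not Palo Alto Networks code: the Rule fields are an assumed simplification of what the PAN-OS XML API returns, the rule and address-object names are constructed, and the App-ID names are illustrative.

```python
"""Lint a security rulebase against the application whitelist best practices.

Added example (not PAN-OS code). Rules are modelled as plain Python objects
whose field names are assumptions, not the PAN-OS XML schema.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Infrastructure applications that clients need before User-ID can identify
# the user; these are the only applications a rule may open to source user "any".
INFRA_APPS = {"dns", "ntp", "ocsp", "stun", "ping"}


@dataclass(frozen=True)
class Rule:
    name: str
    applications: FrozenSet[str]   # App-ID names; "filter:<name>" marks an application filter
    source_user: str               # "any", "known-user", or a user-group name
    destination: str               # "any" or an address-object name
    service: str                   # "application-default" or an explicit port service
    profile_group: Optional[str]   # security profile group attached to the rule


def is_general(rule: Rule) -> bool:
    """A rule is 'general' when it matches by application filter or by any application."""
    return "any" in rule.applications or any(a.startswith("filter:") for a in rule.applications)


def lint_rule(rule: Rule) -> List[str]:
    """Return the best-practice violations of a single whitelist rule."""
    findings = []
    if "any" in rule.applications:
        findings.append("port-based rule: match on application, not 'any'")
    if rule.service != "application-default":
        findings.append("service must be application-default (no non-standard ports)")
    if rule.profile_group is None:
        findings.append("no best-practice security profile group attached")
    if rule.source_user == "any" and not rule.applications <= INFRA_APPS:
        findings.append("source user 'any' is only acceptable for infrastructure applications")
    if rule.applications == {"dns"} and rule.destination == "any":
        findings.append("DNS rule must restrict the destination to the internal DNS server")
    return findings


def lint_rulebase(rules: List[Rule]) -> Dict[str, List[str]]:
    """Lint every rule and check the ordering constraints across the rulebase."""
    report = {r.name: lint_rule(r) for r in rules}
    for index, rule in enumerate(rules):
        if rule.applications == {"dns"} and index != 0:
            report[rule.name].append("DNS rule should be at the top of the rulebase")
        if is_general(rule):
            shadowed = [r.name for r in rules[index + 1:] if not is_general(r)]
            if shadowed:
                report[rule.name].append(
                    "general rule placed above specific rule(s): " + ", ".join(shadowed))
    return report


# Constructed sample modelled on the eight rules above; object names are assumptions.
BEST_PRACTICE_RULEBASE = [
    Rule("allow-dns", frozenset({"dns"}), "any", "corp-dns-servers", "application-default", "best-practice"),
    Rule("allow-infra", frozenset({"ntp", "ocsp", "stun", "ping"}), "any", "any", "application-default", "best-practice"),
    Rule("allow-saas", frozenset({"salesforce", "box"}), "known-user", "any", "application-default", "best-practice"),
    Rule("allow-onprem", frozenset({"ftp", "ms-sql-db"}), "known-user", "datacenter-apps", "application-default", "best-practice"),
    Rule("allow-admin", frozenset({"ms-rdp", "ssh"}), "IT_admins", "any", "application-default", "best-practice"),
    Rule("allow-general-business", frozenset({"filter:business-apps"}), "known-user", "any", "application-default", "best-practice"),
    Rule("allow-personal", frozenset({"filter:personal-apps"}), "known-user", "any", "application-default", "best-practice"),
    Rule("allow-web-browsing", frozenset({"filter:web-browsing", "ssl"}), "known-user", "any", "application-default", "best-practice"),
]

# Constructed legacy rulebase: port-based, unscanned, and ordered general-before-specific.
LEGACY_RULEBASE = [
    Rule("allow-web", frozenset({"filter:web-browsing"}), "any", "any", "application-default", None),
    Rule("allow-tcp-53", frozenset({"any"}), "any", "any", "tcp-53", None),
    Rule("allow-dns", frozenset({"dns"}), "any", "any", "application-default", "best-practice"),
]


if __name__ == "__main__":
    for label, rulebase in (("best practice", BEST_PRACTICE_RULEBASE), ("legacy", LEGACY_RULEBASE)):
        print(f"== {label} rulebase ==")
        for name, findings in lint_rulebase(rulebase).items():
            print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The ordering check is deliberately coarse: it only flags an application-filter or any-application rule that sits above a rule with an explicit application list, which is the ordering mistake the text warns about. It does not try to compute full shadowing between two explicit rules; Policy Optimizer and the rule usage counters are the right tools for that.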
