Convert Simple Rules with Well-Known Apps After One Week
Convert legacy port-based security policy rules that
control a small number of well-known applications after one week
of monitoring production traffic.
After a week of monitoring
production traffic, you can safely begin to convert simple port-based
rules to App-ID based rules. Good candidates include rules for which
only one or a small number of well-known applications should legitimately
use the port because it’s fairly easy to determine which applications
you want to allow on a simple rule. Examples include port 21 (FTP),
port 22 (SSH), and port 53 (DNS).
Install the latest Content Updates before
you begin converting rules to ensure you have the latest application
signatures on your PAN-OS appliance. This example shows you how
to sort port-based rules to find candidates for safe conversion
and the options for converting those port-based rules directly to
App-ID based rules.
In
Policies
Security
Policy Optimizer
No App Specified
, select
Apps
Seen
and
Sort Ascending
to find
the port-based rules that have seen the fewest applications.
The port-based rules that have seen the fewest applications
are at the top of the
No App Specified
display.
You can safely convert rules for specific services, such as SSH,
directly to application-based rules and you can examine rules that
have seen few applications to see if you can safely convert them.
The
port-based rule intended to allow Server Message Block (SMB) traffic
has seen only three applications since migrating the configuration
to the PAN-OS appliance and therefore is a candidate for conversion.
Click the
Apps Seen
number or
Compare
to
examine the applications seen on the rule.
Applications & Usage
shows the
applications actually seen in the traffic that match the rule.
Evaluate whether you want to allow all, some, or none
of the applications seen on the rule and select the applications
you want to allow.
You can match the exact usage of the rule, future-proof
the rule by adding the container apps, or select individual applications
to add to the rule.
If you want the rule to allow all applications
exactly as matched on the rule:
Select all
Applications
in
Apps
Seen
).
Click
Match Usage
.
Click
OK
to convert the port-based
rule to an App-ID based rule.
Set the
Service
to
application-default
so
that no evasive, malicious applications can use the port.
If you want to allow all of the applications seen on the
rule and future-proof the rule by adding their container applications
(so all applications within each container are allowed and applications
added to the container app later are automatically allowed):
Leave all the applications selected and
Add to Rule
.
The
gray-shaded applications are the container apps. The green-shaded applications
are the applications seen on the rule. The unshaded applications belong
to the same container app but have not been seen on the rule.
Click
OK
. Only the container apps
appear in
Apps on Rule
because they include
(allow) all of the applications they contain:
Click
OK
to convert the rule.
Set the
Service
to
application-default
so
that no evasive, malicious applications can use the port.
If you want to allow only some of the applications or if
you want to select the applications to allow within a container
app, select those applications and then click
Add to
Rule
. For example, if you decide not to allow msrpc-base
and select only ms-ds-smbv2 and ms-ds-smb-base and
Add
to Rule
, Policy Optimizer shows you the related applications
in the container app (ms-ds-smb, shaded gray) and provides the opportunity
to future-proof the rule by adding those applications:
Select
the applications you want to allow and then click
Add
to Rule
.
For example, if you decide not to allow
msrpc-base and select only ms-ds-smbv2 and ms-ds-smb-base and
Add
to Rule
, Policy Optimizer shows you the related applications
in the container app (ms-ds-smb, shaded gray) and provides the opportunity
to future-proof the rule by adding those applications:
The green-shaded
applications are the applications seen on the rule. The unshaded
applications belong to the same container app but have not been
seen on the rule. In this case, you may choose to allow ms-ds-smbv3
to future-proof the rule but not to allow ms-ds-smbv1 because it’s
an older protocol.
You can allow all of the applications or select which applications to
allow.
To allow all of the applications, click
OK
.
Apps
on Rule
shows the selected applications. Click
OK
to
convert the rule.
To allow only selected applications, deselect
the undesired applications. If you deselect an application in a
container, the container app is also deselected so it doesn’t automatically
allow its child apps.
Click
OK
.
Apps on Rule
shows
the selected applications.
Click
OK
to convert the rule.
Set the
Service
to
application-default
so
that no evasive, malicious applications can use the port.