Rules to Begin Converting After 30 Days
Types of legacy port-based security policy rules to convert to application-based rules after a month of monitoring production traffic.
After 30 days of monitoring production traffic, you can safely begin to convert the rest of the port-based rules to App-ID based rules and clean up the rulebase. A good place to start is with cleaning up unused rules to reduce the attack surface. After that, start converting rules to App-ID at the perimeter with your outbound internet access (port 80/443) rule, because that rule likely sees more traffic with more applications than any other rule, which also means it’s the rule that carries the most risk.

Install the latest Content Updates before you begin converting rules to ensure you have the latest application signatures on your PAN-OS appliance.
Policy Optimizer provides many intuitive ways to sort, filter, and prioritize which rules to convert first. After you remove unused rules and convert the web access rule to App-ID, the rules you choose to prioritize depend on your business and security requirements. As you prioritize, consider which applications are critical to your business, the likelihood of an incident, and its potential consequences.
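The triage described above (drop rules that saw no traffic in the 30-day window, convert the outbound 80/443 rule first, then the remaining port-based rules) can be scripted against an exported rulebase. The following is an added example, not Palo Alto Networks code or output of Policy Optimizer: it parses a small, constructed sample in the shape of a PAN-OS security rulebase XML export, pairs it with constructed hit counts standing in for `show rule-hit-count` output, and produces an ordered work list. The observed applications passed to `converted_rule` are an assumption here; in practice they come from the applications Policy Optimizer recorded for the rule.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a PAN-OS security rulebase export
# (not a real customer export).
SAMPLE_RULEBASE_XML = """
<rules>
  <entry name="Outbound-Web">
    <from><member>trust</member></from>
    <to><member>untrust</member></to>
    <application><member>any</member></application>
    <service><member>service-http</member><member>service-https</member></service>
    <action>allow</action>
  </entry>
  <entry name="Old-FTP-Server">
    <from><member>untrust</member></from>
    <to><member>dmz</member></to>
    <application><member>any</member></application>
    <service><member>tcp-21</member></service>
    <action>allow</action>
  </entry>
  <entry name="DNS-Out">
    <from><member>trust</member></from>
    <to><member>untrust</member></to>
    <application><member>dns</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
</rules>
""".strip()

# Constructed hit counts after the 30-day window (stand-in for
# "show rule-hit-count" output); zero hits means the rule went unused.
SAMPLE_HIT_COUNTS = {"Outbound-Web": 4812233, "Old-FTP-Server": 0, "DNS-Out": 90117}

# Built-in service objects that open TCP/80 and TCP/443.
WEB_SERVICES = {"service-http", "service-https"}


def parse_rules(xml_text):
    """Flatten each <entry> into a dict of the fields the triage needs."""
    root = ET.fromstring(xml_text)
    return [
        {
            "name": entry.get("name"),
            "applications": [m.text for m in entry.findall("application/member")],
            "services": [m.text for m in entry.findall("service/member")],
            "action": entry.findtext("action"),
        }
        for entry in root.findall("entry")
    ]


def is_port_based(rule):
    """A rule is port-based when it allows any application on a fixed service."""
    return rule["applications"] == ["any"] and rule["services"] != ["application-default"]


def unused_rules(rules, hit_counts):
    """Rules with no hits in the monitoring window: candidates for removal."""
    return [r["name"] for r in rules if hit_counts.get(r["name"], 0) == 0]


def web_access_rules(rules):
    """Port-based rules that open 80/443: the highest-risk rules, convert these first."""
    return [r["name"] for r in rules if is_port_based(r) and set(r["services"]) & WEB_SERVICES]


def converted_rule(rule, observed_apps):
    """App-ID form of a port-based rule: observed applications replace 'any'
    and the service is pinned to application-default."""
    new = dict(rule)
    new["applications"] = sorted(observed_apps)
    new["services"] = ["application-default"]
    return new


def prioritize(rules, hit_counts):
    """Ordered work list: (rule name, action). Unused rules first, then the
    web access rule, then other port-based rules by traffic volume, then
    rules that already use App-ID."""
    unused = set(unused_rules(rules, hit_counts))
    web = set(web_access_rules(rules))
    work = []
    for r in sorted(rules, key=lambda r: hit_counts.get(r["name"], 0), reverse=True):
        if r["name"] in unused:
            work.append((r["name"], "remove"))
        elif r["name"] in web:
            work.append((r["name"], "convert-first"))
        elif is_port_based(r):
            work.append((r["name"], "convert"))
        else:
            work.append((r["name"], "keep"))
    order = {"remove": 0, "convert-first": 1, "convert": 2, "keep": 3}
    return sorted(work, key=lambda item: order[item[1]])


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULEBASE_XML)
    for name, action in prioritize(rules, SAMPLE_HIT_COUNTS):
        print(f"{action:14} {name}")
    # Assumed observed applications for the web rule (constructed).
    print(converted_rule(rules[0], {"web-browsing", "ssl"}))
```

Running it lists `Old-FTP-Server` for removal, `Outbound-Web` for conversion first, and leaves `DNS-Out` alone because it already uses App-ID with `application-default`. Keep the script's hit-count window aligned with the content update schedule: convert only after the latest application signatures are installed, so the observed applications reflect current App-ID coverage.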
The following sections provide ideas and methods for using simple yet powerful sorting and filtering options to identify and prioritize rules to convert after the first 30 days: