Continue to improve network security after you convert
legacy port-based rules to application-based rules.
After you finish your first pass at converting port-based
rules to application-based rules, consider the following steps to
strengthen your Security policy rulebase and improve network security:
Use Expedition’s Rule Enrichment
capability, which uses machine learning to examine and consolidate
your policy configuration.
Run the Best Practice Assessment (BPA)
regularly to measure progress toward achieving your App-ID adoption
goal and to identify additional weaknesses. When you reach your
goal, use the BPA to identify areas where you can continue to improve
adoption and further safeguard your network.
Policy Optimizer converts port-based rules to App-ID based
rules but doesn’t change anything else about the rules. After you
convert legacy rules to App-ID based rules, tighten the rules to
reduce the attack surface and increase visibility:
Set the Service on each rule to application-default to
prevent applications from using non-standard ports. For internal
custom applications, define default ports in the custom application
object and then apply application-default.
At the perimeter (internet gateway), for web applications,
use URL Filtering categories
to prevent access to risky websites.
Configure User-ID to control who
has access to applications.
Configure Log Forwarding to centralize
the logs from multiple PAN-OS appliances, to send email alerts to
specific administrators or groups for specific alerts, and to preserve
logs for historical analysis.
Configure best practice Security
profiles for Antivirus, Anti-Spyware, Vulnerability
Protection, File Blocking, and WildFire Analysis, and apply them to
App-ID Security policy rules.
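The tightening checklist above, expressed as an audit over a PAN-OS configuration export. This is an added example and not code from the original page or from Palo Alto Networks: it parses a constructed running-config fragment and flags allow rules whose application is still any, whose service is not application-default, whose source-user is any, that are internet-bound with URL category any, or that lack Security profiles or a Log Forwarding profile. The XML layout is assumed to follow a real export (rules under rulebase/security/rules/entry, profiles under profile-setting, forwarding under log-setting); the rule, zone, group and profile names and the INTERNET_ZONES set are invented.

```python
"""Audit a PAN-OS Security policy export for converted App-ID rules that
were never tightened: service not application-default, no User-ID, no URL
category at the perimeter, no Security profiles, no log forwarding."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS running-config fragment
# (assumption: real exports nest rules under rulebase/security/rules; the
# rule names, zone names, group and profile names here are invented).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1"><rulebase><security><rules>
  <entry name="legacy-web-out">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <source-user><member>any</member></source-user>
    <category><member>any</member></category>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>service-http</member><member>service-https</member></service>
    <action>allow</action>
  </entry>
  <entry name="tightened-web-out">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <source-user><member>corp-staff</member></source-user>
    <category><member>business-and-economy</member></category>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
    <profile-setting><group><member>best-practice</member></group></profile-setting>
    <log-setting>central-logging</log-setting><log-end>yes</log-end>
  </entry>
  <entry name="still-port-based">
    <from><member>trust</member></from><to><member>dmz</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <source-user><member>any</member></source-user>
    <category><member>any</member></category>
    <application><member>any</member></application>
    <service><member>tcp-8443</member></service>
    <action>allow</action>
  </entry>
  <entry name="deny-rest">
    <from><member>any</member></from><to><member>any</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <source-user><member>any</member></source-user>
    <category><member>any</member></category>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>deny</action>
  </entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""

INTERNET_ZONES = {"untrust"}  # assumption: zone names that face the internet


def _members(rule, tag):
    """Return the <member> values of a multi-valued rule attribute."""
    return [m.text or "" for m in rule.findall(f"{tag}/member")]


def audit_rule(rule, internet_zones=INTERNET_ZONES):
    """Return a list of findings for one <entry> rule element (empty if clean)."""
    findings = []
    if rule.findtext("action") != "allow":
        return findings  # only allow rules open the attack surface
    if "any" in _members(rule, "application"):
        findings.append("application is 'any': rule is still port-based")
    if _members(rule, "service") != ["application-default"]:
        findings.append("service is not application-default: non-standard ports allowed")
    if _members(rule, "source-user") == ["any"]:
        findings.append("source-user is 'any': no User-ID restriction")
    if internet_zones & set(_members(rule, "to")) and _members(rule, "category") == ["any"]:
        findings.append("internet-bound rule has URL category 'any'")
    if rule.find("profile-setting") is None:  # empty elements are falsy, so test for None
        findings.append("no Security profiles (AV, Anti-Spyware, Vulnerability, File Blocking, WildFire)")
    if rule.findtext("log-setting") is None:
        findings.append("no Log Forwarding profile")
    return findings


def audit_config(xml_text, internet_zones=INTERNET_ZONES):
    """Map every rule name in the export to its list of findings."""
    root = ET.fromstring(xml_text)
    return {
        rule.get("name"): audit_rule(rule, internet_zones)
        for rule in root.iterfind(".//rulebase/security/rules/entry")
    }


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against a real export (for example the output of `show config running` saved to a file, read in place of SAMPLE_CONFIG) and re-run after each round of tightening; a converted rule is done when its findings list is empty. Deny rules are skipped on purpose: they do not need profiles or User-ID to be safe, and flagging them only buries the rules that matter.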
Maintain the App-ID deployment. As you add rules for new
applications, including internal custom applications, create App-ID
based rules that help keep your network safe. Don’t revert to using
port-based rules that don’t give you visibility into application
traffic or allow you to inspect and control it. Learn more about App-ID in the PAN-OS Administrator’s Guide.
If you need help migrating your legacy device configuration to
Palo Alto Networks appliances, contact the Palo Alto Networks Professional Services group,
which has a wealth of migration experience you can leverage to achieve
a successful migration and a successful conversion to App-ID.