Safely Enable Applications Using a Phased Transition
Migrate to App-ID based Security policy in stages to
reduce the attack surface and improve network security.
The glaring weaknesses of port-based Security policy
are well known: you can’t see which applications use a port, so
any malicious application can gain access to your network on open
ports such as port 80 (HTTP) or port 53 (DNS). This makes it easier
for attackers to install malware, move laterally through the network,
exfiltrate data, and compromise your network because you have no
visibility into the applications on your network and no ability
to prevent the threats that their traffic conceals.
In contrast, application-based Security policy using App-ID™ provides visibility
into applications regardless of port, protocol, encryption (SSL
or SSH), or evasive tactics, so you know exactly which applications
are on your network and you can inspect their traffic for threats.
Application-specific policies enable safe access because you can
configure Security policy rules that allow only the right users to
access the right applications in the right places and you can apply
threat prevention profiles to those rules. Using App-ID to classify
applications reduces the attack surface because you allow only the
applications required to support your business on the network and
automatically block unwanted applications. Allowing what you want
and blocking everything else is much easier and safer than the endless
task of attempting to block all the individual applications you
don’t want.
Migrate to App-ID in phases:
1. Use Expedition to import a legacy rulebase, clean it up, and achieve
a like-for-like migration to a Palo Alto Networks next-generation
firewall or Panorama appliance. Expedition is distributed as a
virtual machine (VM).
2. Run the PAN-OS firewall or appliance in your production network
environment so it can learn and categorize the applications on your
network.
3. After at least one week of logging traffic, run the Best Practice
Assessment (BPA) to set a baseline, and then use Policy Optimizer to
begin safely converting port-based rules to application-based rules
and securing your network. (You can convert some simple rules that
allow well-known applications after about a week; for rules that see
many applications, such as a general outbound internet access rule,
wait at least 30 days to gather application information.) Take a
phased approach to safely convert the rules based on your business
needs and priorities.
4. (Optional) After you use Policy Optimizer to convert the rulebase
to App-ID, reimport the configuration into Expedition and use the
Rule Enrichment features to further simplify and refine the rulebase.
5. Maintain the App-ID deployment as you introduce new applications
to your network. Run the BPA after the first conversion pass through
the port-based rules and periodically thereafter to measure progress
and discover other areas to improve security.
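The triage that Policy Optimizer performs on logged traffic can be sketched in code: group traffic logs by the port-based rule that allowed them, collect the App-IDs seen, and apply the observation windows from the phases above (about a week for simple rules, at least 30 days for broad ones). This is an added illustration, not Palo Alto Networks code; the log layout, the "simple rule" cutoff of two applications and the unsanctioned-application list are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed, simplified records (timestamp,rule,app,dport). This is NOT the
# real PAN-OS traffic-log CSV layout, which carries many more fields.
SAMPLE_LOGS = """\
2024-03-01T08:00:00,allow-dns,dns,53
2024-03-02T09:10:00,allow-dns,dns,53
2024-03-09T09:10:00,allow-dns,dns,53
2024-03-01T08:05:00,outbound-web,web-browsing,80
2024-03-03T10:00:00,outbound-web,ssl,443
2024-03-05T11:00:00,outbound-web,dropbox,443
2024-03-07T12:00:00,outbound-web,bittorrent,80
2024-03-10T12:00:00,outbound-web,facebook-base,443
2024-03-01T08:00:00,allow-ssh,ssh,22
2024-03-03T08:00:00,allow-ssh,ssh,22
"""

SIMPLE_RULE_MAX_APPS = 2       # assumed cutoff between "simple" and "broad" rules
SIMPLE_WAIT_DAYS = 7           # simple rules: about a week of logs (from the page)
BROAD_WAIT_DAYS = 30           # broad rules: at least 30 days (from the page)
UNSANCTIONED = {"bittorrent"}  # constructed list of apps the business does not want


def summarize(log_text):
    """Per rule: the set of observed App-IDs and the days of observation."""
    seen = defaultdict(lambda: {"apps": set(), "times": []})
    for line in log_text.splitlines():
        ts, rule, app, _port = line.split(",")
        seen[rule]["apps"].add(app)
        seen[rule]["times"].append(datetime.fromisoformat(ts))
    return {rule: {"apps": rec["apps"],
                   "days": (max(rec["times"]) - min(rec["times"])).days}
            for rule, rec in seen.items()}


def triage(log_text):
    """Decide per rule whether enough data exists to convert it to App-ID."""
    result = {}
    for rule, rec in summarize(log_text).items():
        broad = len(rec["apps"]) > SIMPLE_RULE_MAX_APPS
        needed = BROAD_WAIT_DAYS if broad else SIMPLE_WAIT_DAYS
        result[rule] = {
            "apps": sorted(rec["apps"]),            # candidate application list
            "observed_days": rec["days"],
            "status": "convert" if rec["days"] >= needed else "wait",
            "review": sorted(rec["apps"] & UNSANCTIONED),  # drop, don't carry over
        }
    return result
```

The point of the "review" field is that a broad rule's observed application list is a starting point, not an allow list: applications the business does not want are left out of the new App-ID rule rather than carried forward.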
Policy Optimizer is available starting with PAN-OS 9.0.
If you use Panorama to manage your next-generation firewalls, you
don’t have to upgrade managed firewalls to PAN-OS 9.0 to use Policy
Optimizer. You only need to upgrade Panorama to PAN-OS 9.0, send
traffic logs from the managed firewalls to Panorama or Log Collectors
running PAN-OS 9.0, and push policy from Panorama to the firewalls.
Managed firewalls need to run PAN-OS 8.1 or later, and if they connect
to Log Collectors, the Log Collectors must run PAN-OS 9.0. This
provides a fast path for qualification so you can use Policy Optimizer
to adopt policy based on App-ID quickly.
PA-7000 Series Firewalls
support two logging cards, the PA-7000 Series Firewall Log Processing
Card (LPC) and the high-performance PA-7000 Series Firewall Log
Forwarding Card (LFC). Unlike the LPC, the LFC does not have disks
to store logs locally. Instead, the LFC forwards all logs to one
or more external logging systems, such as Panorama or a syslog server.
If you use the LFC, the application usage information for Policy
Optimizer does not display on the firewall because traffic logs
aren’t stored locally. If you use the LPC, the traffic logs are
stored locally on the firewall, so the application usage information
for Policy Optimizer displays on the firewall. In both cases, the
PA-7000 firewall can run PAN-OS 8.1 (or later) as long as the Log Collectors
and Panorama run PAN-OS 9.0 or later.