Maintain the Rulebase
Businesses and applications evolve, so your Security policy rulebase also needs to
evolve. When your sanctioned applications change, make corresponding changes to
existing policy rules that align with the application's business use case whenever
possible instead of adding new rules. Often, the change is as simple as adding a new
application to an application group or removing a deprecated application from an
application group.
On Panorama or standalone firewalls, use the
policy rule hit counter to analyze
changes to the rulebase. For example, when you add a new application, before you
allow that application’s traffic on the network, add the allow rule to the
rulebase. If traffic hits the rule and increments the counter, either traffic
that matches the rule is already on the network even though you haven’t
activated the application, or you might need to tune the rule. Follow up by
checking the and the widgets to see if traffic on non-standard ports caused the
unexpected rule hits.
The key to using the policy rule hit counter is to
reset the counter when you make a change, such as introducing a
new application or changing a rule’s meaning. Resetting the hit
counter ensures that you see the result of the change, not results
that include the change and events that happened before the change.
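One way to act on the reset-then-check workflow described above, as an added example that is not from the Palo Alto Networks documentation: the pipe-separated record format is a constructed, simplified stand-in for a hit-count export, not the firewall's real output, and the rule names and timestamps are made up.

```python
"""Triage policy rule hit counters after a rulebase change (constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class RuleHits:
    name: str
    hits: int                       # hits counted since the last reset
    last_reset: Optional[datetime]  # when the counter was last reset
    last_hit: Optional[datetime]    # most recent match, if any

# Constructed sample: a new allow rule added before the app was rolled out,
# a long-established rule, and a rule that has not matched since its reset.
SAMPLE = [
    "new-crm-allow|5|2024-05-01T09:00:00|2024-05-01T11:42:10",
    "web-browsing-allow|120394|2024-04-15T00:00:00|2024-05-02T08:00:00",
    "legacy-ftp-allow|0|2024-04-15T00:00:00|",
]

def parse(lines):
    """Parse 'name|hits|last_reset|last_hit' records (assumed format)."""
    rules = []
    for line in lines:
        name, hits, reset, last = line.split("|")
        rules.append(RuleHits(name, int(hits),
                              datetime.fromisoformat(reset) if reset else None,
                              datetime.fromisoformat(last) if last else None))
    return rules

def triage(rules, now, stale_after=timedelta(days=30)):
    """Sort rules by what the counter shows since its reset.

    hit_since_reset: matched after the change; for a not-yet-activated app
                     this means the traffic is already present or the rule
                     needs tuning (check for non-standard ports).
    stale:           no hits for longer than stale_after since reset.
    no_hits_yet:     no hits, but the reset is still recent.
    """
    report = {"hit_since_reset": [], "stale": [], "no_hits_yet": []}
    for r in rules:
        if r.last_hit and r.last_reset and r.last_hit > r.last_reset:
            report["hit_since_reset"].append(r.name)
        elif r.hits == 0 and r.last_reset and now - r.last_reset > stale_after:
            report["stale"].append(r.name)
        elif r.hits == 0:
            report["no_hits_yet"].append(r.name)
    return report

if __name__ == "__main__":
    print(triage(parse(SAMPLE), datetime(2024, 5, 20)))
```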
If you use Panorama to manage firewalls,
monitor firewall health to compare
devices to their baseline performance and to each other to identify deviations
from normal behavior.
Set Palo Alto Networks content updates to download automatically and schedule
installation on firewalls as soon as possible.
Applications and Threats content updates
occur whenever Security profile signatures need updating. The content updates sent
on the third Tuesday of each month also contain new and modified App-IDs
(application updates; in rare cases, an application update might be delayed one or
two days). Evaluate how new and modified App-IDs affect your Security policy
rulebase in a non-production environment and modify rules as needed.
If necessary, modify existing
Security policy rules to accommodate
the App-ID changes. You can
disable selected App-IDs if some
App-IDs require more testing and install the rest of the new and modified
App-IDs. Finish testing and any necessary policy revisions before the next
monthly content release with new App-IDs arrives (third Tuesday of each month)
to avoid overlap.
Prepare policy updates to account for
App-ID changes included in a content release, to add new sanctioned
applications to your allow rules, or to remove applications from them.