Maintain the Rulebase
Businesses and applications evolve, so your Security policy rulebase must evolve with
them. When your sanctioned applications change, prefer adjusting the existing policy
rules that align with the application's business use case over adding new rules.
Often the change is as simple as adding a new application to an application group or
removing a deprecated application from one.
On Panorama or on standalone firewalls, use the policy rule hit counter to analyze
changes to the rulebase. For example, when you add a new application, add its allow
rule to the rulebase before you allow that application's traffic on the network. If
traffic hits the rule and increments the counter, either traffic that matches the rule
is already on the network even though you haven't activated the application, or the
rule matches more than you intended and needs tuning. Follow up by checking the
ACC > Threat Activity > Applications Using Non Standard Ports and
ACC > Threat Activity > Rules Allowing Apps On Non Standard Ports widgets to see
whether traffic on non-standard ports caused the unexpected rule hits.
The key to using the policy rule hit counter is to
reset the counter when you make a change, such as introducing a
new application or changing a rule’s meaning. Resetting the hit
counter ensures that you see the result of the change, not results
that include the change and events that happened before the change.
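The hit-counter workflow above, as an added example that is not Palo Alto Networks code: it parses a constructed response in the shape of the `show rule-hit-count` operational command (CLI, or the XML API with `type=op`) and flags three things a practitioner checks during rulebase maintenance: staged rules that already have hits before their application was activated, rules changed after their counter was last reset (the count mixes before-and-after events), and rules that have never matched. The XML element names, the rule names and all timestamps are assumptions; verify the element names against the output of your PAN-OS version.

```python
"""Act on PAN-OS rule hit counters. Added example, not Palo Alto Networks code.
SAMPLE_XML is a constructed response in the shape of 'show rule-hit-count';
the element names are assumptions from memory of that output."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<response status="success"><result><rule-hit-count><vsys>
<entry name="vsys1"><rule-base><entry name="security"><rules>
  <entry name="allow-sanctioned-saas">
    <hit-count>2418</hit-count>
    <last-hit-timestamp>1717000000</last-hit-timestamp>
    <last-reset-timestamp>1716900000</last-reset-timestamp>
    <rule-creation-timestamp>1700000000</rule-creation-timestamp>
    <rule-modification-timestamp>1716950000</rule-modification-timestamp>
  </entry>
  <entry name="allow-new-crm-app">
    <hit-count>37</hit-count>
    <last-hit-timestamp>1717001000</last-hit-timestamp>
    <last-reset-timestamp>1716950000</last-reset-timestamp>
    <rule-creation-timestamp>1716950000</rule-creation-timestamp>
    <rule-modification-timestamp>1716950000</rule-modification-timestamp>
  </entry>
  <entry name="legacy-ftp-allow">
    <hit-count>0</hit-count>
    <last-hit-timestamp>0</last-hit-timestamp>
    <last-reset-timestamp>0</last-reset-timestamp>
    <rule-creation-timestamp>1690000000</rule-creation-timestamp>
    <rule-modification-timestamp>1690000000</rule-modification-timestamp>
  </entry>
</rules></entry></rule-base></entry></vsys></rule-hit-count></result></response>"""


def _int_field(entry, tag):
    """Read a numeric child element, treating a missing element as 0."""
    return int(entry.findtext(tag, default="0"))


def parse_rule_hits(xml_text):
    """Return one dict per rule with integer counters and epoch timestamps."""
    root = ET.fromstring(xml_text)
    rules = []
    for entry in root.iterfind(".//rules/entry"):
        rules.append({
            "name": entry.get("name"),
            "hits": _int_field(entry, "hit-count"),
            "last_hit": _int_field(entry, "last-hit-timestamp"),
            "last_reset": _int_field(entry, "last-reset-timestamp"),
            "created": _int_field(entry, "rule-creation-timestamp"),
            "modified": _int_field(entry, "rule-modification-timestamp"),
        })
    return rules


def unexpected_hits(rules, staged):
    """Rules added ahead of an application rollout that already have hits:
    the traffic is on the network already, or the rule matches too broadly."""
    return [r["name"] for r in rules if r["name"] in staged and r["hits"] > 0]


def needs_reset(rules):
    """Rules modified after their counter was last reset (or after creation,
    if never reset): the count mixes hits from before and after the change."""
    return [r["name"] for r in rules
            if r["modified"] > max(r["last_reset"], r["created"])]


def unused_rules(rules, now, min_age_days):
    """Rules that have never matched and are old enough to review for removal."""
    cutoff = now - min_age_days * 86400
    return [r["name"] for r in rules
            if r["hits"] == 0 and r["last_hit"] == 0 and r["created"] <= cutoff]


if __name__ == "__main__":
    rules = parse_rule_hits(SAMPLE_XML)
    print("staged rules already hit:", unexpected_hits(rules, {"allow-new-crm-app"}))
    print("reset the counter on:", needs_reset(rules))
    print("never matched in 90+ days:",
          unused_rules(rules, now=1717002000, min_age_days=90))
```

A rule reported by `needs_reset` is the case the paragraph warns about: clear its counter right after the change so the next reading reflects only the new behaviour. Rules reported by `unexpected_hits` are where the ACC non-standard-port widgets come in.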
If you use Panorama to manage firewalls, monitor firewall health to compare
devices to their baseline performance and to each other to identify deviations
from normal behavior.
Set Palo Alto Networks content updates to download automatically and schedule
installation on firewalls as soon as possible. Applications and Threats content updates
are released whenever Security profile signatures need updating. The content update
released on the third Tuesday of each month also contains new and modified App-IDs
(the application update; in rare cases it might be delayed by one or two days).
Evaluate how new and modified App-IDs affect your Security policy rulebase in a
non-production environment and modify rules as needed.
Follow content update best practices, install updates as soon as you can to protect
your internet gateway, and configure Log Forwarding for all content updates.
- Before installing a new content update, review new and modified App-IDs to determine whether the changes impact policy. If necessary, modify existing Security policy rules to accommodate the App-ID changes. You can disable selected App-IDs that require more testing and install the rest of the new and modified App-IDs.
- Prepare policy updates to account for App-ID changes included in a content release, to add new sanctioned applications, or to remove applications from your allow rules.
- Finish testing and any necessary policy revisions before the next monthly content release with new App-IDs arrives (third Tuesday of each month) to avoid overlap.
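The pre-install review described in the list above, as an added example that is not Palo Alto Networks code: given a rulebase, its application groups and the new App-IDs of a content release, it reports which allow rules will stop matching traffic once the release is installed, which new App-IDs can simply be added to an existing application group (the page's preferred change), and which new App-IDs to disable at install time until testing is done. The rulebase, groups and release entries are constructed and every name prefixed `example-` is hypothetical; the `previously` field mirrors the "Previously Identified As" information in Applications and Threats release notes, meaning traffic that today matches the old App-ID is identified as the new one after the install.

```python
"""Estimate the policy impact of a content release's new App-IDs before
installing it. Added example, not Palo Alto Networks code; all data below is
constructed and the 'example-' App-ID names are hypothetical."""

APP_GROUPS = {
    "sanctioned-collab": {"example-chat", "example-meet"},
    "sanctioned-crm": {"example-crm"},
}

RULES = [
    {"name": "allow-collab", "action": "allow", "apps": {"sanctioned-collab"}},
    {"name": "allow-crm", "action": "allow", "apps": {"sanctioned-crm", "ssl"}},
    {"name": "allow-web", "action": "allow", "apps": {"web-browsing", "ssl"}},
    {"name": "deny-all", "action": "deny", "apps": {"any"}},
]

# Constructed release entries: 'previously' is the App-ID the traffic matched
# before this release, as listed under "Previously Identified As".
NEW_APPIDS = [
    {"name": "example-chat-file-share", "previously": {"example-chat"}},
    {"name": "example-crm-sync", "previously": {"ssl", "web-browsing"}},
]


def expand_apps(apps, groups):
    """Replace application-group names with their member App-IDs."""
    members = set()
    for app in apps:
        members |= groups.get(app, {app})
    return members


def impacted_rules(rules, new_appids, groups):
    """Map rule name -> new App-IDs whose old identity the rule matches but
    whose new name it does not; such rules lose that traffic after install.
    Rules with application 'any' keep matching and are skipped."""
    report = {}
    for rule in rules:
        if "any" in rule["apps"]:
            continue
        matched = expand_apps(rule["apps"], groups)
        for app in new_appids:
            if app["previously"] & matched and app["name"] not in matched:
                report.setdefault(rule["name"], []).append(app["name"])
    return report


def suggest_group_additions(new_appids, groups):
    """Prefer editing an application group over adding a rule: a new App-ID
    whose old identity is a member of a sanctioned group belongs in that group."""
    suggestions = {}
    for app in new_appids:
        for group, members in groups.items():
            if members & app["previously"]:
                suggestions.setdefault(group, []).append(app["name"])
    return suggestions


def appids_to_disable(report, suggestions):
    """New App-IDs that affect rules but have no obvious group to join: disable
    them when installing the release and enable them after testing."""
    resolved = {name for names in suggestions.values() for name in names}
    affected = {name for names in report.values() for name in names}
    return sorted(affected - resolved)


if __name__ == "__main__":
    report = impacted_rules(RULES, NEW_APPIDS, APP_GROUPS)
    suggestions = suggest_group_additions(NEW_APPIDS, APP_GROUPS)
    print("rules that lose traffic after install:", report)
    print("add to application groups:", suggestions)
    print("disable at install, pending review:", appids_to_disable(report, suggestions))
```

Here `example-crm-sync` was previously identified as `ssl` and `web-browsing`, so the generic web rule and the CRM rule both lose it; whether it is sanctioned is a business decision, which is why it is held back rather than auto-added anywhere. Use the firewall's own review of new and modified App-IDs for a downloaded release as the authoritative list, and run this kind of check in the non-production environment before the next monthly release arrives.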