Maintain the Rulebase
Businesses and applications evolve, so your Security policy rulebase also needs to
evolve. When your sanctioned applications change, make corresponding changes to
existing policy rules that align with the application's business use case whenever
possible instead of adding new rules. Often, the change is as simple as adding a new
application to an application group or removing a deprecated application from an
application group.
On Panorama or standalone firewalls, use the policy rule hit counter to analyze
changes to the rulebase. For example, when you add a new application, before you
allow that application’s traffic on the network, add the allow rule to the
rulebase. If traffic hits the rule and increments the counter, either traffic
that matches the rule is already on the network even though you haven’t
activated the application, or you might need to tune the rule. Follow up by
checking the ACC > Threat Activity > Applications Using Non Standard Ports widget
and the ACC > Threat Activity > Rules Allowing Apps On Non Standard Ports widget
to see if traffic on non-standard ports caused the unexpected rule hits.
The key to using the policy rule hit counter is to
reset the counter when you make a change, such as introducing a
new application or changing a rule’s meaning. Resetting the hit
counter ensures that you see the result of the change, not results
that include the change and events that happened before the change.
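The triage the two paragraphs above describe, as an added example (not Palo Alto Networks' code): given a hit-count snapshot taken after resetting the counters on changed rules, plus the sessions that matched each rule, it separates rules that need tuning (hits from non-standard ports) from applications whose traffic is already on the network. The App-ID default ports, rule names and flows are constructed for the example and are not the PAN-OS export format.

```python
from dataclasses import dataclass

# Constructed default ports per App-ID; not real PAN-OS App-ID metadata.
APP_DEFAULT_PORTS = {"crm-app": {"tcp/443"}, "ldap": {"tcp/389", "tcp/636"}}

@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset          # App-IDs the rule allows
    hits_since_reset: int    # hit counter value after the last reset

# A matched session is a tuple: (rule name, identified App-ID, destination port).
def non_standard_flows(rule_name, flows):
    """(app, port) pairs matched by the rule on a port that is not a default port."""
    return sorted({(app, port) for rule, app, port in flows
                   if rule == rule_name
                   and port not in APP_DEFAULT_PORTS.get(app, set())})

def triage(rules, flows, not_yet_activated):
    """Explain hits on allow rules whose applications are not activated yet."""
    findings = {}
    for rule in rules:
        if rule.hits_since_reset == 0 or not (rule.apps & not_yet_activated):
            continue
        nonstd = non_standard_flows(rule.name, flows)
        findings[rule.name] = {
            "hits": rule.hits_since_reset,
            "non_standard": nonstd,
            # Non-standard ports mean the rule needs tuning; otherwise the app's
            # traffic is already on the network ahead of activation.
            "verdict": "tune rule" if nonstd else "traffic already on network",
        }
    return findings

# Constructed snapshot taken after resetting counters on the changed rules.
RULES = [
    Rule("allow-crm", frozenset({"crm-app"}), 3),
    Rule("allow-ldap", frozenset({"ldap"}), 0),
    Rule("allow-web", frozenset({"web-browsing"}), 418),
]
FLOWS = [
    ("allow-crm", "crm-app", "tcp/443"),
    ("allow-crm", "crm-app", "tcp/8443"),
    ("allow-web", "web-browsing", "tcp/80"),
]
NOT_YET_ACTIVATED = frozenset({"crm-app", "ldap"})
```

Running `triage(RULES, FLOWS, NOT_YET_ACTIVATED)` reports only allow-crm: allow-ldap has no hits since its reset, and allow-web allows an application that is already activated.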
If you use Panorama to manage firewalls, monitor firewall health to compare
devices to their baseline performance and to each other to identify deviations
from normal behavior.
Set Palo Alto Networks content updates to download automatically and schedule
installation on firewalls as soon as possible. Applications and Threats content updates
occur whenever Security profile signatures need updating. The content updates sent
on the third Tuesday of each month also contain new and modified App-IDs
(application updates; in rare cases, an application update might be delayed one or
two days). Evaluate how new and modified App-IDs affect your Security policy
rulebase in a non-production environment and modify rules as needed.
Follow content update best practices, install
updates as soon as you can to protect your internet gateway, and configure Log Forwarding for all content updates.
- Before installing a new content update, review new and modified App-IDs to determine if the changes impact policy.
- If necessary, modify existing Security policy rules to accommodate the App-ID changes. You can disable selected App-IDs if some App-IDs require more testing and install the rest of the new and modified App-IDs. Finish testing and any necessary policy revisions before the next monthly content release with new App-IDs arrives (third Tuesday of each month) to avoid overlap.
- Prepare policy updates to account for App-ID changes included in a content release, to add new sanctioned applications, or to remove applications from your allow rules.