Policy Recommendation Best Practices
Create Security policy rule recommendations to secure IoT devices and unsanctioned SaaS applications in PAN-OS and Prisma Access.
- PAN-OS firewalls and Panorama (SaaS and IoT Policy Recommendation).
- Panorama Managed Prisma Access (SaaS and IoT Policy Recommendation).
- Cloud Managed Prisma Access (SaaS Policy Recommendation only).
Cloud-based services such as IoT and SaaS policy recommendation cannot be used in air-gapped environments because they require a cloud connection.
In air-gapped environments, for IoT Security, consider using Panorama as the management engine that interacts with the cloud service and receives policy recommendations, and then push the recommendations to the managed firewalls that don't have cloud connectivity. This solution applies only to the policy recommendations themselves. Functions such as device-to-IP mapping still require cloud connectivity for the managed devices.
SaaS Policy Recommendation controls unsanctioned SaaS applications in PAN-OS and Prisma Access. IoT Policy Recommendation controls unmanaged network devices in PAN-OS and Panorama Managed Prisma Access. Their workflows have many similarities.
- SaaS Policy Recommendation:
  - PAN-OS 10.1 or later for PAN-OS and Panorama Managed Prisma Access.
- IoT Policy Recommendation:
Panorama can push SaaS and IoT policy recommendations only to firewalls that have the appropriate licenses, so the licenses must be installed on every firewall that uses IoT or SaaS policy recommendations. If the managed devices don't have the appropriate licenses, the push fails.
In addition to licenses, to function properly and in line with best practices, both IoT and SaaS policy recommendation require:
- A valid device certificate on each appliance that uses SaaS or IoT policy recommendation.
- A connection to Cortex Data Lake (CDL) for visibility into the traffic.
- Log Forwarding to CDL configured in each Security policy rule recommendation. For SaaS Security, forward Traffic logs, URL Filtering logs, and Threat logs at a minimum.
Policy Recommendation Concepts
SaaS and IoT policy recommendation have many similarities in their workflows and goals. The workflows and thought process for policy recommendation in PAN-OS and Prisma Access also have many similarities. Review Security Policy Rule Best Practices to better understand best practices for the components of rules.
Cloud Managed Prisma Access does not support IoT Policy Recommendation.
SaaS Security and IoT Security administrators submit policy recommendations to PAN-OS and Prisma Access. PAN-OS administrators import SaaS policy recommendations and IoT policy recommendations into PAN-OS and Panorama Managed Prisma Access. Cloud Managed Prisma Access administrators import SaaS policy recommendations in the cloud platform. Different administrators often must cooperate to recommend and implement policy rules, so good communication between administrators is critical.
General best practices for IoT Policy Recommendation include:
- Allow enough time for IoT Security to collect enough data about devices to identify them with high confidence.
General best practices for SaaS Policy Recommendation include:
- Know the applications and application types that should and should not be on your network. Create a formal list of sanctioned, tolerated, and unsanctioned applications and application types, and tag applications appropriately as you gain visibility into them. View usage data for unsanctioned applications and use filters to see who uses applications and how they are used. Use the Visibility tools to view discovered applications and then tag the discovered applications.
- Understand the data you want to look for in files so you can create appropriate DLP profiles for policy rule recommendations.
- Most SaaS policy rule recommendations are for blocking traffic. Applying the principle of least privilege access to SaaS applications is more complex than applying it only to content-delivered applications because there are tens of thousands of SaaS applications to control. If SaaS policy recommendations are too strict, they may impact business applications. Be sure that you understand applications and application types that you intend to block before you block them. Use filters to focus on high-risk categories such as file transfer and CMS applications and to check which applications have the highest usage. Focus on those categories and subcategories first.
- For Cloud Managed Prisma Access, if your organization's administrative policy permits it, add the SaaS Security app to the cloud management console. Use the cloud management console to manage SaaS policy recommendations (and SaaS Security and other cloud apps) instead of using standalone apps to gain the following benefits:
- Manage all cloud security elements from a single interface instead of from different app interfaces.
- One administrator can perform all SaaS policy recommendation actions, including adding the rule to the Prisma Access rulebase. If you manage with the standalone app, you can create the policy recommendation but must switch to another app or hand off to another administrator to add the rule to Prisma Access.
Policy Recommendation Workflow
This workflow is valid for IoT Security and for both the SaaS Security app (PAN-OS, Panorama Managed Prisma Access) and the cloud management console (Cloud Managed Prisma Access). Each step indicates which administrators are involved. It's helpful for each administrator to understand the responsibilities of other administrators who are involved in policy recommendations.
- (All Administrators) Create open lines of communication between administrators who administer different parts of policy recommendation. Policy recommendation often requires different administrators to work together to recommend, import, and integrate new SaaS Security and IoT Security policy rules into the PAN-OS or Prisma Access rulebase. Devise a process that ensures good communication when an IoT Security or SaaS Security administrator hands off a policy recommendation to a Panorama, firewall, or Prisma Access administrator. The handoff occurs after an IoT Security or SaaS Security administrator creates a new rule, modifies an existing rule, or deletes a rule and enables (submits in SaaS Security) or activates (IoT Security) the rule. The administration workflow is:
Communication among administrators is crucial so that all parties understand the purpose of recommended rules, the purpose of rule updates, and why a rule is deleted. Communication among administrators helps ensure that SaaS and IoT policy recommendations don't sit in PAN-OS or Prisma Access waiting for an administrator to notice their presence and import them into the rulebase.
- SaaS Security Administrators create new rule recommendations, add applications, users/user groups, and DLP profiles, and set the action. They review rule recommendations and then submit them to PAN-OS, Panorama Managed Prisma Access, or Cloud Managed Prisma Access. Review the guidelines for SaaS Security administrator collaboration and authoring. IoT Security Administrators evaluate automatically generated rule recommendations, modify them as needed, create policy sets (groups of rule recommendations based on traffic from IoT devices in the same device profile), and submit them to PAN-OS and Panorama Managed Prisma Access.
- PAN-OS and Prisma Access Administrators import SaaS and IoT policy recommendations. They evaluate rule recommendations, import them, and add Security profile groups and other objects to the rules. They also order the rules in the Security policy rulebase. When Panorama pushes policy recommendations to firewalls and Prisma Access, the firewall and Prisma administrators import the recommended rules. Administrators must communicate to add the appropriate objects to the recommended rules and understand the purpose of those rules. For Cloud Managed Prisma Access, the same administrator may handle both SaaS policy recommendations and Prisma Access duties, especially if the administrator manages both apps on the cloud management console.
- SaaS and IoT Security Administrators update or delete a rule recommendation and then submit the change to PAN-OS or Prisma Access. PAN-OS and Prisma Access Administrators see the rule update or deletion and either import the updated rule or delete the rule from PAN-OS or Prisma Access.
- (SaaS Security and IoT Security Administrator) SaaS Security administrators need to assess the risks of unsanctioned SaaS applications and IoT Security administrators need to understand device profiles, which describe types of unmanaged devices on the network and their behavior. IoT Security automatically learns about unmanaged devices on the network and creates a device profile for each set of similar devices. The profile describes the devices' characteristics. Be familiar with SaaS applications and IoT devices on your network:
- SaaS—Wait for at least seven business days of data before you analyze an application for policy recommendation. Gather enough data to understand the application and its business usage. IoT—Monitor the list of device profiles to see which ones are eligible for policy recommendation. You can create a policy recommendation when the confidence rating for a device profile reaches 90%, which indicates high confidence about device behavior. Some devices produce less traffic and can take time to achieve a high confidence rating. Allow time for IoT Security to collect sufficient data to achieve a 90% confidence rating.
- SaaS—Understand how and why users use specific SaaS applications and if there are business reasons to allow those applications. IoT—Understand whether the discovered devices belong on your network. If your business is banking, then seeing a medical device on your network may indicate an issue.
- SaaS—Assess the Security and Privacy, Identity Access Management, and Compliance attributes of SaaS applications based on risk tolerance. IoT—In medical environments, assess the compliance risk of medical IoT devices.
- (SaaS Security Administrator) Configure predefined SaaS policy recommendations. (IoT Security administrators skip to Step 5.)
- Select a predefined rule (Discovered Apps > Policy Recommendations in the cloud management console, or Visibility > Security Rules in the SaaS Security console).
- Select and add applications to the rule. If the rule doesn't apply to all users, add users and user groups. Be sure that you understand applications and application types that you intend to block before you block them, and understand who needs to use certain applications for business purposes. Focus on risky application types first, such as file sharing, content management, and collaboration and productivity applications. Reduce uploads to file sharing sites so that only users who need to upload for business purposes have access to only the file sharing applications used for business purposes.
- Verify that the rule does what you want it to do in the way you want to do it.
- Save the default rule.
- Enable the rule to submit it to PAN-OS or Prisma Access. You must enable rules for PAN-OS or Prisma Access administrators to import them. Communicate about enabled rule(s) with the administrator who is responsible for checking, evaluating, and importing SaaS policy recommendations.
- (SaaS Security Administrator) Configure user-defined SaaS policy recommendations. (IoT Security administrators skip to Step 5.)
Use the filters in the Discovered Applications view to find applications and their usage metrics and to help you understand whether to block or allow an application. Focus on the riskiest application categories, such as file transfer, content management, and collaboration and productivity applications. High Risk applications that also have high Usage tend to have the highest risk potential. Select applications to see who uses the application and how they use it.
When you configure policy recommendations and submit them, PAN-OS and Prisma Access create any attached HIP profiles, tags, and application groups automatically. If you have an Enterprise DLP license on the target firewalls, the DLP profile is also created (otherwise, the submission fails). The submission fails if the SaaS Security administrator adds any other types of profiles to a rule recommendation and those profiles do not already exist on the firewall. If the attached profile objects exist on the firewall, the submission succeeds. (The PAN-OS or Prisma Access administrator can add profiles to imported rule recommendations. In Cloud Managed Prisma Access, you can only add profile groups, not individual profiles.) The appropriate licenses for profiles need to be on all firewalls that import SaaS policy recommendations.
User groups from CIE are consistent across your organization. If you don't use CIE or if you can't sync from CIE, Users & Groups configuration is not available in SaaS Security and you can't base SaaS policy recommendations on users. The best practice is to use CIE and create application policy based on who needs to access applications for business purposes.
To enforce SaaS Security and Enterprise DLP, you must enable Web Security in the cloud management console. (This is a free feature.)
To configure best practices SaaS policy recommendations:
- Create new SaaS Security policy recommendations:
- SaaS Security console: Visibility > Security Rules > Create New Rule
- Cloud management console: Discovered Apps > Policy Recommendations > Add Policy
- Add applications to the rule. Use the category, risk, and capabilities filters to find SaaS applications. Add applications to the rule directly from the filter results. Focus on the riskiest, highest usage applications first.
- Select the User Activity to detect. All the applications selected for the rule must support the selected user activities. If an application doesn't support an activity, the interface returns an error.
- Configure the rest of the rule's parameters:
- Users & Groups—You must use and sync from CIE to specify users and groups in SaaS policy recommendation.
- Device Posture—Specify which types of devices can access the rule's applications. When a rule is imported in PAN-OS or Prisma Access, the device posture automatically creates a Host Information Profile (HIP) object for mobile devices.
- Data Profile—You must have an Enterprise DLP license in SaaS Security and on targeted firewalls to use this feature. With an Enterprise DLP subscription, you can create rules for a specific DLP profile and block applications only if they contain data that matches the profile.
- Response—Allow or Block the traffic that matches the rule. Most recommendations are block rules to prevent over-provisioning access.
- Verify that the rule does what you want it to do in the way you want to do it.
- Save the rule.
- Enable the rule to submit it to PAN-OS or Prisma Access. You must enable rules for PAN-OS or Prisma Access administrators to import them. Communicate about enabled rule(s) with the PAN-OS or Prisma Access administrator who is responsible for checking, evaluating, and importing SaaS policy recommendations.
- (IoT Security Administrator) Configure IoT policy recommendations (PAN-OS and Panorama Managed Prisma Access only) in the IoT Security app.
IoT Security automatically generates IoT policy recommendations based on the behavior of devices that belong to a device profile when IoT Security reaches a confidence score (the level of confidence IoT Security has in its identification of a device) of 90% or higher for the profile. The confidence score rises over time as IoT Security gathers more information about the devices. You can edit automatically generated rules before you submit them to Panorama, firewalls, or Prisma Access.
IoT Security doesn't provide policy recommendations for IT devices such as PCs, smart phones, or tablets, but IoT Security does identify those devices.
Use the automatic policy recommendations to create policy rule sets based on the behavior of IoT devices in the same device profile across multiple IoT Security tenants. A policy rule set includes the policy rule recommendations you select to control the devices in a device profile.
- Create new IoT Security policy recommendations in either of two ways:
- Navigate to the Profiles page, hover the cursor over a profile name, and click Create Policy Set in the pop-up.
- Select Profiles > <profile-name> > Behaviors > Outbound Behaviors, select Create Policy, and then click Next.
- Select Policies shows the automatically generated policy recommendations for the selected device profile, including the applications the devices use.
- Make sure the applications you see in the list are appropriate for the devices. For example, you shouldn't see the iTunes application when you're looking at printers or cameras. If you see unexpected applications in the list, the device may be compromised. Know your devices and device profiles so that you can craft appropriate recommendations to govern them.
- Check Alerts Raised. Investigate applications with a high number of alerts before you add them to the policy set, especially if the alerts are high or critical severity.
- Select the policies you want to apply to the devices. These policies are included in the policy set for the device profile. If you don't see an application that you want to include in the policy set, Add Rule to manually select an application and a destination type and Create the rule.
- By default, the rule applies to all (Any) destinations detected in traffic for the device profile. If you want to restrict the destinations for an application, click Any under Destination, toggle Allow any destination off, and uncheck destinations you don't want to allow in the list.
- When you are satisfied the policy set contains the rules you want, select Next.
- In Firewall Configuration > Policy configurations, modify automatically generated recommendations as needed. Policy configurations shows the selected applications.
- Leave Services as application-default to prevent applications from using non-standard ports, which is an indication of evasive, potentially malicious behavior.
- Add Security profiles and Security profile groups, log forwarding profiles, and other objects in Panorama or on firewalls, not in the IoT Security app.
- Review the policy set. When you're sure it's configured as you want it, Create the policy set, which also saves it.
- Activate Policy Set to make the policy rule recommendation available for import on Panorama and individual firewalls. Communicate about enabled rule(s) with the PAN-OS or Prisma Access administrator who is responsible for checking, evaluating, and importing IoT policy recommendations.
- (Panorama and firewall Administrators) (Cloud Managed Prisma Access administrator for SaaS Security only) Evaluate, import, and if necessary, modify policy rule recommendations. Because the cloud management console enables management of all cloud apps in one place, the Cloud Managed Prisma Access administrator may be the same administrator who created the SaaS Security policy recommendations. Before you import rules:
- Create Security profile groups on Panorama, firewalls, and/or the cloud management console that are ready for you to apply to imported SaaS Security and IoT Security policy recommendations. At the least, create profile groups that alert on most traffic and block known malicious traffic to maintain availability. As you understand policy recommendations better over time, follow Security profile best practices to make the profile groups as strict as possible without endangering the ability to access critical business applications and devices. For SaaS profile groups, know the types of applications and understand who uses the applications to determine which profiles to use and how strict they should be at the start. For IoT profile groups, know your devices and device profiles so that you can craft appropriate Security profile groups to govern them. Understand what the application in the rule means so you can apply the appropriate Security profiles to the group. When you create Security profile groups, consult with the IoT Security and/or SaaS Security administrator to ensure that the Security profile groups make sense for IoT and SaaS policy recommendations.
- In IoT Security deployments, enable Device-ID in each zone in which you want to control IoT devices. Device-ID is to IoT devices what User-ID is to users and App-ID is to applications—a unique identifier. In zones without Device-ID enabled, you can't enforce Security policy on IoT devices.
- If you use ACE App-IDs in any Security policy rule, even if the rule applies only to one user or user group, the firewall enforces the ACE App-ID for all users. (Once you use the ACE App-ID in policy, the firewall enforces the App-ID the same way it enforces content-provided App-IDs.)
For detailed configuration procedures, refer to the appropriate Administrator's Guide:
To import SaaS and IoT policy recommendations:
- Periodically check for imported rules. Refresh the IoT or SaaS policy recommendation page to ensure that you see the latest policy recommendations:
- Panorama: Panorama > Policy Recommendation > SaaS or Panorama > Policy Recommendation > IoT.
- Firewalls: Device > Policy Recommendation > SaaS or Device > Policy Recommendation > IoT.
- Cloud Managed Prisma Access (SaaS Policy Recommendation only): Select Manage > Web Security > Web Access Policy > Policy Recommendation, and then select the Policy Recommendations tab to see New SaaS Rule Recommendations.
- Select and evaluate new rules. Ensure all of the objects, addresses, etc., in the imported rule make sense. If you're not sure about something in the recommendation, talk with the IoT Security or SaaS Security administrator to ensure that you understand the purpose of the rule and its components. For SaaS policy rule recommendations, ensure that user access to the applications isn't too broad.
- The rule import process enables you to modify the rule as well as position it in the Security policy rulebase. Select a rule or rules to import, then:
- Panorama and PAN-OS firewalls: Import Policy Rule. You can import up to ten IoT policy rules at a time.
- Cloud Managed Prisma Access (SaaS Policy Recommendation only): Actions > Import.
Do not finish the rule import until you complete the following steps to add Security and Log Forwarding profiles, assess the rule, and select its order in the Security policy rulebase. When you import a rule, PAN-OS and Prisma Access automatically create some of the rule's objects in the policy rule:
- Importing IoT policy recommendations automatically creates the Device object, including device-to-IP mappings, based on the IoT device profile. After Panorama imports the Device object and pushes it to managed firewalls, the firewalls pull down the device-to-IP mapping directly from the cloud. Panorama is not involved in refreshing the device-to-IP mapping.
- Importing SaaS policy recommendations automatically creates any required HIP profiles, tags, and application groups. For Enterprise DLP profiles, the target devices must have an Enterprise DLP license. Any other profiles can only be imported if they already exist on the target device.
- Add a Security profile group to each rule. Using profile groups instead of individual profiles is faster, easier, and prevents accidentally omitting a profile from a rule. It also enables you to start with a profile group that mostly alerts and easily replace it with a stricter profile group as you gain experience with SaaS applications and IoT devices. Applying profiles to SaaS application and IoT device rules differs:
- SaaS Security policy rule recommendations:
- Cloud Managed Prisma Access—You can apply Security profile groups to policy recommendations, but not individual Security profiles. Add Security profiles to a profile group and apply the group to a rule.
- IoT Security policy rule recommendations—To prevent malicious behavior, make sure Security profiles are appropriate for the device. Work with the IoT Security administrator to understand the behavior and alerts for different devices shown in the device profiles. Apply profiles to IoT policy recommendations based on behavior and alerts. Look for common weaknesses in IoT devices, such as weak manufacturer credentials, connections to risky URLs, out of date antivirus, allowing access to rogue devices, insecure protocols, and EOL operating systems, as well as devices that are unpatched or that can't be patched.
- Apply Vulnerability Protection profiles and Anti-Spyware profiles (to prevent command-and-control malware) to all devices.
- If a device has outbound traffic to the internet, especially to unknown destinations, apply Advanced URL Filtering and Advanced Threat Prevention. If the device can send files, add Advanced WildFire and File Blocking profiles.
- If the device has server ports and accepts incoming connections, apply DoS Protection in addition to File Blocking, Advanced WildFire, and Advanced Threat Prevention profiles.
- Add a Log Forwarding profile to each rule.
- For IoT policy recommendations, add the IoT Security Default Profile - EAL Enabled predefined Log Forwarding profile, which provides all the log types IoT Security requires, including enhanced application logs.
- SaaS policy recommendation requires ACE to identify SaaS applications. ACE requires Log Forwarding to CDL, so Security policy rules based on SaaS applications also require Log Forwarding to CDL. After you import rules, you can apply Log Forwarding profiles to multiple rules at one time using Log Forwarding for Security Services in Policy Optimizer to identify Security policy rules that don't have a Log Forwarding profile attached (select None in the filter).
- In Panorama and Cloud Managed Prisma Access, select whether the rule is a pre-rule or a post-rule. (Does not apply to standalone firewalls.) The precedence order for evaluating rules is pre-rules, then deployment-specific rules, then post-rules. Cloud Managed Prisma Access pre- and post-rules reside in the shared configuration folder. Panorama pre-rules and post-rules reside in Policies > Security. In Panorama, you can specify device groups for the rule.
- Select the rule that you want the imported rule to go after in the Security policy rulebase. Follow rulebase best practices. Do not choose No Rule Selection, which places the rule at the top of the Security policy rulebase. The top of the rulebase is often the wrong place for a new rule. For example, a new allow rule won't be subject to critical rules that block known malicious traffic. A new block rule may block access for legitimate users if it isn't placed after an allow rule for the application's legitimate users. Order each rule appropriately in the rulebase.
- Check the rule and if you're satisfied with it, import it.
- Cloud Managed Prisma Access—Import.
- Panorama and standalone firewalls—OK. After importing rules, Panorama administrators must push the rules to managed firewalls and firewall administrators must import them before they become active on the firewall. Refresh Device > Policy Recommendation > IoT or Device > Policy Recommendation > SaaS to see the newest recommendations. Firewall administrators may need to modify rules after importing them. Firewall administrators should check with Panorama, SaaS Security, or IoT Security administrators if they're not sure about the purpose of the rule. Check the Security policy rulebase to ensure that the rule is in the proper order.
- (IoT Security only) After importing the rule, view the Device Object to check the attribute filters for the device. Use IoT device attributes in Security policy to better identify devices. Importing an IoT policy rule automatically imports the attributes associated with the device and creates its Device-ID. Device-ID is to IoT devices what User-ID is to people. Although there are six device attributes, firewalls often receive only one attribute from a device. If the Device Object (Objects > Devices) specifies attributes that the device doesn't send to the firewall, then the traffic doesn't match the device and the rule doesn't control the device, so specify only attributes that devices send to the firewall. Click the Device-ID in the rule to pop up its associated Device Object. Run the CLI command show iot ip-device-mapping-mp all or show iot ip-device-mapping-mp ip <IP-address> to validate that the firewall receives the attributes imported with the rule. If the firewall doesn't receive an attribute that's configured in the Device Object, remove the attribute from the Device Object.
- SaaS Security:
- PAN-OS and Panorama Managed Prisma Access—Import SaaS Policy Recommendations (For standalone firewalls; on Panorama, you also specify whether the imported rule is a pre- or post-rule and push the rule to firewalls after importing it in Panorama.)
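The import steps above amount to a checklist for each imported rule: a Security profile group attached, a Log Forwarding profile attached (the IoT Security Default Profile - EAL Enabled profile for IoT rules), Services left at application-default, no rule dropped at the top of the rulebase via No Rule Selection, and no block rule sitting ahead of the allow rule for the same application's legitimate users. The Python script below is an added example, not Palo Alto Networks code; it runs those checks over a simplified, constructed rule model (the `Rule` fields and the `origin` tag are assumptions, not PAN-OS configuration fields, and the sample application names are made up). A practitioner could feed it rules exported from their own rulebase once mapped into the same shape.

```python
"""Best-practice lint for imported SaaS/IoT policy recommendations.

Added example; the rule model below is a simplified, constructed stand-in
for a Security policy rulebase, not the PAN-OS configuration schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Predefined Log Forwarding profile name that IoT rules are expected to use.
IOT_LOG_PROFILE = "IoT Security Default Profile - EAL Enabled"


@dataclass
class Rule:
    name: str
    origin: str                      # "saas", "iot" or "other" (assumed tag, not a PAN-OS field)
    action: str                      # "allow" or "deny"
    applications: List[str]
    users: List[str] = field(default_factory=lambda: ["any"])
    service: str = "application-default"
    profile_group: Optional[str] = None   # Security profile group name, if attached
    log_forwarding: Optional[str] = None  # Log Forwarding profile name, if attached


def lint_rulebase(rulebase: List[Rule]) -> Dict[str, List[str]]:
    """Return {rule name: [findings]} for the imported SaaS and IoT rules.

    Rules tagged "other" (existing, hand-written rules) are used only as
    ordering context and are not linted themselves.
    """
    findings: Dict[str, List[str]] = {}
    for pos, rule in enumerate(rulebase):
        if rule.origin not in ("saas", "iot"):
            continue
        notes: List[str] = []
        if not rule.profile_group:
            notes.append("no Security profile group attached")
        if not rule.log_forwarding:
            notes.append("no Log Forwarding profile; forwarding to CDL is required")
        elif rule.origin == "iot" and rule.log_forwarding != IOT_LOG_PROFILE:
            notes.append(f"IoT rule should use the '{IOT_LOG_PROFILE}' profile")
        if rule.origin == "iot" and rule.service != "application-default":
            notes.append("Services should stay application-default")
        if pos == 0:
            notes.append("rule sits at the top of the rulebase (No Rule Selection)")
        if rule.action == "deny":
            # A block rule placed before the allow rule for the same application
            # cuts off the users that allow rule was meant to serve.
            for later in rulebase[pos + 1:]:
                if later.action == "allow" and set(later.applications) & set(rule.applications):
                    notes.append(f"block rule precedes allow rule '{later.name}' for the same application")
                    break
        if notes:
            findings[rule.name] = notes
    return findings


# Constructed sample rulebase: one existing block rule, two imported SaaS
# rules in the wrong order, and an imported IoT rule missing its objects.
SAMPLE_RULEBASE = [
    Rule("block-known-malicious", "other", "deny", ["any"],
         profile_group="strict-group", log_forwarding="cdl-forwarding"),
    Rule("saas-block-example-file-share", "saas", "deny", ["example-file-share"],
         profile_group="alert-mostly-group", log_forwarding="cdl-forwarding"),
    Rule("saas-allow-finance-file-share", "saas", "allow", ["example-file-share"],
         users=["finance-group"], profile_group="alert-mostly-group",
         log_forwarding="cdl-forwarding"),
    Rule("iot-printers-outbound", "iot", "allow", ["example-print-app", "snmp"],
         service="any", log_forwarding="cdl-forwarding"),
]


if __name__ == "__main__":
    for name, notes in lint_rulebase(SAMPLE_RULEBASE).items():
        print(name)
        for note in notes:
            print(f"  - {note}")
```

On the sample data the SaaS block rule is flagged for sitting ahead of the finance allow rule, and the IoT rule is flagged three times (no profile group, wrong Log Forwarding profile, Services not application-default); the existing block rule at the top is left alone because it is not an imported recommendation.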
- (All Administrators) Update and delete policy recommendations as needed to keep the Security policy rulebase up to date. Importing policy recommendations is an ongoing process. Administrators recommend new rules, modify rules, and delete old rules. The IoT device population grows and device postures change over time. The number of SaaS applications increases and the applications your enterprise tags as sanctioned, tolerated, and unsanctioned change over time. Create checklists of daily, weekly, and monthly items to monitor and maintain visibility into IoT devices and SaaS applications.
Procedures to import updated policy recommendations:
Procedures to remove deleted policy recommendations:
- SaaS Security:
- Cloud Managed Prisma Access—Update Imported SaaS Policy Rule Recommendations on Cloud Managed Prisma Access. If the same administrator is both the SaaS policy recommendation and Prisma Access administrator, you can enable automatic updates to automatically apply rule recommendation changes.
- SaaS Security: