Optimize overly permissive security rules so that they only allow applications that are actually in use in your network.

Where Can I Use This?
- NGFW (Cloud Managed)
- NGFW (PAN-OS & Panorama Managed)
- Prisma Access (Cloud Managed)
- Prisma Access (Panorama Managed)

What Do I Need?
- AIOps for NGFW Premium license
- Prisma Access license

Try out Policy Optimizer while it’s available for early access. If you’re interested in continuing to use this feature beyond the early access period, check in with your account team.
Rules that are too broad introduce security gaps because they allow applications that aren’t in use in your network. Policy Optimizer enables you to convert these overly permissive rules to more specific, focused rules that only allow the applications you’re actually using.

Only rules created more than 90 days in the past are considered for policy optimization.
How It Works

Strata Cloud Manager analyzes log data and categorizes rules as overly permissive when they allow any application traffic and are at least 90 days old. These rules can introduce security loopholes if they’re allowing traffic that’s not necessary for enterprise use.

For rules identified as overly permissive, Strata Cloud Manager auto-generates recommendations you can accept to optimize the rule. The new, recommended rules are more specific and targeted than the original rule; they explicitly allow only the applications that have been detected in your network in the last 90 days.

Select an overly permissive rule to review, adjust, and accept optimization recommendations. Replacing these rules with the more specific, recommended rules strengthens your security posture.

Accepting recommendations to optimize a rule does not remove the original rule. The original rule remains listed below the new rules in your security policy; this is so you can monitor the rule and remove it when you’re confident that it’s not needed.

Both the original rule and the optimized rules are tagged so you can easily identify them in your security policy.
Optimize a Rule

1. Visit Config Cleanup to see if there are rules you can optimize.

2. Go to Manage > Security Posture > Policy Optimizer.

3. Review overly permissive rules, and choose a rule to see the optimization recommendations.
If there are multiple overly permissive rules, focus on optimizing the rules that are impacting the most traffic; this’ll give you the most significant gains towards strengthening your security posture.

4. Review the recommended, optimized rules.
You can see how much of the original rule’s traffic each new rule will cover. Note the specific applications that each new rule enforces.

5. Accept some or all of the rule recommendations.
Accepting the new, optimized rules adds the rules to your rulebase. They won’t be active just yet; that’ll happen in the next step when you Push Config to Prisma Access.
Accept All accepts the recommended rules as they are. You can also make changes before accepting the optimized rules:
- Remove a rule from optimization. Add this rule to a list of rules that you want to exclude from optimization (this time and moving forward).
- Disable an optimized rule. This means you’re not accepting this rule, and it will not be added to the rulebase.
- Revert any changes you’ve made. This undoes any edits you’ve made and reverts the rules back to the recommendations.
- Merge rules. You might decide to do this if you find any of the recommended rules to be similar.

6. After you accept the optimized rules, you’ll be prompted to Update Rulebase. When you agree, the optimized rules are added to your security policy. However, they’re not yet enforcing traffic.

7. Push Config to send the configuration updates to Prisma Access and start enforcing the optimized rules.

8. Monitor the original rule until you’re confident that you don’t need it.
The original, overly permissive rule remains in your security policy; it’s listed below the optimized rules in your rulebase and is tagged so you can easily identify it. The tag name appends _original to the rule name (for example, security-rule-name_original).
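The following is an added example, not code from Palo Alto Networks or from Strata Cloud Manager, that models the categorization and recommendation logic described in How It Works and the Optimize a Rule steps: it flags rules that allow any application and are at least 90 days old (skipping rules on an exclusion list), counts the applications detected for each such rule over the last 90 days, proposes one specific rule per application with the share of the original rule's traffic it covers, supports merging similar recommendations, and inserts the accepted rules above the original, which is kept and tagged with the _original suffix. The rulebase, traffic log, rule-naming scheme, and the "optimized" tag on the new rules are constructed assumptions; Strata Cloud Manager's real data model and tag names for optimized rules are not shown on this page.

```python
from collections import Counter
from dataclasses import dataclass, field, replace
from datetime import date, timedelta

# Constructed sample data for illustration; not taken from a real Strata Cloud Manager tenant.
TODAY = date(2024, 6, 1)
LOOKBACK_DAYS = 90   # window used both for minimum rule age and for detected applications


@dataclass
class Rule:
    name: str
    applications: list        # ["any"] means the rule matches every application
    created: date
    action: str = "allow"
    tags: list = field(default_factory=list)


@dataclass
class LogEntry:
    rule: str        # security rule that matched the sessions
    app: str         # App-ID that was detected
    sessions: int    # number of sessions in this aggregate
    day: date


RULEBASE = [
    Rule("allow-any-outbound", ["any"], date(2023, 12, 1)),
    Rule("allow-dns", ["dns"], date(2023, 1, 1)),
    Rule("allow-any-new", ["any"], date(2024, 5, 15)),   # younger than 90 days: not considered
]

TRAFFIC = [
    LogEntry("allow-any-outbound", "web-browsing", 600, date(2024, 5, 20)),
    LogEntry("allow-any-outbound", "ssl", 300, date(2024, 5, 21)),
    LogEntry("allow-any-outbound", "ssh", 100, date(2024, 4, 2)),
    LogEntry("allow-any-outbound", "ftp", 50, date(2024, 1, 15)),   # outside the window: ignored
    LogEntry("allow-dns", "dns", 5000, date(2024, 5, 30)),
    LogEntry("allow-any-new", "smtp", 10, date(2024, 5, 28)),
]


def is_overly_permissive(rule, today=TODAY, excluded=()):
    """Overly permissive: allows any application and is at least 90 days old (unless excluded)."""
    if rule.name in excluded:
        return False
    old_enough = (today - rule.created).days >= LOOKBACK_DAYS
    return rule.action == "allow" and "any" in rule.applications and old_enough


def find_overly_permissive(rulebase, today=TODAY, excluded=()):
    return [r for r in rulebase if is_overly_permissive(r, today, excluded)]


def detected_apps(rule_name, traffic, today=TODAY):
    """Sessions per application that hit the rule inside the lookback window."""
    cutoff = today - timedelta(days=LOOKBACK_DAYS)
    counts = Counter()
    for entry in traffic:
        if entry.rule == rule_name and entry.day >= cutoff:
            counts[entry.app] += entry.sessions
    return counts


def recommend(rule, traffic, today=TODAY):
    """One specific rule per detected application, with the share of the original rule's traffic it covers."""
    counts = detected_apps(rule.name, traffic, today)
    total = sum(counts.values())
    if total == 0:            # a zero-hit rule yields no recommendations
        return []
    return [{"name": f"{rule.name}-{app}", "applications": [app],
             "coverage": round(sessions / total, 3)}
            for app, sessions in counts.most_common()]


def merge(recs):
    """Merge recommendations the operator considers similar into a single multi-application rule."""
    return {"name": recs[0]["name"] + "-merged",
            "applications": [a for r in recs for a in r["applications"]],
            "coverage": round(sum(r["coverage"] for r in recs), 3)}


def apply_recommendations(rulebase, original, accepted, today=TODAY):
    """Insert accepted rules above the original, which stays in place tagged <name>_original."""
    new_rules = [Rule(r["name"], list(r["applications"]), today, original.action, ["optimized"])
                 for r in accepted]
    tagged = replace(original, tags=original.tags + [original.name + "_original"])
    idx = rulebase.index(original)
    return rulebase[:idx] + new_rules + [tagged] + rulebase[idx + 1:]


if __name__ == "__main__":
    for rule in find_overly_permissive(RULEBASE):
        for rec in recommend(rule, TRAFFIC):
            print(rule.name, "->", rec["name"], rec["applications"], f"{rec['coverage']:.0%}")
```

Running the block lists the three recommended rules for allow-any-outbound with their coverage (60%, 30%, 10%); the ftp traffic is ignored because it falls outside the 90-day window, and allow-any-new is skipped because it is too young, which mirrors why a freshly created any-application rule does not appear in Policy Optimizer yet.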
Exclude a Rule from Optimization

Move a rule to the Excluded from Optimization list, and Prisma Access will not optimize it. The rule settings remain as is.

Make sure to Push Config after moving a rule to the exclusion list; after pushing the configuration, it can take up to 24 hours for the rule to display on the list. You can always choose to add the rule back to the optimization list later.
Track Optimization Results

Policy Optimizer shows a history of the security rules you’ve optimized. Historical data includes the optimization results: compare the original rule’s traffic coverage against that of the optimized rules.

The data you see for Policy Optimizer History is for the last 30 days. If an original rule (a rule you optimized) gets no hits for six months, it’s removed from the Policy Optimizer history and is classified instead as a zero-hit policy rule.