Convert Internet Access Rules
Table of Contents
10.1
Expand all | Collapse all
Convert Internet Access Rules
Convert legacy port-based HTTP/HTTPS (port 80/443) internet
access rules to application-based rules.
An internet access rule controls traffic on
port 80 (HTTP) and port 443 (HTTPS). This rule usually sees the
largest number of applications and the greatest amount of traffic
in bytes. A port-based internet access rule may allow applications
you don’t want on your network and expose it to attacks. Control
and safely enable the applications you allow on those ports by converting
the port-based internet access rule to a set of application-based
rules. To do this, you need to understand which applications your
company sanctions for business use and which applications your company
tolerates for other purposes.
A good conversion method is
to group applications that require similar treatment in the same rule
instead of creating separate rules for each application to help
prevent rulebase bloat. Use Policy Optimizer to sort the applications
seen on a rule by application subcategory so you can see all the applications
on a rule for a particular subcategory, select the applications
your business uses, and then clone a rule to control those applications.
Policy Optimizer offers many sorting and filtering options to
organize and analyze applications seen on a rule.
Clone the
rule instead of directly converting it to ensure application availability.
Cloning a rule retains the original port-based rule and places the
cloned application-based rule directly above the port-based rule
in the Security rulebase. Create different internet access rules
from the original port-based rule for groups of applications you
want to treat differently, without risking application availability.
Easily see which applications match the cloned rule and which applications
filter through to the original port-based rule and then adjust the
rules as needed. When no applications you want to allow match the
port-based rule for a long enough period of time to be confident
that you’ve accounted for all the applications the business requires,
you can disable (or delete) the port-based rule, which finishes
the conversion without risking application availability.
Use
the same method to convert other rules that have seen more than
a few well-known applications. Use information
to help prioritize which rules to convert after you convert the
internet access rules. For example, you could prioritize based on
a combination of most
Policies
Security
Policy Optimizer
No App Specified
Apps Seen
and most
traffic over the last 30 days (Traffic (Bytes, 30 days)
)
to convert the most-used rules, or you could look at Days
with No New Apps
and the Modified
date
to find rules that have seen many applications but are also more
stable.This example shows you how to clone an application-based
rule that controls general business applications from a port-based
internet access rule. Use the same cloning process to create application-based
rules safely for different subcatgories and individual applications
seen on any port-based rule.
- Navigate toand find the port-based rule(s) that control internet access.PoliciesSecurityPolicy OptimizerNo App SpecfiedUse the filter(service/member eq ‘service-http’) and (service/member eq ‘service-https’)to find the port-based rule(s) configured withservice-httpandservice-https, which is the internet access rule (or rules).
- ClickCompareor the number ofApps Seento open theApplications & Usagedialog.
- SortApps Seenby application subcategory to group similar applications that may be appropriate to control in the same Security policy rule.Sort bySubcategoryto group the applications seen on the rule:You can also filter by a particular subcategory to see only the applications that belong to that subcategory. In this example, to create an App-ID based rule to control general-business applications, filter to view only the general business applications seen on the rule:
- Select the applications you want to allow and thenCreate Cloned Ruleto clone the new application-based rule from the port-based rule.In this example, the company uses four of the applications but has not used one of the applications for a long period of time, which you can see in theLast SeenandTraffic (30 Days)columns. Based on usage and company-sanctioned applications, the company chooses not to allow the application that it isn’t using.
- In theClonedialog, select the applications associated with each container app that you want to allow.Give the new rule aNamethat describes its purpose—in this example, general-business-apps. Decide if you want to allow only specific applications from each container app or if you want to allow the container app. Allowing the container app allows all of the applications in the container. This future-proofs the rule by automatically allowing new applications if they are added to the container app, which helps ensure application availability. By default, all of the applications are selected. The container apps are shaded gray, applications that have been seen on the rule are shaded green, and applications in the container app that haven’t been seen on the rule are italicized and not shaded.In this example’s illustration, you can see the gray-shaded container apps “adobe-creative-cloud” and “windows-azure”, applications seen on the rule in green (“adobe-creative-cloud-base” and “windows-azure-base”), and two applications that have not been seen on the rule in italics (“adobe-creative-cloud-uploading” and “azure-log-analytics”). The example shows that the application “adobe-creative-cloud-uploading” is deselected, which also automatically deselects its container app (“adobe-creative-cloud”) while all of the “windows-azure” applications remain selected, so the “windows-azure” container app remains selected.Deselect an application if you don’t want users to have access to that particular application. However, if new applications are added to the “adobe-creative-cloud” container app, the firewall will not automatically allow them because the container app is deselected. Conversely, if new applications are added to the “windows-azure” container app, the firewall will automatically allow them, which future-proofs the rule.
- ClickOKto return to the Security policy rule Usage tab and then clickOKagain to create the rule. The firewall places the rule above the port-based rule in the Security policy rulebase ().PoliciesSecurityIf you select a container app, Policy Optimizer adds only the container app to the rule because the container app includes all of the applications. The red gear for “adobe-creative-cloud-base” indicates that it is an individual application, not a container app.
- Click the ruleNameor aServiceand change theServicetoapplication-defaultto prevent evasive applications from gaining access on a non-standard port.
- Whenever you need to allow other sanctioned general business applications, add them to the general-business-apps rule, and remove applications from the rule if you no longer use them.