>
    Strata Copilot
    Add Apps to an Application Filter with Policy Optimizer
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. App-ID
    4. App-ID Cloud Engine
    5. Add Apps to an Application Filter with Policy Optimizer
    Download PDF
    Next-Generation Firewall

    Add Apps to an Application Filter with Policy Optimizer

    Table of Contents

    Add Apps to an Application Filter with Policy Optimizer

    Automate adding App-ID Cloud Engine (ACE) applications dynamically to Security policy rules using Application Filters.
    Where Can I Use This?What Do I Need?
    • Prisma Access
    • Next-Generation Firewall
    • SaaS Security Inline license (for NGFW)
    • Prisma Access license (ACE is a core feature)
    Add App-IDs from the App-ID Cloud Engine (ACE) to Application Filters to automate adding cloud App-IDs to Security policy. When new ACE App-IDs match an Application Filter, the firewall adds them to the filter automatically. When you use the Application Filter in a Security policy rule, the rule automatically controls new ACE App-IDs as they arrive at the firewall and are added to the filter.
    ACE provides App-IDs for applications that were previously identified as ssl or web-browsing.
    Using Application Filters is a best practice because they:
    • Improve your security posture. Application Filters automate adding new ACE App-IDs to Security policy rules that you design specifically to handle a particular type of application traffic, instead of matching the traffic to more general ssl or web-browsing rules.
    • Save time. Firewall administrators can configure Application Filters to handle different types of traffic so that adding new ACE App-IDs to policy is automatic and requires no further effort by the administrator.
    When you create Application Filters, exclude ssl and web-browsing from the filters. Together, ssl and web-browsing match all browser-based cloud applications, so an Application Filter that includes ssl and web-browsing matches all browser-based cloud applications.
    Use Policy Optimizer to add ACE App-IDs to Application Filters and to apply the filters to Security policy rules.
    1. Go to PoliciesSecurity and then select Policy OptimizerNew App Viewer.
      If the firewall has identified traffic with ACE App-IDs, a number displays next to New App Viewer in the left navigation window to show how many rules match ACE App-IDs. The screen displays the Security policy rules that match cloud App-IDs.
    2. Click the number in Apps Seen for a Security policy rule to view the cloud-delivered applications that matched the rule in the Applications & Usage dialog.
    3. Select the applications that you want to add to an existing or new Application Filter.
      You can sort and filter the applications in Apps Seen by subcategory, risk, amount of traffic seen over the last 30 days, or when the application was first or last seen.
    4. Select Application Filter from Create Cloned Rule or Add to Existing Rule, depending on how you want to handle the applications.
      The maximum number of applications you can clone using Create Cloned Rule is 1,000 applications. If there are more than 1,000 applications that you want to move to a different rule, use Add to Existing Rule instead. If you want to move the applications to a new rule, simply create the rule first (PoliciesSecurity) and then use Policy Optimizer to add them to that rule.
    5. Select or create the Application Filter. Creating an Application Filter using Policy Optimizer is the almost exactly the same as using ObjectsApplication Filters to create an Application Filter—you use the same filtering tools and options. This step shows you how to use Policy Optimizer first for creating a cloned and then for adding to an existing rule.
      Create Cloned Rule:
      1. Type the Cloned Rule Name (the name for the cloned rule, which will appear in the Security policy rulebase immediately above the original rule).
      2. Select the Policy Action (Allow or Deny).
      3. Select the Application Filter Name from the menu or type the name of a new Application Filter.
      4. Select whether the filter should Apply to New App-IDs only or if it should apply to all App-IDs.
      5. Use the Category, Subcategory, Risk, Tags, and Characteristic values to filter the types of applications you want to add to the Application Filter. The firewall automatically adds new applications that meet the filter criteria to the Application Filter.
      6. Click OK to add the applications to the new or existing Application Filter. The firewall includes the applications that you selected in Step 3 in the Application Filter.
      7. Commit the changes.
      Add to Existing Rule:
      1. Select the Existing Rule Name to add the selected applications to an existing rule in an Application Filter.
      2. Select the Application Filter Name from the menu or type the name of a new Application Filter.
      3. Select whether the Application Filter is Shared, whether you want to Disable override of application characteristics for the filter, and whether the filter should Apply to New App-IDs only or if it should apply to all App-IDs.
      4. Use the Category, Subcategory, Risk, Tags, and Characteristic values to filter the types of applications you want to add to the Application Filter. The firewall automatically adds new applications that meet the filter criteria to the Application Filter.
      5. Click OK to add the applications to the new or existing Application Filter. The firewall includes the applications that you selected in Step 3 in the Application Filter.
      6. Commit the changes.

    © 2026 Palo Alto Networks, Inc. All rights reserved.