Migrate Port-Based to App-ID Based Security Policy Rules
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
PAN-OS 9.1 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- Cloud Management of NGFWs
-
- Management Interfaces
-
- Launch the Web Interface
- Configure Banners, Message of the Day, and Logos
- Use the Administrator Login Activity Indicators to Detect Account Misuse
- Manage and Monitor Administrative Tasks
- Commit, Validate, and Preview Firewall Configuration Changes
- Export Configuration Table Data
- Use Global Find to Search the Firewall or Panorama Management Server
- Manage Locks for Restricting Configuration Changes
-
-
- Define Access to the Web Interface Tabs
- Provide Granular Access to the Monitor Tab
- Provide Granular Access to the Policy Tab
- Provide Granular Access to the Objects Tab
- Provide Granular Access to the Network Tab
- Provide Granular Access to the Device Tab
- Define User Privacy Settings in the Admin Role Profile
- Restrict Administrator Access to Commit and Validate Functions
- Provide Granular Access to Global Settings
- Provide Granular Access to the Panorama Tab
- Panorama Web Interface Access Privileges
-
- Reset the Firewall to Factory Default Settings
-
- Plan Your Authentication Deployment
- Configure SAML Authentication
- Configure Kerberos Single Sign-On
- Configure Kerberos Server Authentication
- Configure TACACS+ Authentication
- Configure RADIUS Authentication
- Configure LDAP Authentication
- Configure Local Database Authentication
- Configure an Authentication Profile and Sequence
- Test Authentication Server Connectivity
- Troubleshoot Authentication Issues
-
- Keys and Certificates
- Default Trusted Certificate Authorities (CAs)
- Certificate Deployment
- Configure the Master Key
- Export a Certificate and Private Key
- Configure a Certificate Profile
- Configure an SSL/TLS Service Profile
- Replace the Certificate for Inbound Management Traffic
- Configure the Key Size for SSL Forward Proxy Server Certificates
-
- HA Overview
-
- Prerequisites for Active/Active HA
- Configure Active/Active HA
-
- Use Case: Configure Active/Active HA with Route-Based Redundancy
- Use Case: Configure Active/Active HA with Floating IP Addresses
- Use Case: Configure Active/Active HA with ARP Load-Sharing
- Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
- Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
- Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3
- Refresh HA1 SSH Keys and Configure Key Options
- HA Firewall States
- Reference: HA Synchronization
-
- Use the Dashboard
- Monitor Applications and Threats
- Monitor Block List
-
- Report Types
- View Reports
- Configure the Expiration Period and Run Time for Reports
- Disable Predefined Reports
- Custom Reports
- Generate Custom Reports
- Generate the SaaS Application Usage Report
- Manage PDF Summary Reports
- Generate User/Group Activity Reports
- Manage Report Groups
- Schedule Reports for Email Delivery
- Manage Report Storage Capacity
- View Policy Rule Usage
- Use External Services for Monitoring
- Configure Log Forwarding
- Configure Email Alerts
-
- Configure Syslog Monitoring
-
- Traffic Log Fields
- Threat Log Fields
- URL Filtering Log Fields
- Data Filtering Log Fields
- HIP Match Log Fields
- IP-Tag Log Fields
- User-ID Log Fields
- Tunnel Inspection Log Fields
- SCTP Log Fields
- Authentication Log Fields
- Config Log Fields
- System Log Fields
- Correlated Events Log Fields
- GTP Log Fields
- Syslog Severity
- Custom Log/Event Format
- Escape Sequences
- Forward Logs to an HTTP/S Destination
- Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors
-
- User-ID Overview
- Enable User-ID
- Map Users to Groups
- Enable User- and Group-Based Policy
- Enable Policy for Users with Multiple Accounts
- Verify the User-ID Configuration
-
- App-ID Overview
- App-ID and HTTP/2 Inspection
- Manage Custom or Unknown Applications
-
- Apply Tags to an Application Filter
- Create Custom Application Tags
- Workflow to Best Incorporate New and Modified App-IDs
- See the New and Modified App-IDs in a Content Release
- See How New and Modified App-IDs Impact Your Security Policy
- Ensure Critical New App-IDs are Allowed
- Monitor New App-IDs
- Disable and Enable App-IDs
- Safely Enable Applications on Default Ports
- Applications with Implicit Support
- Application Level Gateways
- Disable the SIP Application-level Gateway (ALG)
- Maintain Custom Timeouts for Data Center Applications
-
- Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions
- Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
- Set Up File Blocking
- Prevent Brute Force Attacks
- Customize the Action and Trigger Conditions for a Brute Force Signature
- Enable Evasion Signatures
- Monitor Blocked IP Addresses
- Threat Signature Categories
- Create Threat Exceptions
- Custom Signatures
- Threat Prevention Resources
-
- Decryption Overview
-
- Keys and Certificates for Decryption Policies
- SSL Forward Proxy
- SSL Forward Proxy Decryption Profile
- SSL Inbound Inspection
- SSL Inbound Inspection Decryption Profile
- SSL Protocol Settings Decryption Profile
- SSH Proxy
- SSH Proxy Decryption Profile
- Decryption Profile for No Decryption
- SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates
- Perfect Forward Secrecy (PFS) Support for SSL Decryption
- SSL Decryption and Subject Alternative Names (SANs)
- High Availability Support for Decrypted Sessions
- Decryption Mirroring
- Configure SSL Forward Proxy
- Configure SSL Inbound Inspection
- Configure SSH Proxy
- Configure Server Certificate Verification for Undecrypted Traffic
- Enable Users to Opt Out of SSL Decryption
- Temporarily Disable SSL Decryption
- Configure Decryption Port Mirroring
- Verify Decryption
-
- How Decryption Broker Works
- Layer 3 Security Chain Guidelines
- Configure Decryption Broker with One or More Layer 3 Security Chain
- Transparent Bridge Security Chain Guidelines
- Configure Decryption Broker with a Single Transparent Bridge Security Chain
- Configure Decryption Broker with Multiple Transparent Bridge Security Chains
- Activate Free Licenses for Decryption Features
-
- About Palo Alto Networks URL Filtering Solution
- How Advanced URL Filtering Works
- URL Filtering Use Cases
- Plan Your URL Filtering Deployment
- URL Filtering Best Practices
- Activate The Advanced URL Filtering Subscription
- Configure URL Filtering
- Test URL Filtering Configuration
- Log Only the Page a User Visits
- Create a Custom URL Category
- URL Category Exceptions
- Use an External Dynamic List in a URL Filtering Profile
- Allow Password Access to Certain Sites
- URL Filtering Response Pages
- Customize the URL Filtering Response Pages
- HTTP Header Logging
- Request to Change the Category for a URL
-
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure an Aggregate Interface Group
- Use Interface Management Profiles to Restrict Access
- Virtual Routers
- Service Routes
- RIP
- Route Redistribution
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
- Dynamic DNS Overview
- Configure Dynamic DNS for Firewall Interfaces
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
-
- Policy Types
- Policy Objects
- Track Rules Within a Rulebase
- Enforce Policy Rule Description, Tag, and Audit Comment
- Move or Clone a Policy Rule or Object to a Different Virtual System
-
- External Dynamic List
- Built-in External Dynamic Lists
- Configure the Firewall to Access an External Dynamic List
- Retrieve an External Dynamic List from the Web Server
- View External Dynamic List Entries
- Exclude Entries from an External Dynamic List
- Enforce Policy on an External Dynamic List
- Find External Dynamic Lists That Failed Authentication
- Disable Authentication for an External Dynamic List
- Register IP Addresses and Tags Dynamically
- Use Dynamic User Groups in Policy
- Use Auto-Tagging to Automate Security Actions
- CLI Commands for Dynamic IP Addresses and Tags
- Application Override Policy
- Test Policy Rules
-
PAN-OS 11.1 & Later
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure a PPPoE Client on a Subinterface
- Configure an IPv6 PPPoE Client
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DHCP Overview
- Firewall as a DHCP Server and Client
- Firewall as a DHCPv6 Client
- DHCP Messages
- Dynamic IPv6 Addressing on the Management Interface
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCPv4 Client
- Configure an Interface as a DHCPv6 Client with Prefix Delegation
- Configure the Management Interface as a DHCP Client
- Configure the Management Interface for Dynamic IPv6 Address Assignment
- Configure an Interface as a DHCP Relay Agent
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Create a Source NAT Rule with Persistent DIPP
- PAN-OS
- Strata Cloud Manager
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
-
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Configure MSDP
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
-
-
PAN-OS 11.2
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
- Cloud Management and AIOps for NGFW
End-of-Life (EoL)
Migrate Port-Based to App-ID Based Security Policy Rules
Policy Optimizer converts port-based Security policy
rules to app-based rules without compromising app availability to
safely enable applications.
When you transition from a legacy firewall
to a Palo Alto Networks next-generation firewall, you inherit a
large number of port-based rules that allow any application on the
ports, which increases the attack surface because any application
can use an open port. Policy Optimizer identifies all applications
seen on any legacy port-based Security policy rule and provides
an easy workflow for selecting the applications you want to allow
on that rule. Migrate port-based rules to application-based allow
rules to reduce the attack surface and safely enable applications
on your network. Use Policy Optimizer to maintain the rulebase as
you add new applications.
Migrate
a few port-based rules at a time to application-based rules, in
a prioritized manner. A gradual conversion is safer than migrating
a large rulebase at one time and makes it easier to ensure that
new application-based rules control the necessary applications.
Use Policy Optimizer information to prioritize
which rules to convert first.
To migrate a configuration
from a legacy firewall to a Palo Alto Networks device, see Best Practices for Migrating
to Application-Based Policy.
- Identify port-based rules.Port-based rules have no configured (allowed) applications. PoliciesSecurityPolicy OptimizerNo App Specified displays all port-based rules (Apps Allowed is any).
- Prioritize which port-based rules to convert first.PoliciesSecurityPolicy OptimizerNo App Specified enables you to sort rules without affecting their order in the rulebase and provides other information that helps you prioritize rules for conversion based on your business goals and risk tolerance.
- Traffic (Bytes, 30 days)—(Click to sort.) Rules that currently match the most traffic are at the top of the list. This is the default sorting order.
- Apps Seen—(Click to sort.) A large number of legitimate applications matching a port-based rule may indicate you should replace it with multiple application-based rules that tightly define the applications, users, and sources and destinations. For example, if a port-based rule controls traffic for multiple applications for different user groups on different sets of devices, create separate rules that pair applications with their legitimate users and devices to reduce the attack surface and increase visibility. (Clicking the Apps Seen number or Compare shows you the applications that have matched the rule.)The firewall updates Apps Seen approximately every hour. However, if there is a large volume of application traffic or a large number of rules, it may take longer than an hour to update. After you add an application to a rule, wait at least an hour before running Traffic logs to see the application’s log information.
- Days with No New Apps—(Click to sort.) When the applications seen on a port-based rule stabilize, you can be more confident the rule is mature, conversion won’t accidentally exclude legitimate applications, and no more new applications will match the rule. The Created and Modified dates help you evaluate a rule’s stability because older rules that have not been modified recently may also be more stable.
- Hit Count—Displays rules with the most matches over a selected time frame. You can exclude rules for which you reset the hit counter and specify the exclusion time period in days. Excluding rules with recently reset hit counters prevents misconceptions about rules that show fewer hits than you expect because you didn’t know the counter was reset.You can also use Hit Count to View Policy Rule Usage and help identify and remove unused rules to reduce security risks and keep your rulebase organized.
- Review the Apps Seen on port-based
rules, starting with the highest priority rules.On No Apps Specified, click Compare or the number in Apps Seen to open Applications & Usage, which lists applications that matched a port-based rule over a specified Timeframe, with each application’s Risk, the date it was First Seen, the date it was Last Seen, and the amount of traffic over the last 30 days.You can check Applications seen on port-based rules over the past 7, 15, or 30 days, or over the rule’s lifetime (Anytime). For migrating rules, Anytime provides the most complete assessment of applications that matched the rule.You can search and filter the Apps Seen, but keep in mind that it takes an hour or more to update Apps Seen. You can also order the Apps Seen by clicking the column headers. For example, you can click Traffic (30 days) to bring the applications with the most recent traffic to the top of the list, or click Subcategory to organize the applications by subcategory.The granularity of measurement for First Seen and Last Seen data is one day, so on the day you define a rule, the dates in these two columns are the same. On the second day the firewall sees traffic on an application, you’ll see a difference in the dates.
- Clone or add applications to the rule to specify the
applications you want to allow on the rule.On Applications & Usage, convert a port-based rule to an application-based rule by:
- Cloning the rule—Preserves the original port-based rule and places the cloned application-based rule directly above it in the rulebase.
- Adding applications to the rule—Replaces the original port-based rule with the new application-based rule and deletes the original rule.If you have existing application-based rules and you want to migrate applications to them from port-based rules, you can Add Applications to an Existing Rule.
Some applications appear on the network at intervals, for example, for quarterly or yearly events. These applications may not display on the Applications & Usage screen if the history isn’t long enough to capture their latest activity.When you clone a rule or add applications to a rule, nothing else about the original rule changes. The original rule’s configuration remains the same except for the applications you added to the rule. For example, if the original rule’s Service allowed Any application or specified a particular service, you need to change the Service to Application-Default to restrict the allowed applications to their default ports on the new rule.Cloning is the safest way to migrate rules, especially when Applications & Usage shows more than a few well-known applications matching the rule (Rule Cloning Migration Use Case: Web Browsing and SSL Traffic provides an example of this). Cloning preserves the original port-based rule and places it below the cloned application-based rule, which eliminates the risk of losing application availability because traffic that doesn’t match the cloned rule flows through to the port-based rule. When traffic from legitimate applications hasn’t hit the port-based rule for a reasonable period of time, you can remove it to complete that rule’s migration.To clone a port-based rule:- In Apps Seen, click the check box next to each application you want in the cloned rule. Keep in mind that it takes an hour or more to update Apps Seen.
- Click Create Cloned Rule. In the Create Cloned Rule dialog, Name the cloned rule (“slack” in this example) and add other applications in the same container and application dependencies, if required. For example, to clone a rule by selecting the slack-base application:The green text is the selected application to clone. The container application (slack) is in the gray row. The applications listed in italics are applications that have not been seen on the rule but are in the same container as the selected application. Individual applications that have been seen on the rule are in normal font. All the applications are included in the cloned rule by default (Add Container App, which adds all the applications in the container, is selected by default) to help prevent the rule from breaking in the future.
- If you want to allow all of the applications in the container, leave Add container app selected. This also “future proofs” the rule because when an application is added to the container app, it’s automatically added to the rule.If you want to constrain access to some of the individual applications in the container, uncheck the box next to each individual application you don’t want users to access. This also unchecks the container app, so if you want to allow new applications in the container later, you have to add those applications individually.If you uncheck the container app, all the apps are unchecked and you manually select the apps you want to include in the cloned rule.
- Leave the application dependencies checked, in this example, ssl and web-browsing (these are applications that the selected application requires).
- Click OK to add the new application-based rule directly above the port-based rule in the rulebase.
- Commit the configuration.
When you clone a rule and Commit the configuration, the applications you select for the cloned rule are removed from the original port-based rule’s Apps Seen list. For example, if a port-based rule has 16 Apps Seen and you select two individual applications and one dependent application for the cloned rule, after cloning, the port-based rule shows 13 Apps Seen because the three selected applications have been removed from the port-based rule (16-3 = 13). The cloned rule shows the three added applications in Apps on Rule.Creating a cloned rule with a container app works a bit differently. For example, a port-based rule has 16 Apps Seen and you select one individual application and a container app for the cloned rule. The container app has five individual applications and has one dependent application. After cloning, the cloned rule shows seven Apps on Rule—the individual application, the five individual applications in the container app, and the dependent application for the container app. However, in the original port-based rule, Apps Seen shows 13 applications because only the individual application, the container app, and the container app’s dependent application are removed from the port-based rule.In contrast to cloning, adding applications to a port-based rule replaces the rule with the resulting application-based rule. Adding applications to a rule is simpler than cloning, but riskier because you may inadvertently miss applications that should be on the rule, and the original port-based rule is no longer in the rulebase to catch accidental omissions. However, adding applications to port-based rules that apply to only a few well-known applications migrates the rule quickly to an application-based rule. For example, for a port-based rule that only controls traffic to TCP port 22, the only legitimate application is SSH, so it’s safe to add applications to the rule.Adding applications using the traditional Security policy rule’s Application tab does not change Apps Seen or Apps on Rule. To preserve accurate application usage information, when replacing port-based rules with application-based rules, add applications using Add to This Rule or Match Usage (or create a cloned rule or add applications to an existing application-based rule instead) in Apps Seen.There are three ways to replace a port-based rule with an application-based rule by adding applications (Add to This Rule and Match Usage in Apps Seen and Add in Apps on Rule):- Add to This Rule applications from Apps Seen (applications that matched the rule). Keep in mind that it takes an hour or more to update Apps Seen.
- Select applications from Apps Seen on the rule.
- Click Add to Rule. In the Add to Rule dialog, add other applications in the same container app and application dependencies, if required. For example, to add slack-base to a rule:Similar to the Create Cloned Rule dialog, the green text in Add to This Rule is the selected application to add to the rule. The container app (slack) is in the gray row. The applications listed in italics are applications that have not been seen on the rule but are in the same container as the selected application. Individual applications that have been seen on the rule are in normal font. All the applications are included in the cloned rule by default (Add Container App, which adds all the applications in the container, is selected by default) to help prevent the rule from breaking in the future.
- If you want to allow all of the applications in the container, leave Add container app selected. This also “future proofs” the rule because when an application is added to the container app, it’s automatically added to the rule.If you want to constrain access to some of the individual applications in the container, uncheck the box next to each individual application you don’t want users to access. This also unchecks the container app, so if you want to allow new applications in the container later, you have to add those applications individually.If you uncheck the container app, all the apps are unchecked and you manually select the apps you want to include in the cloned rule.
- Leave the application dependencies checked, in this example, ssl and web-browsing (these are applications that the selected application requires).
- Click OK to replace the port-based rule with the new application-based rule.
When you Add to This Rule and Commit the configuration, the applications you didn’t add are removed from Apps Seen because the new application-based rule no longer allows them. For example, if a rule has 16 Apps Seen and you Add to This Rule three applications, the resulting new rule shows only those three added applications in Apps Seen.Add to This Rule with a container app works a bit differently. For example, a port-based rule has 16 Apps Seen and you select one individual application and a container app to add to the new rule. The container app has five individual applications and has one dependent application. After adding the applications to the rule, the new rule shows seven Apps on Rule—the individual application, the five individual applications in the container app, and the dependent application for the container app. However, Apps Seen shows 13 applications because the individual application, the container app, and the container app’s dependent application are removed from that list. - Add all of the Apps Seen on the rule to the rule at one time with one click (Match Usage).Port-based rules allow any application, so Apps Seen may include unneeded or unsafe applications. Use Match Usage to convert a rule only when the rule has seen a small number of well-known applications with legitimate business purposes. A good example is TCP port 22, which should only allow SSH traffic, so if SSH is the only application seen on a port-based rule that opens port 22, you can safely Match Usage.
- In Apps Seen, click Match Usage. Keep in mind that it takes an hour or more to update Apps Seen. All the applications in Apps Seen are copied to Apps on Rule.
- Click OK to create the application-based rule and replace the port-based rule.
- If you know the applications you want on the rule, you can Add applications manually in Apps on Rule. However, this method is equivalent to using the traditional Security policy rule Application tab and does not change Apps Seen or Apps on Rule. To preserve accurate application usage information, convert rules using Add to Rule, Create Cloned Rule, or Match Usage in Apps Seen.
- In Apps on Rule, Add (or Browse) and select applications to add to the rule. This is equivalent to adding applications on the Application tab.
- Click OK to add the applications to the rule and replace the port-based rule with the new application-based rule.Because this method is equivalent to adding applications using the Application tab, the dialog to add application dependencies doesn’t pop up.
- For each application-based rule, set the Service to application-default. If business needs require you to allow applications (for example, internal custom applications) on non-standard ports between particular clients and servers, restrict the exception to only the required application, sources, and destinations. Consider rewriting custom applications so they use the application default port.
- Commit the configuration.
- Monitor the rules.
- Cloned rules—Monitor the original port-based rule to ensure the application-based rule matches the desired traffic. If applications you want to allow match the port-based rule, add them to the application-based rule or clone another application-based rule for them. When only applications that you don’t want on your network match the port-based rule for a reasonable period of time, the cloned rule is robust (it catches all the application traffic you want to control) and you can safely remove it.
- Rules with Added Applications—Because you convert only port-based rules that have a few well-known applications directly to application-based rules, in most cases the rule is solid from the start. Monitor the converted rule to see if the expected traffic matches the rule—if there’s less traffic than expected, the rule may not allow all of the necessary applications. If there’s more traffic than expected, the rule may allow unwanted traffic. Listen to user feedback—if users can’t access applications they need for business purposes, the rule (or another rule) may be too tight.