Network Security
Policy Object: Application Groups
Table of Contents
Policy Object: Application Groups
To simplify the creation of security rules, applications requiring the same
security settings can be combined into an application group.
To simplify the creation of security rules, applications requiring the same
security settings can be combined into an application group. An application group is an
object that contains applications that you want to treat similarly in
security rules. Application groups are useful for enabling access to applications that you
explicitly sanction for use within your organization. Grouping sanctioned applications
simplifies the administration of your rulebases. Instead of having to update individual
security rules when there is a change in the applications you support, you can update only
the affected application groups.
When deciding how to group applications, consider how you plan
to enforce access to your sanctioned applications and create an
application group that aligns with each of your policy goals. For
example, you might have some applications that you will only allow
your IT administrators to access, and other applications that you
want to make available for any known user in your organization.
In this case, you would create separate application groups for each
of these policy goals. Although you generally want to enable access to
applications on the default port only, you may want to group applications
that are an exception to this and enforce access to those applications
in a separate rule.
Create an Application Group
Cloud Managed
Group sanctioned applications to simplify administration of your
rulebases.
An application group is an object that contains applications that you want to treat
similarly in policy. Application groups are useful for enabling access to
applications that you explicitly sanction for use within your organization. Grouping
sanctioned applications simplifies the administration of your rulebases. Instead of
having to update individual security rules when there is a change in the applications
you support, you can update only the affected application groups.
When deciding how to group applications, consider how you plan to enforce access to
your sanctioned applications and create an application group that aligns with each
of your policy goals. For example, you might have some applications that you will
only allow your IT administrators to access, and other applications that you want to
make available for any known user in your organization. In this case, you would
create separate application groups for each of these policy goals. Although you
generally want to enable access to applications on the default port only, you may
want to group applications that are an exception to this and enforce access to those
applications in a separate rule.
- Select and selectAdd Application Group.
- Give it a descriptiveNameand selectAdd Application Groups.
- SelectAdd Applicationsto add the applications you want in the group and then selectSave.
- SelectPush Configto save your configuration and deploy it to your network.
PAN-OS & Panorama
Group sanctioned applications to simplify administration of your
rulebases.
An application group is an object that contains applications that you want to treat
similarly in policy. Application groups are useful for enabling access to
applications that you explicitly sanction for use within your organization. Grouping
sanctioned applications simplifies the administration of your rulebases. Instead of
having to update individual security rules when there is a change in the applications
you support, you can update only the affected application groups.
When deciding how to group applications, consider how you plan to enforce access to
your sanctioned applications and create an application group that aligns with each
of your policy goals. For example, you might have some applications that you will
only allow your IT administrators to access, and other applications that you want to
make available for any known user in your organization. In this case, you would
create separate application groups for each of these policy goals. Although you
generally want to enable access to applications on the default port only, you may
want to group applications that are an exception to this and enforce access to those
applications in a separate rule.
- Select .
- Adda group and give it a descriptiveName.
- (Optional) SelectSharedto create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.
- Addthe applications you want in the group and then clickOK.
- Committhe configuration.