Migrate port-based Security rules to app-based rules, remove unused apps from rules, and safely enable apps without compromising application availability.
Policy Optimizer provides a simple workflow to migrate your legacy Security policy rulebase to an App-ID based rulebase, which improves your security by reducing the attack surface and giving you visibility into applications so you can safely enable them. Policy Optimizer identifies port-based rules so you can convert them to application-based allow rules, or add the applications seen on a port-based rule to an existing application-based rule, without compromising application availability. It also identifies over-provisioned App-ID based rules (App-ID rules configured with applications that are never used). Policy Optimizer helps you prioritize which port-based rules to migrate first, identify application-based rules that allow applications you don’t use, and analyze rule usage characteristics such as hit count.
Converting port-based rules to application-based rules improves your security posture because you select the applications you want to allow and deny all other applications, so you eliminate unwanted and potentially malicious traffic from your network. Combined with restricting application traffic to its default ports (set the Service to application-default), converting to application-based rules also prevents evasive applications from running on non-standard ports.
You can use this feature on:
Firewalls that run PAN-OS version 9.0 or later and have Panorama running PAN-OS version 9.0 or later. You don’t have to upgrade firewalls that Panorama manages to use the Policy Optimizer capabilities. However, to use the rule usage capabilities (Monitor Policy Rule Usage), managed firewalls must run PAN-OS 8.1 or later. If managed firewalls connect to Log Collectors, those Log Collectors must also run PAN-OS version 9.0. Managed PA-7000 Series firewalls that have a Log Processing Card (LPC) can also run PAN-OS 8.1 (or later).
For Cortex Data Lake compatibility, Panorama running PAN-OS
10.0.3 or later with the Cloud Services plugin 2.0 Innovation or
PA-7000 Series Firewalls support two logging cards, the
PA-7000 Series Firewall Log Processing Card (LPC) and the high-performance
PA-7000 Series Firewall Log Forwarding Card (LFC). Unlike the LPC,
the LFC does not have disks to store logs locally. Instead, the
LFC forwards all logs to one or more external logging systems, such
as Panorama or a syslog server. If you use the LFC, the application
usage information for Policy Optimizer does not display on the firewall
because traffic logs aren’t stored locally. If you use the LPC,
the traffic logs are stored locally on the firewall, so the application
usage information for Policy Optimizer displays on the firewall.
Use this feature to:
Migrate port-based rules to application-based rules. Instead of combing through traffic logs and manually mapping applications to port-based rules, use Policy Optimizer to identify port-based rules and list the applications that matched each rule, so you can select the applications you want to allow and safely enable them. Converting your legacy port-based rules to application-based allow rules supports your business applications and enables you to block any applications associated with malicious activity.
Identify over-provisioned application-based rules. Rules that are too broad allow applications you don’t use on your network, which increases the attack surface and the risk of inadvertently allowing malicious traffic.
Remove unused applications from Security policy rules to reduce the attack surface and keep the rulebase clean. Don’t allow applications that nobody uses on your network.
The Security policy rulebase itself doesn’t provide sorting options, because sorting would change the rule order in the rulebase. However, Policy Optimizer provides sorting options that don’t affect the rule order, to help you prioritize which rules to convert or clean up first. You can sort rules by the amount of traffic during the past 30 days, the number of applications seen on the rule, the number of days with no new applications, and the number of applications allowed (for over-provisioned rules).
You can use Policy Optimizer in other ways as well, including
validating pre-production rules and troubleshooting existing rules.
Note that Policy Optimizer honors only Log at Session End logs, not Log at Session Start logs, to avoid counting transient applications on rules.
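As an added illustration of the usage characteristics described above (the traffic-over-30-days, applications-seen, days-with-no-new-application and unused-application figures, computed from session-end logs only), the following script reproduces that bookkeeping over a constructed set of sample traffic records. It is example code written for this page, not Palo Alto Networks code and not how Policy Optimizer is implemented; the rule names, App-IDs, byte counts and dates are all made up.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (hypothetical; not real PAN-OS output).
# Each log: rule that matched, App-ID, bytes, log date, and whether the
# log was written at session end or at session start.
TODAY = date(2024, 6, 30)
RULES = {
    "legacy-tcp-443": {"type": "port", "apps_allowed": ["any"]},
    "saas-allow":     {"type": "app",  "apps_allowed": ["ms-office365", "dropbox", "box"]},
}
LOGS = [
    ("legacy-tcp-443", "ssl",          120_000, date(2024, 6, 1),  "end"),
    ("legacy-tcp-443", "web-browsing", 800_000, date(2024, 6, 10), "end"),
    ("legacy-tcp-443", "ms-update",     50_000, date(2024, 6, 25), "end"),
    ("legacy-tcp-443", "bittorrent",         0, date(2024, 6, 26), "start"),  # transient, ignored
    ("legacy-tcp-443", "ssl",          900_000, date(2024, 4, 1),  "end"),    # outside 30-day window
    ("saas-allow",     "ms-office365", 300_000, date(2024, 6, 5),  "end"),
    ("saas-allow",     "ms-office365", 200_000, date(2024, 6, 20), "end"),
]

def summarize(logs, rules, today=TODAY, window=30):
    """Per-rule usage summary mirroring the sort columns described in the text."""
    first_seen = defaultdict(dict)   # rule -> app -> first date the app was seen
    traffic = defaultdict(int)       # rule -> bytes within the window
    for rule, app, nbytes, day, log_type in logs:
        # Only session-end logs carry the final App-ID; a session-start log may
        # still name a transient application, so it is skipped.
        if log_type != "end" or (today - day).days > window:
            continue
        traffic[rule] += nbytes
        if app not in first_seen[rule] or day < first_seen[rule][app]:
            first_seen[rule][app] = day
    summary = {}
    for rule, cfg in rules.items():
        apps = first_seen.get(rule, {})
        newest = max(apps.values(), default=None)
        summary[rule] = {
            "type": cfg["type"],
            "bytes_30d": traffic.get(rule, 0),
            "apps_seen": sorted(apps),
            "days_no_new_app": (today - newest).days if newest else None,
            # Configured but never seen: candidates for removal from the rule.
            "unused_apps": sorted(a for a in cfg["apps_allowed"] if a != "any" and a not in apps),
        }
    return summary

def port_rules_by(summary, key):
    """Port-based rules ordered for conversion, largest value of `key` first."""
    return sorted((r for r, s in summary.items() if s["type"] == "port"),
                  key=lambda r: summary[r][key], reverse=True)
```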
Due to resource constraints, VM-50 Lite virtual firewalls
don’t support Policy Optimizer.