Sorting and Filtering Security Policy Rules
Use application usage information to prioritize which rules to migrate from port-based to app-based rules or to clean up (remove unused apps) first.
You can filter Security policy rules to see all the port-based rules, which have no applications configured (Policies > Security > Policy Optimizer > No App Specified). You can also filter to see all the rules that have applications configured but traffic doesn’t hit all of the applications (Policies > Security > Policy Optimizer > Unused Apps). You can sort the filtered policy rules based on different types of statistics to help prioritize which rules to convert from port-based to application-based rules or to clean up first.

You can’t filter or sort rules in Policies > Security because that would change the order of the policy rules in the rulebase. Filtering and sorting Policies > Security > Policy Optimizer > No App Specified and Policies > Security > Policy Optimizer > Unused Apps does not change the order of the rules in the rulebase.
You can click several column headers to sort port-based rules (No App Specified) and rules with unused applications (Unused Apps) based on application usage statistics. In addition, you can View Policy Rule Usage to help identify and remove unused rules to reduce security risks and keep your policy rule base organized. Rule usage tracking allows you to quickly validate new rule additions and rule changes and to monitor rule usage for operations and troubleshooting tasks.

- Traffic (Bytes, 30 days)—The amount of traffic seen on the rule over the last 30 days. The 30-day window places rules that currently match the most traffic at the top of the list by default (a longer time frame places more emphasis on older rules that would remain at the top of the list because they have large cumulative totals even though they may no longer see much traffic). Click to reverse the order.
- Apps Seen—Place the rules with the most or least applications seen at the top. The firewall never automatically purges the application data. The firewall updates Apps Seen approximately every hour. However, if there is a large volume of application traffic or a large number of rules, it may take longer than an hour to update. After you add an application to a rule, wait at least an hour before running Traffic logs to see the application’s log information.
- Days with No New Apps—Place the rules with the most or least days since the last new application matched the rule at the top.
- (Unused Apps only) Apps Allowed—Place the rules with the most or least applications configured on the rule at the top.
Application usage statistics only count applications for rules that meet the following criteria:

- The rule’s Action must be Allow.
- The rule’s Log Setting must be Log at Session End (this is the default Log Setting). Rules that Log at Session Start are ignored to prevent counting transient applications.
- Valid traffic must match the rule. For example, if the session ends before enough traffic passes through the firewall to identify the application, it is not counted. The following traffic types are not valid and therefore don’t count for Policy Optimizer statistics:
  - Insufficient-data
  - Not-applicable
  - Non-syn-tcp
  - Incomplete

You can filter the Traffic logs (Monitor > Logs > Traffic) to see traffic identified as one of these types. For example, to see all traffic identified as incomplete, use the filter (app eq incomplete).
If these criteria aren’t met, the application isn’t counted for statistics such as Apps Seen, doesn’t affect statistics such as Days with No New Apps, and doesn’t appear in lists of applications. The firewall doesn’t track application usage statistics for the interzone-default and intrazone-default Security policy rules.

If the UUID of a rule changes, the application usage statistics for that rule reset because the UUID change makes the firewall see the rule as a different (new) rule.
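As an added illustration (not part of this documentation page or of PAN-OS itself), the following Python models how the criteria above decide which Traffic log entries count, and computes the per-rule Apps Seen, Days with No New Apps and Traffic (30 days) statistics that the column headers described earlier sort on. The log entries, rule names and field names are constructed assumptions; the firewall computes these values internally.

```python
from collections import defaultdict
from datetime import date, timedelta

# Traffic types the page lists as not valid; they never count toward Policy Optimizer statistics.
INVALID_APPS = {"insufficient-data", "not-applicable", "non-syn-tcp", "incomplete"}

def counts_for_stats(e):
    """The page's criteria: Action Allow, Log at Session End, valid (identified) traffic."""
    return (e["action"] == "allow" and e["log_at"] == "session-end"
            and e["app"] not in INVALID_APPS)

def rule_stats(entries, today):
    """Per-rule Apps Seen, Days with No New Apps and Traffic (30 days) in bytes."""
    first_seen = defaultdict(dict)   # rule -> app -> earliest day the app matched the rule
    traffic_30d = defaultdict(int)
    for e in entries:
        if not counts_for_stats(e):
            continue
        apps = first_seen[e["rule"]]
        apps[e["app"]] = min(apps.get(e["app"], e["date"]), e["date"])  # app data is never purged
        if today - e["date"] < timedelta(days=30):                       # rolling 30-day byte window
            traffic_30d[e["rule"]] += e["bytes"]
    return {rule: {"apps_seen": len(apps),
                   "days_no_new_apps": (today - max(apps.values())).days,
                   "traffic_30d": traffic_30d[rule]}
            for rule, apps in first_seen.items()}

def sort_rules(stats, column, descending=True):
    """Order rule names by one column; call again with descending=False to reverse, like a second click."""
    return sorted(stats, key=lambda r: stats[r][column], reverse=descending)

def entry(rule, app, action, log_at, nbytes, day):
    return {"rule": rule, "app": app, "action": action, "log_at": log_at,
            "bytes": nbytes, "date": day}

TODAY = date(2024, 6, 30)
LOG = [  # constructed sample Traffic log entries, not real firewall output
    entry("web-out", "web-browsing", "allow", "session-end", 5000, date(2024, 6, 29)),
    entry("web-out", "ssl", "allow", "session-end", 9000, date(2024, 6, 10)),
    entry("web-out", "incomplete", "allow", "session-end", 400, date(2024, 6, 29)),  # not valid traffic
    entry("legacy-any", "ftp", "allow", "session-end", 70000, date(2024, 4, 1)),      # older than 30 days
    entry("legacy-any", "dns", "allow", "session-start", 100, date(2024, 6, 28)),     # logs at session start
    entry("deny-all", "smtp", "deny", "session-end", 10, date(2024, 6, 28)),          # not an Allow rule
]

if __name__ == "__main__":
    stats = rule_stats(LOG, TODAY)
    for column in ("traffic_30d", "apps_seen", "days_no_new_apps"):
        print(column, sort_rules(stats, column))
```

Note that legacy-any still shows one app seen but zero bytes in the 30-day window, which is exactly the cumulative-versus-current distinction the Traffic (Bytes, 30 days) column is designed to surface.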
To see and sort the applications seen on a rule, in the rule’s row, click Compare or click the number in Apps Seen. For the rules you see in Policies > Security > Policy Optimizer > No App Specified and Policies > Security > Policy Optimizer > Unused Apps, clicking Compare or the Apps Seen number brings up Applications & Usage, which gives you a view of the applications seen on the rule and the ability to sort them. Applications & Usage is also where you Migrate Port-Based to App-ID Based Security Policy Rules and remove unused applications from rules.

You can sort the applications seen on the rule by all six of the Apps Seen statistics (Apps Seen is not updated in real time and takes an hour or longer to update, depending on the volume of traffic and number of rules).

- Applications—Alphabetical by application name. If you configure specific ports or port ranges for a rule’s Service (the Service cannot be any), and there are standard (application default) ports for the application, and the configured ports don’t match the application-default ports, then a yellow, triangular warning icon appears next to the application.
- Subcategory—Alphabetical by application subcategory, derived from the application content metadata.
- Risk—According to the risk rating of the application.
- First Seen—The first day the application was seen on the rule. The time stamp resolution is by the day only (not hourly).
- Last Seen—The last day the application was seen on the rule. The time stamp resolution is by the day only (not hourly).
- Traffic (30 days)—Traffic in bytes that matched the rule over the last 30 days is the default sorting method.
Set the Timeframe to display statistics for a particular time period—Anytime, the Past 7 days, the Past 15 days, or the Past 30 days. Traffic (30 days) always displays only the last 30 days of traffic in bytes. Changing the Timeframe does not change the duration of the Traffic (30 days) bytes measurement.

Clicking the column header orders the display and clicking the same column again reverses the order. For example, click Risk to sort applications from low risk to high risk. Click Risk again to sort applications from high risk to low risk.

The firewall doesn’t report application usage statistics in real time on Policies > Security > Policy Optimizer > No App Specified, Policies > Security > Policy Optimizer > Unused Apps, or on Applications & Usage, so this feature isn’t a replacement for running reports.

- The firewall updates Apps Allowed, Apps Seen, and the applications listed in Applications & Usage approximately every hour, not in real time. If there is a large amount of traffic or a large number of rules, updates may take longer. After you add an application to a rule, wait at least an hour before running Traffic logs to see the application’s log information.
- The firewall updates Days with No New Apps and also First Seen and Last Seen on Applications & Usage once per day, at midnight device time.
- For rules with large numbers of applications seen, it may take longer to process application usage statistics.
- For Security policy rulebases with large numbers of rules that have many applications, it may take longer to process application usage statistics.
- For firewalls managed by Panorama, application usage data is visible only for rules Panorama pushes to the firewalls, not for rules configured locally on individual firewalls.