PAN-OS® Administrator’s Guide
  • PAN-OS® Administrator’s Guide
  • All Documentation
>
Add Apps to an Application Filter with Policy Optimizer
Focus
Download PDF
Focus
  1. Home
  2. PAN-OS
  3. App-ID
  4. App-ID Cloud Engine
  5. Add Apps to an Application Filter with Policy Optimizer
Download PDF

Add Apps to an Application Filter with Policy Optimizer

Table of Contents

Add Apps to an Application Filter with Policy Optimizer

Automate adding App-ID Cloud Engine (ACE) applications dynamically to Security policy rules using Application Filters.
Add App-IDs from the App-ID Cloud Engine (ACE, and/or content-provided App-IDs) to new or existing Application Filters to automate how you control cloud App-IDs in Security policy. When new ACE App-IDs match an Application Filter, the firewall adds them to the filter automatically. When you use the Application Filter in a Security policy rule, the rule automatically controls new ACE App-IDs as they arrive at the firewall and are added to the filter.
ACE provides App-IDs for applications that were previously identified as ssl or web-browsing.
Using Application Filters is a best practice because they:
  • Improve your security posture. Application Filters automate adding new ACE App-IDs to Security policy rules that you design specifically to handle a particular type of application traffic, instead of matching the traffic to more general ssl or web-browsing rules.
  • Save time. Firewall administrators can configure Application Filters to handle different types of traffic so that adding new ACE App-IDs to policy is automatic and requires no further effort by the administrator.
When you create Application Filters, exclude ssl and web-browsing from the filters. Together, ssl and web-browsing match all browser-based cloud applications, so an Application Filter that includes ssl and web-browsing matches all browser-based cloud applications.
Use Policy Optimizer to add ACE App-IDs to Application Filters and to apply the filters to cloned or existing rules and control the ACE App-IDs in Security policy.
  1. Go to PoliciesSecurity and then select Policy OptimizerNew App Viewer.
    If the firewall has identified traffic with ACE App-IDs, a number displays next to New App Viewer in the left navigation window. The screen displays the Security policy rules that match cloud App-IDs.
  2. Click the number in Apps Seen for a Security policy rule to see the cloud-delivered applications that matched the rule in the Applications & Usage dialog.
  3. Select the applications that you want to add to an existing or new Application Filter.
    You can sort and filter the applications in Apps Seen by subcategory, risk, amount of traffic seen over the last 30 days, or when the application was first or last seen.
  4. Select Application Filter from Create Cloned Rule or Add to Existing Rule, depending on how you want to handle the applications.
    The maximum number of applications you can clone using Create Cloned Rule is 1,000 applications. If there are more than 1,000 applications that you want to move to a different rule, use Add to Existing Rule instead. If you want to move the applications to a new rule, simply create the rule first (PoliciesSecurity) and then use Policy Optimizer to add them to that rule.
  5. Select or create the Application Filter for the cloned or existing rule. Creating an Application Filter using Policy Optimizer is the almost exactly the same as using ObjectsApplication Filters to create an Application Filter—you use the same filtering tools and options.
    Create Cloned Rule:
    1. Type the Cloned Rule Name (the name for the cloned rule, which will appear in the Security policy rulebase immediately above the original rule).
    2. Select the Policy Action (Allow or Deny).
    3. Select the Application Filter Name from the menu or type the name of a new Application Filter.
    4. Select whether the filter should Apply to New App-IDs only or if it should apply to all App-IDs.
    5. Use the Category, Subcategory, Risk, Tags, and Characteristic values to filter the types of applications you want to add to the Application Filter. The firewall automatically adds new applications that meet the filter criteria to the Application Filter.
    6. Click OK to add the applications to the new or existing Application Filter. The firewall includes the applications that you selected in
      Step 3
      in the Application Filter.
    7. Commit the changes.
    Add to Existing Rule:
    1. Select the Existing Rule Name to add the selected applications to an existing rule in an Application Filter.
    2. Select the Application Filter Name from the menu or type the name of a new Application Filter.
    3. Select whether the Application Filter is Shared, whether you want to Disable override of application characteristics for the filter, and whether the filter should Apply to New App-IDs only or if it should apply to all App-IDs.
    4. Use the Category, Subcategory, Risk, Tags, and Characteristic values to filter the types of applications you want to add to the Application Filter. The firewall automatically adds new applications that meet the filter criteria to the Application Filter.
    5. Click OK to add the applications to the new or existing Application Filter. The firewall includes the applications that you selected in
      Step 3
      in the Application Filter.
    6. Commit the changes.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.