Add Apps to an Application Filter with Policy Optimizer

Add App-IDs from the App-ID Cloud Engine (ACE), and/or content-provided App-IDs, to new or existing Application Filters to automate how you control cloud App-IDs in Security policy. When new ACE App-IDs match an Application Filter, the firewall adds them to the filter automatically. When you use the Application Filter in a Security policy rule, the rule automatically controls new ACE App-IDs as they arrive at the firewall and are added to the filter.
ACE provides App-IDs for applications that were previously identified as ssl, web-browsing, unknown-tcp, or unknown-udp.
Using Application Filters is a best practice because they:
  • Improve your security posture. Application Filters automate adding new ACE App-IDs to Security policy rules that you design specifically to handle a particular type of application traffic, instead of matching the traffic to more general ssl, web-browsing, unknown-tcp, or unknown-udp rules.
  • Save time. Firewall administrators can configure Application Filters to handle different types of traffic so that adding new ACE App-IDs to policy is automatic and requires no further effort by the administrator.
When you create Application Filters, exclude ssl and web-browsing from the filters. Together, ssl and web-browsing match all browser-based cloud applications, so an Application Filter that includes ssl and web-browsing matches all browser-based cloud applications.
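
The following is an added example, not Palo Alto Networks code: a simplified Python model of Application Filter membership that flags a filter whose criteria would pull in ssl or web-browsing, and shows a new App-ID joining the filter automatically. The class and field names, the catalog entries and their attribute values are constructed for illustration; the model assumes values within one attribute are ORed and different attributes are ANDed.

```python
# Simplified model of Application Filter matching (not PAN-OS code).
# Assumption: values within one attribute are ORed, attributes are ANDed.
from dataclasses import dataclass, field

BROAD_APP_IDS = {"ssl", "web-browsing"}  # the two App-IDs the page says to exclude

@dataclass(frozen=True)
class App:
    name: str
    category: str
    subcategory: str
    risk: int

@dataclass
class AppFilter:  # hypothetical structure, not the firewall's object schema
    name: str
    categories: set = field(default_factory=set)
    subcategories: set = field(default_factory=set)
    risks: set = field(default_factory=set)
    excluded: set = field(default_factory=set)

    def matches(self, app):
        if app.name in self.excluded:
            return False
        # An empty criterion set means "no restriction on this attribute".
        return ((not self.categories or app.category in self.categories)
                and (not self.subcategories or app.subcategory in self.subcategories)
                and (not self.risks or app.risk in self.risks))

def resolve(flt, catalog):
    """Return the names of catalog apps that are members of the filter."""
    return {a.name for a in catalog if flt.matches(a)}

def audit(flt, catalog):
    """Return the broad App-IDs the filter would include (empty set = OK)."""
    return resolve(flt, catalog) & BROAD_APP_IDS

# Constructed catalog; attribute values are sample data for illustration.
CATALOG = [
    App("ssl", "networking", "encrypted-tunnel", 4),
    App("web-browsing", "general-internet", "internet-utility", 4),
    App("example-file-share", "general-internet", "file-sharing", 4),
    App("example-crm", "business-systems", "erp-crm", 2),
]
loose = AppFilter("risky-apps", risks={4, 5})
tight = AppFilter("risky-apps", risks={4, 5}, excluded=BROAD_APP_IDS)

# A new ACE App-ID that arrives later joins the filter with no further edits.
NEW_ACE_APP = App("example-new-saas", "general-internet", "file-sharing", 5)
```
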
Use Policy Optimizer to add ACE App-IDs to Application Filters and to apply the filters to cloned or existing rules and control the ACE App-IDs in Security policy.
  1. Go to Policies > Security and then select Policy Optimizer > New App Viewer.
    If the firewall has identified traffic with ACE App-IDs, a number displays next to New App Viewer in the left navigation window. The screen displays the Security policy rules that match cloud App-IDs.
  2. Click the number in Apps Seen for a Security policy rule to see the cloud-delivered applications that matched the rule in the Applications & Usage dialog.
  3. Select the applications that you want to add to an existing or new Application Filter.
    You can sort and filter the applications in Apps Seen by subcategory, risk, amount of traffic seen over the last 30 days, or when the application was first or last seen.
  4. Select Application Filter from Create Cloned Rule or Add to Existing Rule, depending on how you want to handle the applications.
    The maximum number of applications you can clone using Create Cloned Rule is 1,000 applications. If there are more than 1,000 applications that you want to move to a different rule, use Add to Existing Rule instead. If you want to move the applications to a new rule, simply create the rule first (Policies > Security) and then use Policy Optimizer to add them to that rule.
  5. Select or create the Application Filter for the cloned or existing rule. Creating an Application Filter using Policy Optimizer is almost exactly the same as using Objects > Application Filters to create an Application Filter; you use the same filtering tools and options.
    Create Cloned Rule:
    1. Type the Cloned Rule Name (the name for the cloned rule, which will appear in the Security policy rulebase immediately above the original rule).
    2. Select the Policy Action (Allow or Deny).
    3. Select the Application Filter Name from the menu or type the name of a new Application Filter.
    4. Select whether the filter should Apply to New App-IDs only or if it should apply to all App-IDs.
    5. Use the Category, Subcategory, Risk, Tags, and Characteristic values to filter the types of applications you want to add to the Application Filter. The firewall automatically adds new applications that meet the filter criteria to the Application Filter.
    6. Click OK to add the applications to the new or existing Application Filter. The firewall includes the applications that you selected in Step 3 in the Application Filter.
    7. Commit the changes.
    Add to Existing Rule:
    1. Select the Existing Rule Name to add the selected applications to an existing rule in an Application Filter.
    2. Select the Application Filter Name from the menu or type the name of a new Application Filter.
    3. Select whether the Application Filter is Shared, whether you want to Disable override of application characteristics for the filter, and whether the filter should Apply to New App-IDs only or if it should apply to all App-IDs.
    4. Use the Category, Subcategory, Risk, Tags, and Characteristic values to filter the types of applications you want to add to the Application Filter. The firewall automatically adds new applications that meet the filter criteria to the Application Filter.
    5. Click OK to add the applications to the new or existing Application Filter. The firewall includes the applications that you selected in Step 3 in the Application Filter.
    6. Commit the changes.
