Add Apps to an Application Group with Policy Optimizer

Add App-IDs from the App-ID Cloud Engine (ACE) and/or content-provided App-IDs to new or existing Application Groups, and use the Application Groups in Security policy rules to control cloud App-IDs.
ACE provides App-IDs for applications that were previously identified as ssl, web-browsing, unknown-tcp, or unknown-udp.
Use Policy Optimizer to add ACE App-IDs to Application Groups and to apply the groups to cloned or existing rules and control the ACE App-IDs in Security policy.
  1. Go to Policies > Security and then select Policy Optimizer > New App Viewer.
    If the firewall or Panorama has downloaded ACE App-IDs, a number displays next to New App Viewer in the left navigation window. The screen displays the Security policy rules that match downloaded cloud App-IDs.
  2. Click the number in Apps Seen for a Security policy rule to see the cloud-delivered applications that matched the rule in the Applications & Usage dialog.
  3. Select the applications that you want to add to an existing or new Application Group.
    You can sort and filter the applications in Apps Seen by subcategory, risk, amount of traffic seen over the last 30 days, or when the application was first or last seen.
  4. Select Application Group from Create Cloned Rule or Add to Existing Rule, depending on how you want to handle the applications.
    The maximum number of applications you can clone using Create Cloned Rule is 1,000. If there are more than 1,000 applications that you want to move to a different rule, use Add to Existing Rule instead. If you want to move the applications to a new rule, create the rule first (Policies > Security) and then use Policy Optimizer to add them to that rule.
  5. Select or create the Application Group for the cloned or existing rule. Creating Application Groups using Policy Optimizer is similar to using Objects > Application Groups to create an Application Group.
    Create Cloned Rule:
    1. Type the Cloned Rule Name (the name for the cloned rule, which will appear in the Security policy rulebase immediately above the original rule).
    2. Select the Policy Action (Allow or Deny).
    3. In Add to Application Group, select the Application Group to which you want to add the applications that you selected in Step 3.
    4. Select whether to Add container app (default) or only to Add specific apps seen.
      When you add the container app, you also add all of the functional apps in that container, including functional apps that have not yet been seen on the firewall. For example, if you add the “facebook” container app, that also adds facebook-base, facebook-chat, facebook-posting, etc., and also any future applications added to the container. The container app and its functional apps are subject to the Security policy rule to which you add the Application Group. Selecting the container app essentially future-proofs and automates security for the container’s apps so that you don’t have to manually add new apps in that container to your Security policy.
      Adding only the specific apps seen means that only the applications that you selected are added to the Application Group. If new applications in the same container app arrive at the firewall, the Application Group doesn’t control them and you have to manually decide how to handle the new apps.
    5. In some cases, the applications that you want to place in an Application Group require (depend on) other applications to function. In those cases, the Create Cloned Rule dialog box includes Dependent Applications, where you can select whether to add those applications to the cloned rule. Add the dependent applications to the rule to ensure that the selected applications function properly.
    6. Click OK to add the applications to the new or existing Application Group.
    7. Commit the changes.
    Add Apps to Existing Rule:
    1. Select the Existing Rule Name to add the selected applications to an existing rule in an Application Group.
    2. Select the Application Group in Add to Application Group or type the name of a new Application Group.
    3. As with cloning the rule, you can choose whether to Add container app or Add specific apps seen. Adding the container app adds all the functional apps in the container and any future apps added to that container. Adding only the specific apps adds only the selected apps.
    4. As with cloning the rule, in some cases, the applications that you want to place in an Application Group require (depend on) other applications to function. In those cases, the Add Apps to Existing Rule dialog box includes Dependent Applications, where you can select whether to add those applications to the rule. Add the dependent applications to the rule to ensure that the selected applications function properly.
    5. Click OK to add the applications to the new or existing Application Group.
    6. Commit the changes.
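
The difference between Add container app and Add specific apps seen, and the effect of skipping Dependent Applications, can be checked with a small model. This is an added example, not code from the product or its documentation; the container catalog, the dependency map and the app name "facebook-newfeature" are constructed for illustration.

```python
# Added illustration, not vendor code. All catalog data below is constructed.
CONTAINERS = {  # container app -> functional apps known when the group is built
    "facebook": {"facebook-base", "facebook-chat", "facebook-posting"},
}
# Hypothetical dependency data standing in for the Dependent Applications list.
DEPENDS_ON = {"facebook-chat": {"facebook-base"}}


def expand(members, containers):
    """Return every App-ID a group controls, expanding container apps."""
    controlled = set()
    for member in members:
        controlled |= containers.get(member, {member})
    return controlled


def uncontrolled(seen, members, containers):
    """Apps seen on the rule that the Application Group does not control."""
    return sorted(set(seen) - expand(members, containers))


def missing_dependencies(members, containers, depends_on):
    """Apps the group's members depend on that the group does not contain."""
    controlled = expand(members, containers)
    needed = set().union(*(depends_on.get(app, set()) for app in controlled))
    return sorted(needed - controlled)


def demo():
    # A functional app joins the container after the groups were created.
    # "facebook-newfeature" is a made-up name for that future app.
    later = {"facebook": CONTAINERS["facebook"] | {"facebook-newfeature"}}
    seen = ["facebook-base", "facebook-chat", "facebook-newfeature"]
    return {
        "specific_gap": uncontrolled(seen, ["facebook-base", "facebook-chat"], later),
        "container_gap": uncontrolled(seen, ["facebook"], later),
        "missing_deps": missing_dependencies(["facebook-chat"], CONTAINERS, DEPENDS_ON),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A group built from specific apps leaves the later app outside the rule, while the container-based group picks it up without a further change.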
