Sorting and Filtering Security Policy Rules
Use application usage information to prioritize which
rules to migrate from port-based to app-based rules or to clean
up (remove unused apps) first.
You can filter Security policy rules to see the port-based
rules, which are rules with no applications configured on them (Policies > Security > Policy Optimizer > No App Specified).
You can also filter to see the rules that have applications configured
on them, but traffic only matches some of the configured applications—the
rule is over-provisioned and includes applications that aren’t seen
on the rule (Policies > Security > Policy Optimizer > Unused Apps).
In addition, if you have a SaaS Security Inline license,
you can use the New App Viewer to filter
rules that have seen new App-ID Cloud Engine (ACE) applications
(see the ACE documentation for
how to do this). You can sort the filtered policy rules based on
different types of statistics to help prioritize which rules to
convert from port-based to application-based rules or to clean up
first.
You can’t filter or sort rules in Policies > Security because that would
change the order of the policy rules in the rulebase. Filtering
and sorting Policies > Security > Policy Optimizer > No App Specified, Policies > Security > Policy Optimizer > Unused Apps,
and Policies > Security > Policy Optimizer > New App Viewer (if
you have a SaaS Inline Security subscription) does not change the
order of the rules in the rulebase.
You can click several column headers to sort rules based on application
usage statistics. In addition, you can View Policy Rule Usage to help identify
and remove unused rules to reduce security risks and keep your policy
rule base organized. Rule usage tracking allows you to quickly validate new
rule additions and rule changes and to monitor rule usage for operations
and troubleshooting tasks.
- Traffic (Bytes, 30 days)—The amount of traffic seen on the rule over the last 30 days. The 30-day window places rules that currently match the most traffic at the top of the list by default (a longer time frame places more emphasis on older rules that would remain at the top of the list because they have large cumulative totals even though they may no longer see much traffic). Click to reverse the order.
- Apps Seen—Place the rules with the most or least applications seen at the top. The firewall never automatically purges the application data. The firewall updates Apps Seen approximately every hour. However, if there is a large volume of application traffic or a large number of rules, it may take longer than an hour to update. After you add an application to a rule, wait at least an hour before running Traffic logs to see the application’s log information.
- Days with No New Apps—Place the rules with the most or least days since the last new application matched the rule at the top.
- (Unused Apps only) Apps Allowed—Place the rules with the most or least applications configured on the rule at the top.
Application usage statistics only count applications for rules
that meet the following criteria:
- The rule’s Action must be Allow.
- The rule’s Log Setting must be Log at Session End (this is the default Log Setting). Rules that Log at Session Start are ignored to prevent counting transient applications.
- Valid traffic must match the rule. For example, if the session ends before enough traffic passes through the firewall to identify the application, it is not counted. The following traffic types are not valid and therefore don’t count for Policy Optimizer statistics:
  - Insufficient-data
  - Not-applicable
  - Non-syn-tcp
  - Incomplete

  You can filter the Traffic logs (Monitor > Logs > Traffic) to see traffic identified as one of these types. For example, to see all traffic identified as incomplete, use the filter (app eq incomplete).
If these criteria aren’t met, the application isn’t counted for
statistics such as Apps Seen, doesn’t affect
statistics such as Days with No New Apps,
and doesn’t appear in lists of applications.
The firewall doesn’t track application usage statistics
for the interzone-default and intrazone-default Security policy
rules.
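The counting criteria above, applied to constructed data as an added example (not Palo Alto Networks code and not part of the original page). The rule and session records use a hypothetical schema, not a PAN-OS export format, and only rules whose statistics are counted are reported.

```python
# Traffic types the page lists as not valid for Policy Optimizer statistics.
INVALID_APPS = {"insufficient-data", "not-applicable", "non-syn-tcp", "incomplete"}
# Default rules for which the firewall tracks no application usage.
UNTRACKED_RULES = {"interzone-default", "intrazone-default"}

# Constructed rules (hypothetical schema): action, log setting, configured apps.
RULES = {
    "web-out":    {"action": "allow", "log": "end",   "apps": {"web-browsing", "ssl", "ftp"}},
    "legacy-80":  {"action": "allow", "log": "end",   "apps": set()},  # port-based
    "legacy-443": {"action": "allow", "log": "end",   "apps": set()},  # port-based
    "dns-start":  {"action": "allow", "log": "start", "apps": {"dns"}},
    "block-p2p":  {"action": "deny",  "log": "end",   "apps": {"bittorrent"}},
}

# Constructed session records: (rule name, application identified).
SESSIONS = [
    ("web-out", "web-browsing"), ("web-out", "ssl"), ("web-out", "incomplete"),
    ("legacy-80", "web-browsing"), ("legacy-80", "ssh"),
    ("legacy-80", "insufficient-data"), ("legacy-443", "ssl"),
    ("dns-start", "dns"), ("block-p2p", "bittorrent"),
    ("intrazone-default", "ping"),
]

def rule_is_counted(name):
    """Rule-level criteria: tracked rule, Action allow, Log at Session End."""
    rule = RULES.get(name)
    return (rule is not None and name not in UNTRACKED_RULES
            and rule["action"] == "allow" and rule["log"] == "end")

def apps_seen(sessions):
    """Map each counted rule to the set of valid applications seen on it."""
    seen = {name: set() for name in RULES if rule_is_counted(name)}
    for name, app in sessions:
        if name in seen and app not in INVALID_APPS:
            seen[name].add(app)
    return seen

def optimizer_views(sessions):
    """Return (port-based rules sorted by apps seen, unused apps per rule)."""
    seen = apps_seen(sessions)
    no_app = [n for n in seen if not RULES[n]["apps"]]
    no_app.sort(key=lambda n: len(seen[n]), reverse=True)
    unused = {n: sorted(RULES[n]["apps"] - apps) for n, apps in seen.items()
              if RULES[n]["apps"] - apps}
    return no_app, unused

if __name__ == "__main__":
    print(optimizer_views(SESSIONS))
```

The first list mirrors the No App Specified view sorted by Apps Seen, and the dictionary mirrors the over-provisioned rules in Unused Apps.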
If the UUID of a rule changes, the application usage statistics
for that rule reset because the UUID change makes the firewall see
the rule as a different (new) rule.
To see and sort the applications seen on a rule, in the rule’s
row, click Compare or click the number in Apps Seen.
For the rules you see in Policies > Security > Policy Optimizer > No App Specified and Policies > Security > Policy Optimizer > Unused Apps,
clicking Compare or the Apps Seen number
brings up Applications & Usage, which
gives you a view of the applications seen on the rule and the ability
to sort them. Applications & Usage is
also where you Migrate Port-Based to App-ID Based Security Policy Rules and remove unused applications
from rules.
You can sort the applications seen on the rule by all six of
the Apps Seen statistics (Apps
Seen is not updated in real time and takes an hour or
longer to update, depending on the volume of traffic and number
of rules).
- Applications—Alphabetical by application name. If you configure specific ports or port ranges for a rule’s Service (the Service cannot be any), and there are standard (application default) ports for the application, and the configured ports don’t match the application-default ports, then a yellow, triangular warning icon appears next to the application.
- Subcategory—Alphabetical by application subcategory, derived from the application content metadata.
- Risk—According to the risk rating of the application.
- First Seen—The first day the application was seen on the rule. The time stamp resolution is by the day only (not hourly).
- Last Seen—The last day the application was seen on the rule. The time stamp resolution is by the day only (not hourly).
- Traffic (30 days)—Traffic in bytes that matched the rule over the last 30 days. This is the default sorting method.
Set the Timeframe to display statistics
for a particular time period—Anytime, the Past
7 days, the Past 15 days, or
the Past 30 days.
Traffic (30 days) always displays only the last 30 days of traffic
in bytes. Changing the Timeframe does not
change the duration of the Traffic (30 days) bytes
measurement.
Clicking the column header orders the display and clicking the
same column again reverses the order. For example, click Risk to sort
applications from low risk to high risk. Click Risk again
to sort applications from high risk to low risk.
The firewall doesn’t report application usage statistics in real
time for Policy Optimizer, so it isn’t a replacement for running
reports.
- The firewall updates Apps Allowed, Apps Seen, and the applications listed in Applications & Usage approximately every hour, not in real time. If there is a large amount of traffic or a large number of rules, updates may take longer. After you add an application to a rule, wait at least an hour before running Traffic logs to see the application’s log information.
- The firewall updates Days with No New Apps and also First Seen and Last Seen on Applications & Usage once per day, at midnight device time.
- For rules with large numbers of applications seen, it may take longer to process application usage statistics.
- For Security policy rulebases with large numbers of rules that have many applications, it may take longer to process application usage statistics.
- For firewalls managed by Panorama, application usage data is visible only for rules Panorama pushes to the firewalls, not for rules configured locally on individual firewalls.