Sorting and Filtering Security Policy Rules
Focus
Focus

Sorting and Filtering Security Policy Rules

Table of Contents

Sorting and Filtering Security Policy Rules

Use application usage information to prioritize which rules to migrate from port-based to app-based rules or to clean up (remove unused apps) first.
You can filter Security policy rules to see the port-based rules, which are rules with no applications configured on them (PoliciesSecurityPolicy OptimizerNo App Specified). You can also filter to see the rules that have applications configured on them, but traffic only matches some of the configured applications—the rule is over-provisioned and includes applications that aren’t seen on the rule (PoliciesSecurityPolicy OptimizerUnused Apps). In addition, if you have a SaaS Security Inline license, you can use the New App Viewer to filter rules that have seen new App-ID Cloud Engine (ACE) applications (see the ACE documentation for how to do this). You can sort the filtered policy rules based on different types of statistics to help prioritize which rules to convert from port-based to application-based rules or to clean up first.
You can’t filter or sort rules in PoliciesSecurity because that would change the order of the policy rules in the rulebase. Filtering and sorting PoliciesSecurityPolicy OptimizerNo App Specified, PoliciesSecurityPolicy OptimizerUnused Apps, and PoliciesSecurityPolicy OptimizerNew App Viewer (if you have a SaaS Inline Security subscription) does not change the order of the rules in the rulebase.
You can click several column headers to sort rules based on application usage statistics. In addition, you can View Policy Rule Usage to help identify and remove unused rules to reduce security risks and keep your policy rule base organized. Rule usage tracking allows you to quickly validate new rule additions and rule changes and to monitor rule usage for operations and troubleshooting tasks.
  • Traffic (Bytes, 30 days)—The amount of traffic seen on the rule over the last 30 days. The 30-day window places rules that currently match the most traffic at the top of the list by default (a longer time frame places more emphasis on older rules that would remain at the top of the list because they have large cumulative totals even though they may no longer see much traffic). Click to reverse the order.
  • Apps Seen—Place the rules with the most or least applications seen at the top. The firewall never automatically purges the application data.
    The firewall updates Apps Seen approximately every hour. However, if there is a large volume of application traffic or a large number of rules, it may take longer than an hour to update. After you add an application to a rule, wait at least an hour before running Traffic logs to see the application’s log information.
  • Days with No New Apps—Place the rules with the most or least days since the last new application matched the rule at the top.
  • (Unused Apps only) Apps Allowed—Place the rules with the most or least applications configured on the rule at the top.
Application usage statistics only count applications for rules that meet the following criteria:
  • The rule’s Action must be Allow.
  • The rule’s Log Setting must be Log at Session End (this is the default Log Setting). Rules that Log at Session Start are ignored to prevent counting transient applications.
  • Valid traffic must match the rule. For example, if the session ends before enough traffic passes through the firewall to identify the application, it is not counted. The following traffic types are not valid and therefore don’t count for Policy Optimizer statistics:
    • Insufficient-data
    • Not-applicable
    • Non-syn-tcp
    • Incomplete
    You can filter the Traffic logs (MonitorLogsTraffic) to see traffic identified as one of these types. For example, to see all traffic identified as incomplete, use the filter (app eq incomplete).
If these criteria aren’t met, the application isn’t counted for statistics such as Apps Seen, doesn’t affect statistics such as Days with No New Apps, and doesn’t appear in lists of applications.
The firewall doesn’t track application usage statistics for the interzone-default and intrazone-default Security policy rules.
If the UUID of a rule changes, the application usage statistics for that rule reset because the UUID change makes the firewall see the rule as a different (new) rule.
To see and sort the applications seen on a rule, in the rule’s row, click Compare or click the number in Apps Seen.
For the rules you see in PoliciesSecurityPolicy OptimizerNo App Specified and PoliciesSecurityPolicy OptimizerUnused Apps, clicking Compare or the Apps Seen number brings up Applications & Usage, which gives you a view of the applications seen on the rule and the ability to sort them. Applications & Usage is also where you Migrate Port-Based to App-ID Based Security Policy Rules and remove unused applications from rules.
You can sort the applications seen on the rule by all six of the Apps Seen statistics (Apps Seen is not updated in real time and takes an hour or longer to update, depending on the volume of traffic and number of rules).
  • Applications—Alphabetical by application name. If you configure specific ports or port ranges for a rule’s Service (the Service cannot be any), and there are standard (application default) ports for the application, and the configured ports don’t match the application-default ports, then a yellow, triangular warning icon appears next to the application.
  • Subcategory—Alphabetical by application subcategory, derived from the application content metadata.
  • Risk—According to the risk rating of the application.
  • First Seen—The first day the application was seen on the rule. The time stamp resolution is by the day only (not hourly).
  • Last Seen—The last day the application was seen on the rule. The time stamp resolution is by the day only (not hourly).
  • Traffic (30 days)—Traffic in bytes that matched the rule over the last 30 days is the default sorting method.
Set the Timeframe to display statistics for a particular time period—Anytime, the Past 7 days, the Past 15 days, or the Past 30 days.
Traffic (30 days) always displays only the last 30 days of traffic in bytes. Changing the Timeframe does not change the duration of the Traffic (30 days) bytes measurement.
Clicking the column header orders the display and clicking the same column again reverses the order. For example, click Risk to sort applications from low risk to high risk. Click Risk again to sort applications from high risk to low risk.
The firewall doesn’t report application usage statistics in real time for Policy Optimizer, so it isn’t a replacement for running reports.
  • The firewall updates Apps Allowed, Apps Seen, and the applications listed in Applications & Usage approximately every hour, not in real time. If there is a large amount of traffic or a large number of rules, updates may take longer. After you add an application to a rule, wait at least an hour before running Traffic logs to see the application’s log information.
    The firewall updates Apps Seen approximately every hour. However, if there is a large volume of application traffic or a large number of rules, it may take longer than an hour to update. After you add an application to a rule, wait at least an hour before running Traffic logs to see the application’s log information.
  • The firewall updates Days with No New Apps and also First Seen and Last Seen on Applications & Usage once per day, at midnight device time.
  • For rules with large numbers of applications seen, it may take longer to process application usage statistics.
  • For Security policy rulebases with large numbers of rules that have many applications, it may take longer to process application usage statistics.
  • For firewalls managed by Panorama, application usage data is visible only for rules Panorama pushes to the firewalls, not for rules configured locally on individual firewalls.