Add Apps to an Application Filter with Policy Optimizer
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Add Apps to an Application Filter with Policy Optimizer
Automate adding App-ID Cloud Engine (ACE) applications
dynamically to Security policy rules using Application Filters.
Add App-IDs from the App-ID Cloud Engine (ACE)
to Application Filters to automate adding cloud App-IDs to Security policy.
When new ACE App-IDs match an Application Filter, the firewall adds
them to the filter automatically. When you use the Application Filter
in a Security policy rule, the rule automatically controls new ACE
App-IDs as they arrive at the firewall and are added to the filter.
ACE
provides App-IDs for applications that were previously identified
as ssl or web-browsing.
Using Application Filters is
a best practice because they:
- Improve your security posture. Application Filters automate adding new ACE App-IDs to Security policy rules that you design specifically to handle a particular type of application traffic, instead of matching the traffic to more general ssl or web-browsing rules.
- Save time. Firewall administrators can configure Application Filters to handle different types of traffic so that adding new ACE App-IDs to policy is automatic and requires no further effort by the administrator.
When you create Application
Filters, exclude ssl and web-browsing from the filters. Together,
ssl and web-browsing match all browser-based cloud applications,
so an Application Filter that includes ssl and web-browsing matches
all browser-based cloud applications.
Use Policy Optimizer to add
ACE App-IDs to Application Filters and to apply the filters to Security
policy rules.
- Go to PoliciesSecurity and then select Policy OptimizerNew App Viewer.If the firewall has identified traffic with ACE App-IDs, a number displays next to New App Viewer in the left navigation window to show how many rules match ACE App-IDs. The screen displays the Security policy rules that match cloud App-IDs.Click the number in Apps Seen for a Security policy rule to view the cloud-delivered applications that matched the rule in the Applications & Usage dialog.Select the applications that you want to add to an existing or new Application Filter.You can sort and filter the applications in Apps Seen by subcategory, risk, amount of traffic seen over the last 30 days, or when the application was first or last seen.Select Application Filter from Create Cloned Rule or Add to Existing Rule, depending on how you want to handle the applications.The maximum number of applications you can clone using Create Cloned Rule is 1,000 applications. If there are more than 1,000 applications that you want to move to a different rule, use Add to Existing Rule instead. If you want to move the applications to a new rule, simply create the rule first (PoliciesSecurity) and then use Policy Optimizer to add them to that rule.Select or create the Application Filter. Creating an Application Filter using Policy Optimizer is the almost exactly the same as using ObjectsApplication Filters to create an Application Filter—you use the same filtering tools and options. This step shows you how to use Policy Optimizer first for creating a cloned and then for adding to an existing rule.Create Cloned Rule:
- Type the Cloned Rule Name (the name for the cloned rule, which will appear in the Security policy rulebase immediately above the original rule).
- Select the Policy Action (Allow or Deny).
- Select the Application Filter Name from the menu or type the name of a new Application Filter.
- Select whether the filter should Apply to New App-IDs only or if it should apply to all App-IDs.
- Use the Category, Subcategory, Risk, Tags, and Characteristic values to filter the types of applications you want to add to the Application Filter. The firewall automatically adds new applications that meet the filter criteria to the Application Filter.
- Click OK to add the applications to the new or existing Application Filter. The firewall includes the applications that you selected in Step 3 in the Application Filter.
- Commit the changes.
Add to Existing Rule:- Select the Existing Rule Name to add the selected applications to an existing rule in an Application Filter.
- Select the Application Filter Name from the menu or type the name of a new Application Filter.
- Select whether the Application Filter is Shared, whether you want to Disable override of application characteristics for the filter, and whether the filter should Apply to New App-IDs only or if it should apply to all App-IDs.
- Use the Category, Subcategory, Risk, Tags, and Characteristic values to filter the types of applications you want to add to the Application Filter. The firewall automatically adds new applications that meet the filter criteria to the Application Filter.
- Click OK to add the applications to the new or existing Application Filter. The firewall includes the applications that you selected in Step 3 in the Application Filter.
- Commit the changes.