1. Home
    2. PAN-OS
    3. PAN-OS Administrator's Guide
    4. Policy
    5. Best Practice Internet Gateway Security Policy
    6. Monitor and Fine Tune the Policy Rulebase

    Monitor and Fine Tune the Policy Rulebase

    A best practice security policy is iterative. It is a tool for safely enabling applications, users, and content by classifying all traffic, across all ports, all the time. As soon as you Define the Initial Internet Gateway Security Policy, you must begin to monitor the traffic that matches the temporary rules designed to identify policy gaps and alarming behavior and tune your policy accordingly. By monitoring traffic hitting these rules, you can make appropriate adjustments to your rules to either make sure all traffic is hitting your whitelist application allow rules or assess whether particular applications should be allowed. As you tune your rulebase, you should see less and less traffic hitting these rules. When you no longer see traffic hitting these rules, it means that your positive enforcement whitelist rules are complete and you can Remove the Temporary Rules.
    Because new App-IDs are added in weekly content releases, you should review the impact the changes in App-IDs have on your policy.
    1. Create custom reports that let you monitor traffic that hits the rules designed to identify policy gaps.
      1. Select
        Monitor
        Manage Custom Reports
        .
      2. Add
         a report and give it a descriptive
        Name
         that indicates the particular policy gap you are investigating, such as Best Practice Policy Tuning.
      3. Set the
        Database
         to
        Traffic Summary
        .
      4. Select the
        Scheduled
         check box.
      5. Add the following to the Selected Columns list:
        Rule
        ,
        Application
        ,
        Bytes
        ,
        Sessions
        .
      6. Set the desired
        Time Frame
        ,
        Sort By
         and
        Group By
         fields.
      7. Define the query to match traffic hitting the rules designed to find policy gaps and alarming behavior. You can create a single report that details traffic hitting any of the rules (using the
        or
         operator), or create individual reports to monitor each rule. Using the rule names defined in the example policy, you would enter the corresponding queries:
        • (rule eq 'Unexpected Port SSL and Web')
        • (rule eq 'Unknown User SSL and Web')
        • (rule eq 'Unexpected Traffic')
        • (rule eq 'Unexpected Port Usage')
      bp-custom-report-monitor-policy.png
    2. Review the report regularly to make sure you understand why traffic is hitting each of the best practice policy tuning rules and either update your policy to include legitimate applications and users, or use the information in the report to assess the risk of that application usage and implement policy reforms.
      bp-monitor-report-results.png

    Related Documentation

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo