Security Policy Rule Optimization
Migrate port-based Security rules to app-based rules, remove unused apps from rules, and safely enable apps without compromising availability.
Policy Optimizer provides a simple workflow to migrate your legacy Security policy rulebase to an App-ID based rulebase, which improves your security by reducing the attack surface and gaining visibility into applications so you can safely enable them. Policy Optimizer identifies port-based rules so you can convert them to application-based whitelist rules or add applications from a port-based rule to an existing application-based rule without compromising application availability. It also identifies over-provisioned App-ID based rules (App-ID rules configured with unused applications). Policy Optimizer helps you prioritize which port-based rules to migrate first, identify application-based rules that allow applications you don’t use, and analyze rule usage characteristics such as hit count.
Converting port-based rules to application-based rules improves your security posture because you select the applications you want to whitelist and deny all other applications, so you eliminate unwanted and potentially malicious traffic from your network. Combined with restricting application traffic to its default ports (set the Service to application-default), converting to application-based rules also prevents evasive applications from running on non-standard ports.
You can use this feature on:
- Firewalls that run PAN-OS version 9.0 and have App-ID enabled.
- Panorama running PAN-OS version 9.0. You don’t have to upgrade firewalls that Panorama manages to use the Policy Optimizer capabilities. However, to use the Rule Usage capabilities (Monitor Policy Rule Usage), managed firewalls must run PAN-OS 8.1 or later. If managed firewalls connect to Log Collectors, those Log Collectors must also run PAN-OS version 9.0.
PA-7000 Series Firewalls support two logging cards, the PA-7000 Series Firewall Log Processing Card (LPC) and the high-performance PA-7000 Series Firewall Log Forwarding Card (LFC). Unlike the LPC, the LFC does not have disks to store logs locally. Instead, the LFC forwards all logs to one or more external logging systems, such as Panorama or a syslog server. If you use the LFC, the application usage information for Policy Optimizer does not display on the firewall because traffic logs aren’t stored locally.
Use this feature to:
- Migrate port-based rules to application-based rules—Instead of combing through traffic logs and manually mapping applications to port-based rules, use Policy Optimizer to identify port-based rules and list the applications that matched each rule, so you can select the applications you want to allow and safely enable them. Converting your legacy port-based rules to application-based whitelist rules supports your business applications and enables you to block any applications associated with malicious activity.
- Identify over-provisioned application-based rules—Rules that are too broad allow applications you don’t use on your network, which increases the attack surface and the risk of inadvertently allowing malicious traffic. Remove unused applications from Security policy rules to reduce the attack surface and keep the rulebase clean. Don’t allow applications that nobody uses on your network.
To migrate a configuration from a legacy firewall to a Palo Alto Networks device, see Best Practices for Migrating to Application-Based Policy.
You can’t sort Security policy rules in Policies > Security because sorting would change the rule order in the rulebase. However, under Policies > Security > Policy Optimizer, Policy Optimizer provides sorting options that don’t affect the rule order to help you prioritize which rules to convert or clean up first. You can sort rules by the amount of traffic during the past 30 days, the number of applications seen on the rule, the number of days with no new applications, and the number of applications allowed (for over-provisioned rules).
You can use Policy Optimizer in other ways as well, including validating pre-production rules and troubleshooting existing rules. Note that Policy Optimizer honors only Log at Session End and ignores Log at Session Start to avoid counting transient applications on rules.
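The following Python script is an added illustration of the workflow described above; it is not Palo Alto Networks code and does not call the Policy Optimizer implementation. Over a constructed rulebase and constructed traffic log records (the rule names, applications and dates are made up), it identifies port-based rules, lists the applications seen on each so they can become an application-based rule with the Service set to application-default, flags applications configured on an app-based rule that never appeared in traffic, and sorts rules by the same criteria the page lists (traffic in the last 30 days, applications seen, days with no new applications, applications allowed). Like Policy Optimizer, it counts only session-end records and ignores session-start records.

```python
"""Model of the Policy Optimizer workflow over constructed sample data (added example)."""
from datetime import date, timedelta

# Constructed sample rulebase (hypothetical rule names). A legacy port-based
# rule is modelled as one whose application list is ["any"].
RULES = [
    {"name": "allow-web",  "service": ["tcp/80", "tcp/443"], "application": ["any"]},
    {"name": "allow-dns",  "service": ["udp/53"], "application": ["any"]},
    {"name": "allow-saas", "service": ["application-default"],
     "application": ["ms-office365", "salesforce", "dropbox", "box"]},
]

# Constructed traffic log records: (date, rule, app, log type).
TODAY = date(2024, 6, 30)
LOGS = [
    (TODAY - timedelta(days=25), "allow-web", "web-browsing", "end"),
    (TODAY - timedelta(days=25), "allow-web", "ssl", "end"),
    (TODAY - timedelta(days=20), "allow-web", "ssl", "end"),
    (TODAY - timedelta(days=3), "allow-web", "bittorrent", "start"),  # session start: ignored
    (TODAY - timedelta(days=10), "allow-dns", "dns", "end"),
    (TODAY - timedelta(days=2), "allow-dns", "dns", "end"),
    (TODAY - timedelta(days=1), "allow-saas", "ms-office365", "end"),
    (TODAY - timedelta(days=5), "allow-saas", "salesforce", "end"),
    (TODAY - timedelta(days=40), "allow-saas", "dropbox", "end"),  # outside 30-day window
]

EMPTY = {"hits": 0, "first_seen": {}}


def app_usage(logs, today=TODAY, window_days=30):
    """Per rule: hit count and first-seen date of each app, from session-end logs in the window."""
    cutoff = today - timedelta(days=window_days)
    usage = {}
    for day, rule, app, log_type in logs:
        if log_type != "end" or day < cutoff:
            continue  # honour Log at Session End only; drop records outside the window
        entry = usage.setdefault(rule, {"hits": 0, "first_seen": {}})
        entry["hits"] += 1
        if app not in entry["first_seen"] or day < entry["first_seen"][app]:
            entry["first_seen"][app] = day
    return usage


def port_based_rules(rules):
    """Rules that match on service/port only and allow any application."""
    return [r["name"] for r in rules if r["application"] == ["any"]]


def suggest_app_rule(rule, usage):
    """Whitelist the apps seen on a port-based rule and pin them to their default ports."""
    seen = sorted(usage.get(rule["name"], EMPTY)["first_seen"])
    return {"name": rule["name"], "service": ["application-default"], "application": seen}


def unused_apps(rule, usage):
    """Apps configured on an app-based rule that never matched traffic (over-provisioning)."""
    seen = usage.get(rule["name"], EMPTY)["first_seen"]
    return sorted(a for a in rule["application"] if a != "any" and a not in seen)


def days_since_new_app(rule, usage, today=TODAY):
    """Days since the most recently first-seen app on the rule; None if nothing was seen."""
    first = usage.get(rule["name"], EMPTY)["first_seen"]
    return (today - max(first.values())).days if first else None


def sort_rules(rules, usage, by="hits", today=TODAY):
    """Rule names ordered by a Policy Optimizer sort criterion, without touching rulebase order."""
    keys = {
        "hits": lambda r: usage.get(r["name"], EMPTY)["hits"],
        "apps_seen": lambda r: len(usage.get(r["name"], EMPTY)["first_seen"]),
        "days_without_new_apps": lambda r: days_since_new_app(r, usage, today) or 0,
        # only app-based rules have a meaningful "apps allowed" count
        "apps_allowed": lambda r: 0 if r["application"] == ["any"] else len(r["application"]),
    }
    return [r["name"] for r in sorted(rules, key=keys[by], reverse=True)]


if __name__ == "__main__":
    usage = app_usage(LOGS)
    for rule in RULES:
        if rule["name"] in port_based_rules(RULES):
            print("port-based:", rule["name"], "->", suggest_app_rule(rule, usage))
        else:
            print("app-based:", rule["name"], "unused apps:", unused_apps(rule, usage))
    print("by traffic:", sort_rules(RULES, usage, "hits"))
    print("by days without new apps:", sort_rules(RULES, usage, "days_without_new_apps"))
```

The suggested rule for allow-web keeps only ssl and web-browsing; the bittorrent record is dropped because it is a session-start log, which is exactly why the page notes that Policy Optimizer ignores Log at Session Start. The dropbox record on allow-saas falls outside the 30-day window, so dropbox and box are reported as unused and become candidates for removal.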
Due to resource constraints, VM-50 Lite virtual firewalls don’t support Policy Optimizer.
- Policy Optimizer Concepts
- Migrate Port-Based to App-ID Based Security Policy Rules
- Rule Cloning Migration Use Case: Web Browsing and SSL Traffic
- Add Applications to an Existing Rule
- Identify Security Policy Rules with Unused Applications
- High Availability for Application Usage Statistics
- How to Disable Policy Optimizer
Enable or Disable Policy Optimizer
Policy Optimizer provides many capabilities that make it easier to migrate to an application-based Security policy but you may disable it if you wish. ...
Policy Optimizer Concepts
Concepts for migrating port-based Security rules to app-based rules, removing unused apps from rules, and safely enabling apps without compromising availability. ...
Optimize security policy by migrating legacy rules to application-based rules and removing unused applications from rules, without compromising availability. ...
Best Practices for Migrating to Application-Based Policy
Use Expedition and Policy Optimizer to migrate legacy firewall security policy to a Palo Alto Networks next-generation firewall or Panorama. ...
Sorting and Filtering Security Policy Rules
Use application usage information to prioritize which rules to migrate from port-based to app-based rules or to clean up (remove unused apps) first. ...
Migrate Port-Based to App-ID Based Security Policy Rules
Policy Optimizer converts port-based Security policy rules to app-based rules without compromising app availability to safely enable applications. ...
Rule Cloning Migration Use Case: Web Browsing and SSL Traffic
Example of migrating port-based Security policy rules for web browsing and SSL traffic to app-based rules without affecting application availability. ...
Rules to Begin Converting After 30 Days
Types of legacy port-based security policy rules to convert to application-based rules after a month of monitoring production traffic. ...
Identify Security Policy Rules with Unused Applications
Policy Optimizer finds Security policy rules that specify applications not seen on your network so you can remove the unused apps to reduce the attack ...