Security Policy Rule Optimization

Migrate port-based Security rules to app-based rules, remove unused apps from rules, and safely enable apps without compromising availability.
Policy Optimizer provides a simple workflow to migrate your legacy Security policy rulebase to an App-ID based rulebase, which improves your security by reducing the attack surface and gaining visibility into applications so you can safely enable them. Policy Optimizer identifies port-based rules so you can convert them to application-based whitelist rules or add applications from a port-based rule to an existing application-based rule without compromising application availability. It also identifies over-provisioned App-ID based rules (App-ID rules configured with unused applications). Policy Optimizer helps you prioritize which port-based rules to migrate first, identify application-based rules that allow applications you don’t use, and analyze rule usage characteristics such as hit count.
Converting port-based rules to application-based rules improves your security posture because you select the applications you want to whitelist and deny all other applications, so you eliminate unwanted and potentially malicious traffic from your network. Combined with restricting application traffic to its default ports (set the Service to application-default), converting to application-based rules also prevents evasive applications from running on non-standard ports.
You can use this feature on:
  • Firewalls that run PAN-OS version 9.0 and have App-ID enabled.
  • Panorama running PAN-OS version 9.0. You don’t have to upgrade firewalls that Panorama manages to use the Policy Optimizer capabilities. However, to use the Rule Usage capabilities (Monitor Policy Rule Usage), managed firewalls must run PAN-OS 8.1 or later. If managed firewalls connect to Log Collectors, those Log Collectors must also run PAN-OS version 9.0.
PA-7000 Series Firewalls support two logging cards, the PA-7000 Series Firewall Log Processing Card (LPC) and the high-performance PA-7000 Series Firewall Log Forwarding Card (LFC). Unlike the LPC, the LFC does not have disks to store logs locally. Instead, the LFC forwards all logs to one or more external logging systems, such as Panorama or a syslog server. If you use the LFC, the application usage information for Policy Optimizer does not display on the firewall because traffic logs aren’t stored locally.
Use this feature to:
  • Migrate port-based rules to application-based rules: Instead of combing through traffic logs and manually mapping applications to port-based rules, use Policy Optimizer to identify port-based rules and list the applications that matched each rule, so you can select the applications you want to allow and safely enable them. Converting your legacy port-based rules to application-based whitelist rules supports your business applications and enables you to block any applications associated with malicious activity.
  • Identify over-provisioned application-based rules: Rules that are too broad allow applications you don’t use on your network, which increases the attack surface and the risk of inadvertently allowing malicious traffic. Remove unused applications from Security policy rules to reduce the attack surface and keep the rulebase clean. Don’t allow applications that nobody uses on your network.
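As an added illustration (not Palo Alto Networks code), the following Python models the two checks described above over a constructed rulebase and constructed session-end log records: it flags port-based rules (application set to any) ranked by traffic volume, lists the App-IDs seen on each so an administrator can choose what to whitelist, and finds over-provisioned App-ID rules whose configured applications never appear in the logs. Rule names, applications and log entries are all constructed.

```python
from collections import Counter
# Constructed rulebase (not a real configuration): application == ["any"]
# marks a legacy port-based rule; the others are App-ID based rules.
RULES = [
    {"name": "allow-web-legacy", "application": ["any"],
     "service": ["tcp/80", "tcp/443"]},
    {"name": "allow-collab", "application": ["slack", "zoom", "webex", "bittorrent"],
     "service": ["application-default"]},
    {"name": "allow-dns", "application": ["dns"], "service": ["application-default"]},
]

# Constructed traffic log records: (rule matched, App-ID identified, log type).
LOGS = [
    ("allow-web-legacy", "web-browsing", "end"),
    ("allow-web-legacy", "ssl", "end"),
    ("allow-web-legacy", "ssl", "end"),
    ("allow-web-legacy", "tor", "end"),
    ("allow-web-legacy", "tor", "start"),  # Log at Session Start: ignored
    ("allow-collab", "slack", "end"),
    ("allow-collab", "zoom", "end"),
    ("allow-dns", "dns", "end"),
]

def apps_seen(logs):
    """Count App-IDs per rule, honouring only Log at Session End records."""
    seen = {}
    for rule, app, kind in logs:
        if kind == "end":
            seen.setdefault(rule, Counter())[app] += 1
    return seen

def port_based_rules(rules, seen):
    """Port-based rules (application any), busiest first, to migrate first."""
    pb = [r for r in rules if r["application"] == ["any"]]
    return sorted(pb, key=lambda r: -sum(seen.get(r["name"], Counter()).values()))

def over_provisioned(rules, seen):
    """Map each App-ID rule to the configured apps with no session-end hits."""
    result = {}
    for r in rules:
        if r["application"] != ["any"]:
            unused = set(r["application"]) - set(seen.get(r["name"], {}))
            if unused:
                result[r["name"]] = unused
    return result

def proposed_app_rule(rule, seen):
    """Draft an App-ID whitelist on application-default from the apps seen;
    the administrator still reviews the list (here 'tor' would be dropped)."""
    return {"name": rule["name"], "application": sorted(seen.get(rule["name"], {})),
            "service": ["application-default"]}
```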
To migrate a configuration from a legacy firewall to a Palo Alto Networks device, see Best Practices for Migrating to Application-Based Policy.
You can’t sort Security policy rules in Policies > Security because sorting would change the rule order in the rulebase. However, under Policies > Security > Policy Optimizer, Policy Optimizer provides sorting options that don’t affect the rule order to help you prioritize which rules to convert or clean up first. You can sort rules by the amount of traffic during the past 30 days, the number of applications seen on the rule, the number of days with no new applications, and the number of applications allowed (for over-provisioned rules).
You can use Policy Optimizer in other ways as well, including validating pre-production rules and troubleshooting existing rules. Note that Policy Optimizer honors only Log at Session End and ignores Log at Session Start to avoid counting transient applications on rules.
Due to resource constraints, VM-50 Lite virtual firewalls don’t support Policy Optimizer.