Sorting and Filtering Security Policy Rules
Use application usage information to prioritize which rules to migrate from port-based to app-based rules or to clean up (remove unused apps) first.
You can filter Security policy rules to see all the port-based rules, which have no applications configured (No App Specified). You can also filter to see all the rules that have applications configured but traffic doesn’t hit all of the applications (Unused Apps). You can sort the filtered policy rules based on different types of statistics to help prioritize which rules to convert from port-based to application-based rules or to clean up first.
You can’t filter or sort rules in
because that would change the order of the policy rules in the rulebase. Filtering and sorting No App Specified does not change the order of the rules in the rulebase.
You can click several column headers to sort port-based rules (No App Specified) and rules with unused applications (Unused Apps) based on application usage statistics. In addition, you can View Policy Rule Usage to help identify and remove unused rules to reduce security risks and keep your policy rule base organized. Rule usage tracking allows you to quickly validate new rule additions and rule changes and to monitor rule usage for operations and troubleshooting tasks.
- Traffic (Bytes, 30 days)—The amount of traffic seen on the rule over the last 30 days. The 30-day window places rules that currently match the most traffic at the top of the list by default (a longer time frame places more emphasis on older rules that would remain at the top of the list because they have large cumulative totals even though they may no longer see much traffic). Click to reverse the order.
- Apps Seen—Place the rules with the most or least applications seen at the top. The firewall never automatically purges the application data. The firewall updates Apps Seen approximately every hour. However, if there is a large volume of application traffic or a large number of rules, it may take longer than an hour to update. After you add an application to a rule, wait at least an hour before running Traffic logs to see the application’s log information.
- Days with No New Apps—Place the rules with the most or least days since the last new application matched the rule at the top.
- Apps Allowed (Unused Apps only)—Place the rules with the most or least applications configured on the rule at the top.
Application usage statistics only count applications for rules that meet the following criteria:
- The rule’s Action must be Allow.
- The rule’s Log Setting must be Log at Session End (this is the default Log Setting). Rules that Log at Session Start are ignored to prevent counting transient applications.
- Valid traffic must match the rule. For example, if the session ends before enough traffic passes through the firewall to identify the application, it is not counted. The following traffic types are not valid and therefore don’t count for Policy Optimizer statistics:
You can filter the Traffic logs (Monitor > Logs > Traffic) to see traffic identified as one of these types. For example, to see all traffic identified as incomplete, use the filter (app eq incomplete).
If these criteria aren’t met, the application isn’t counted for statistics such as Apps Seen, doesn’t affect statistics such as Days with No New Apps, and doesn’t appear in lists of applications.
The firewall doesn’t track application usage statistics for the interzone-default and intrazone-default Security policy rules.
If the UUID of a rule changes, the application usage statistics for that rule reset because the UUID change makes the firewall see the rule as a different (new) rule.
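The counting rules above, modelled as an added Python example (not Palo Alto Networks code): it applies the criteria to constructed session records and derives Apps Seen and Days with No New Apps per rule UUID. The record field names and sample rules are assumptions for illustration, and only the invalid traffic type named on this page (incomplete) is filtered.

```python
from collections import defaultdict
from datetime import date

INVALID_APPS = {"incomplete"}  # only this type is named on the page; add the others your firewall reports
DEFAULT_RULES = {"interzone-default", "intrazone-default"}

def counts_for_stats(s):
    """True if a session record meets the criteria listed above."""
    return (s["rule"] not in DEFAULT_RULES and s["action"] == "allow"
            and s["log"] == "session-end" and s["app"] not in INVALID_APPS)

def rule_stats(sessions, today):
    """Per-rule statistics keyed by UUID, so a changed UUID starts from zero."""
    first_seen, names = defaultdict(dict), {}
    for s in filter(counts_for_stats, sessions):
        names[s["uuid"]] = s["rule"]
        apps = first_seen[s["uuid"]]
        apps[s["app"]] = min(apps.get(s["app"], s["day"]), s["day"])
    return {u: {"rule": names[u], "apps_seen": len(apps),
                # days since the most recent *new* application appeared on the rule
                "days_with_no_new_apps": (today - max(apps.values())).days}
            for u, apps in first_seen.items()}

def sort_rules(stats, column, descending=True):
    """Order rule UUIDs by one statistic, like clicking a column header."""
    return sorted(stats, key=lambda u: stats[u][column], reverse=descending)

def S(uuid, rule, app, day, action="allow", log="session-end"):
    """Build one constructed session record dated in January 2024."""
    return {"uuid": uuid, "rule": rule, "app": app, "day": date(2024, 1, day),
            "action": action, "log": log}

# Constructed sample sessions (hypothetical field names, not the PAN-OS log schema).
SESSIONS = [
    S("u-1", "allow-web", "web-browsing", 2),
    S("u-1", "allow-web", "ssl", 10),
    S("u-1", "allow-web", "web-browsing", 25),                # repeat app: not "new"
    S("u-1", "allow-web", "incomplete", 26),                  # invalid traffic: ignored
    S("u-2", "legacy-ports", "ftp", 5, log="session-start"),  # Log at Session Start: ignored
    S("u-3", "block-telnet", "telnet", 6, action="deny"),     # not an Allow rule: ignored
    S("u-0", "intrazone-default", "dns", 7),                  # default rule: not tracked
    S("u-1b", "allow-web", "dns", 20),                        # same rule after a UUID change
]
TODAY = date(2024, 1, 30)
STATS = rule_stats(SESSIONS, TODAY)

if __name__ == "__main__":
    for u in sort_rules(STATS, "days_with_no_new_apps"):
        print(u, STATS[u])
```

Rules u-2, u-3 and the default rule produce no statistics at all, which is why a rule that passes traffic can still show nothing under Apps Seen.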
To see and sort the applications seen on a rule, in the rule’s row, click Compare or click the number in Apps Seen. For the rules you see in No App Specified, the Apps Seen number brings up Applications & Usage, which gives you a view of the applications seen on the rule and the ability to sort them. Applications & Usage is also where you Migrate Port-Based to App-ID Based Security Policy Rules and remove unused applications from rules.
You can sort the applications seen on the rule by all six of the Apps Seen statistics (Apps Seen is not updated in real time and takes an hour or longer to update, depending on the volume of traffic and number of rules).
- Applications—Alphabetical by application name. If you configure specific ports or port ranges for a rule’s Service (the Service cannot be any), and there are standard (application default) ports for the application, and the configured ports don’t match the application-default ports, then a yellow, triangular warning icon appears next to the application.
- Subcategory—Alphabetical by application subcategory, derived from the application content metadata.
- Risk—According to the risk rating of the application.
- First Seen—The first day the application was seen on the rule. The time stamp resolution is by the day only (not hourly).
- Last Seen—The last day the application was seen on the rule. The time stamp resolution is by the day only (not hourly).
- Traffic (30 days)—Traffic in bytes that matched the rule over the last 30 days. This is the default sorting method.
Set the Timeframe to display statistics for a particular time period—the Past 7 days, the Past 15 days, or the Past 30 days. Traffic (30 days) always displays only the last 30 days of traffic in bytes. Changing the Timeframe does not change the duration of the Traffic (30 days) bytes measurement.
Clicking the column header orders the display and clicking the same column again reverses the order. For example, click Risk to sort applications from low risk to high risk. Click Risk again to sort applications from high risk to low risk.
The firewall doesn’t report application usage statistics in real time on No App Specified or on Applications & Usage, so this feature isn’t a replacement for running reports.
- The firewall updates Apps Allowed, Apps Seen, and the applications listed in Applications & Usage approximately every hour, not in real time. If there is a large amount of traffic or a large number of rules, updates may take longer. After you add an application to a rule, wait at least an hour before running Traffic logs to see the application’s log information.
- The firewall updates Days with No New Apps and also First Seen and Last Seen on Applications & Usage once per day, at midnight device time.
- For rules with large numbers of applications seen, it may take longer to process application usage statistics.
- For Security policy rulebases with large numbers of rules that have many applications, it may take longer to process application usage statistics.
- For firewalls managed by Panorama, application usage data is visible only for rules Panorama pushes to the firewalls, not for rules configured locally on individual firewalls.