Sorting and Filtering Security Policy Rules

Use application usage information to prioritize which rules to migrate from port-based to app-based rules or to clean up (remove unused apps) first.
You can filter Security policy rules to see all the port-based rules, which have no applications configured (
Policies
Security
Policy Optimizer
No App Specified
). You can also filter to see all the rules that have applications configured but traffic doesn’t hit all of the applications (
Policies
Security
Policy Optimizer
Unused Apps
). You can sort the filtered policy rules based on different types of statistics to help prioritize which rules to convert from port-based to application-based rules or to clean up first.
You can’t filter or sort rules in
Policies
Security
because that would change the order of the policy rules in the rulebase. Filtering and sorting
Policies
Security
Policy Optimizer
No App Specified
and
Policies
Security
Policy Optimizer
Unused Apps
does not change the order of the rules in the rulebase.
You can click several column headers to sort port-based rules (
No App Specified
) and rules with unused applications (
Unused Apps
) based on application usage statistics. In addition, you can View Policy Rule Usage to help identify and remove unused rules to reduce security risks and keep your policy rule base organized. Rule usage tracking allows you to quickly validate new rule additions and rule changes and to monitor rule usage for operations and troubleshooting tasks.
rule-usage-sorting-options.png
  • Traffic (Bytes, 30 days)
    —The amount of traffic seen on the rule over the last 30 days. The 30-day window places rules that
    currently
    match the most traffic at the top of the list by default (a longer time frame places more emphasis on older rules that would remain at the top of the list because they have large cumulative totals even though they may no longer see much traffic). Click to reverse the order.
  • Apps Seen
    —Place the rules with the most or least applications seen at the top. The firewall never automatically purges the application data.
    The firewall updates
    Apps Seen
    approximately every hour. However, if there is a large volume of application traffic or a large number of rules, it may take longer than an hour to update. After you add an application to a rule, wait at least an hour before running Traffic logs to see the application’s log information.
  • Days with No New Apps
    —Place the rules with the most or least days since the last new application matched the rule at the top.
  • (
    Unused Apps
    only
    )
    Apps Allowed
    —Place the rules with the most or least applications configured on the rule at the top.
Application usage statistics only count applications for rules that meet the following criteria:
  • The rule’s Action must be
    Allow
    .
  • The rule’s Log Setting must be
    Log at Session End
    (this is the default Log Setting). Rules that
    Log at Session Start
    are ignored to prevent counting transient applications.
  • Valid traffic must match the rule. For example, if the session ends before enough traffic passes through the firewall to identify the application, it is not counted. The following traffic types are not valid and therefore don’t count for Policy Optimizer statistics:
    • Insufficient-data
    • Not-applicable
    • Non-syn-tcp
    • Incomplete
    You can filter the Traffic logs (
    Monitor
    Logs
    Traffic
    ) to see traffic identified as one of these types. For example, to see all traffic identified as incomplete, use the filter
    (app eq incomplete)
    .
If these criteria aren’t met, the application isn’t counted for statistics such as
Apps Seen
, doesn’t affect statistics such as
Days with No New Apps
, and doesn’t appear in lists of applications.
The firewall doesn’t track application usage statistics for the interzone-default and intrazone-default Security policy rules.
If the UUID of a rule changes, the application usage statistics for that rule reset because the UUID change makes the firewall see the rule as a different (new) rule.
To see and sort the applications seen on a rule, in the rule’s row, click
Compare
or click the number in
Apps Seen
.
click-compare-or-apps-seen-number-for-apps-and-usage.png
For the rules you see in
Policies
Security
Policy Optimizer
No App Specified
and
Policies
Security
Policy Optimizer
Unused Apps
, clicking
Compare
or the
Apps Seen
number brings up
Applications & Usage
, which gives you a view of the applications seen on the rule and the ability to sort them.
Applications & Usage
is also where you Migrate Port-Based to App-ID Based Security Policy Rules and remove unused applications from rules.
filtering-sorting-apps-and-usage-screen.png
You can sort the applications seen on the rule by all six of the
Apps Seen
statistics (
Apps Seen
is not updated in real time and takes an hour or longer to update, depending on the volume of traffic and number of rules).
  • Applications
    —Alphabetical by application name. If you configure specific ports or port ranges for a rule’s Service (the Service cannot be
    any
    ), and there are standard (application default) ports for the application, and the configured ports don’t match the application-default ports, then a yellow, triangular warning icon appears next to the application.
  • Subcategory
    —Alphabetical by application subcategory, derived from the application content metadata.
  • Risk
    —According to the risk rating of the application.
  • First Seen
    —The first day the application was seen on the rule. The time stamp resolution is by the day only (not hourly).
  • Last Seen
    —The last day the application was seen on the rule. The time stamp resolution is by the day only (not hourly).
  • Traffic (30 days)
    —Traffic in bytes that matched the rule over the last 30 days is the default sorting method.
Set the
Timeframe
to display statistics for a particular time period—
Anytime
, the
Past 7 days
, the
Past 15 days
, or the
Past 30 days
.
Traffic (30 days)
always displays only the last 30 days of traffic in bytes. Changing the
Timeframe
does not change the duration of the
Traffic (30 days)
bytes measurement.
Clicking the column header orders the display and clicking the same column again reverses the order. For example, click
Risk
to sort applications from low risk to high risk. Click
Risk
again to sort applications from high risk to low risk.
The firewall doesn’t report application usage statistics in real time on
Policies
Security
Policy Optimizer
No App Specified
,
Policies
Security
Policy Optimizer
Unused Apps
, or on
Applications & Usage
, so this feature isn’t a replacement for running reports.
  • The firewall updates
    Apps Allowed
    ,
    Apps Seen
    , and the applications listed in
    Applications & Usage
    approximately every hour, not in real time. If there is a large amount of traffic or a large number of rules, updates may take longer. After you add an application to a rule, wait at least an hour before running Traffic logs to see the application’s log information.
    The firewall updates
    Apps Seen
    approximately every hour. However, if there is a large volume of application traffic or a large number of rules, it may take longer than an hour to update. After you add an application to a rule, wait at least an hour before running Traffic logs to see the application’s log information.
  • The firewall updates
    Days with No New Apps
    and also
    First Seen
    and
    Last Seen
    on
    Applications & Usage
    once per day, at midnight device time.
  • For rules with large numbers of applications seen, it may take longer to process application usage statistics.
  • For Security policy rulebases with large numbers of rules that have many applications, it may take longer to process application usage statistics.
  • For firewalls managed by Panorama, application usage data is visible only for rules Panorama pushes to the firewalls, not for rules configured locally on individual firewalls.

Related Documentation