Rule Cloning Migration Use Case: Web Browsing and SSL Traffic
Example of migrating port-based Security policy rules for web browsing and SSL traffic to app-based rules without affecting application availability.
A port-based rule that allows web access on TCP ports 80 (HTTP web-browsing) and 443 (HTTPS SSL) provides no control over which applications use those open ports. There are many web applications, so a general rule that allows web traffic allows thousands of applications, many of which you don’t want on your network.
This use case shows how to migrate a port-based policy that allows all web applications to an application-based policy that allows only the applications you want, so you can safely enable the applications you choose to allow. For rules that see a lot of applications, cloning the original port-based rule is safer than adding applications to the rule because adding replaces the port-based rule, so if you inadvertently forget to add a critical application, you affect application availability. And if you
Match Usage, which also replaces the port-based rule, you allow all of the applications the rule has seen, which could be dangerous, especially with web browsing traffic.
Cloning the rule retains the original port-based rule and places the cloned rule directly above the port-based rule in the rulebase, so you can monitor the rules. Cloning also allows you to split rules that see a lot of different applications—such as a port-based web traffic rule—into multiple application-based rules so you can treat different groups of applications differently. When you’re sure you’re allowing all the applications you need to allow in the cloned rule (or rules), you can remove the port-based rule.
This example clones a port-based web traffic rule to create an application-based rule for social networking traffic (a subset of the application traffic seen on the port-based rule).
- Navigate toto view the port-based rules.PoliciesSecurityPolicy OptimizerNo App Specified
- ClickComparefor the rule you want to migrate.In this example, the port-based rule that allows web access is named Traffic to internet.
- Use the sorting options to review and select the applications you want to allow fromApps Seen.The number ofApps Seenis updated approximately every hour, so if you don’t see as many applications as you expect, check again after about an hour. Depending on the firewall’s load, it may take longer than one hour for these fields to update.For example, clickSubcategoryto sort the applications, scroll to the social-networking subcategory, and then select the applications you want to allow.
- ClickCreate Cloned Rule.Create Cloned Ruleshows the selected applications shaded green, the container apps shaded gray, individual applications in the container that haven’t been seen on the rule initalics, and individual applications that have been seen on the rule in normal text font. Scrolling throughApplicationsshows all the container apps and their individual applications.Create Cloned Rulealso shows the application dependencies of the selected applications. Because we selected social applications but not web-browsing or ssl, web-browsing and ssl are among the listed application dependencies.
- Namethe cloned rule (in this example, the name will be Social Networking Apps).
- Select the applications you want in the cloned rule.For applications you don’t want to include, uncheck the corresponding box, which also unchecks the container app. If you don’t include the container app, then when new apps are added to the container, they won’t automatically be added to the rule.If you uncheck the container app, all the individual applications in the container are unchecked and you must select the apps you want to add manually.
- ClickOKto create the cloned rule.
- In, the cloned rule (Social Networking Apps) is inserted in the rulebase above the original port-based rule (Traffic to internet).PoliciesSecurity
- Click the rule name to edit the cloned rule, which inherits the properties of the original port-based rule.
- On theService/URL Categorytab, delete service-http and service-https fromService.This changes theServicetoapplication-default, which prevents applications from using non-standard ports and further reduces the attack surface.If business needs require you to allow applications (for example, internal custom applications) on non-standard ports between particular clients and servers, restrict the exception to only the required application, sources, and destinations. Consider rewriting custom applications so they use the application default port.
- On theSource,User, andDestinationtabs, tighten the rule to apply to only the right users in only the right locations (zones, subnets).For example, you may decide to limit social media activity to certain marketing, public relations, sales, and executive groups.
- Committhe configuration.
- Repeat the process for other application categories in the port-based web access rule until your application-based rules allow only the applications you want to allow on your network.When traffic you want to allow stops hitting the original port-based rule for a sufficient amount of time to be confident that the port-based rule is no longer needed, you can remove the port-based rule from the rulebase.