Optimize security policy by migrating legacy rules to
application-based rules and removing unused applications from rules,
without compromising availability.
You now have a simple way to gain visibility
into, control usage of, and safely enable applications in Security
policy rules: Policy Optimizer. This
new feature identifies port-based rules so you can convert them to
application-based whitelist rules or add applications to existing
rules without compromising application availability. It also identifies
rules configured with unused applications.
helps you analyze rule characteristics and prioritize which rules
to migrate or clean up first.
Converting port-based rules to application-based
rules enables you to whitelist the applications you want to allow
and deny access to all other applications, which improves your security
posture. Restricting application traffic to its default ports prevents
evasive applications from running on non-standard ports. Removing unused
applications from rules is a best practice that reduces the attack
surface and keeps the rulebase clean.
You can use this new feature on:
Firewalls that run PAN-OS version 9.0 and have App-ID enabled.
Panorama running PAN-OS version 9.0. You don’t have to upgrade
firewalls that Panorama manages to use the
However, to use these capabilities, managed firewalls must run PAN-OS
8.1 or later. If managed firewalls connect to Log Collectors, those
Log Collectors must also run PAN-OS version 9.0. Managed PA-7000
Series firewalls that have a Log Processing Card (LPC) can also
run PAN-OS 8.1 (or later).
Due to resource constraints, VM-50 Lite virtual firewalls
don’t support the Policy Optimizer.