1. Home
    2. PAN-OS
    3. PAN-OS® New Features Guide
    4. App-ID Features
    5. Policy Optimizer

    Policy Optimizer

    Optimize security policy by migrating legacy rules to application-based rules and removing unused applications from rules, without compromising availability.
    You now have a simple way to gain visibility into, control usage of, and safely enable applications in Security policy rules: Policy Optimizer. This new feature identifies port-based rules so you can convert them to application-based whitelist rules or add applications to existing rules without compromising application availability. It also identifies rules configured with unused applications.
    Policy Optimizer
     information helps you analyze rule characteristics and prioritize which rules to migrate or clean up first.
    Converting port-based rules to application-based rules enables you to whitelist the applications you want to allow and deny access to all other applications, which improves your security posture. Restricting application traffic to its default ports prevents evasive applications from running on non-standard ports. Removing unused applications from rules is a best practice that reduces the attack surface and keeps the rulebase clean.
    You can use this new feature on:
    • Firewalls that run PAN-OS version 9.0 and have App-ID enabled.
    • Panorama running PAN-OS version 9.0. You don’t have to upgrade firewalls that Panorama manages to use the
      Policy Optimizer
       capabilities. However, to use these capabilities, managed firewalls must run PAN-OS 8.1 or later. If managed firewalls connect to Log Collectors, those Log Collectors must also run PAN-OS version 9.0.
    Due to resource constraints, VM-50 Lite virtual firewalls don’t support the Policy Optimizer.

    Related Documentation

    Enable or Disable Policy Optimizer

    Policy Optimizer provides many capabilities that make it easier to migrate to an application-based Security policy but you may disable it if you wish. ...

    Policy Optimizer Concepts

    Concepts for migrating port-based Security rules to app-based rules, removing unused apps from rules, and safely enabling apps without compromising availability. ...

    App-ID Features

    App-ID Features Policy Optimizer Optimize security policy by migrating legacy rules to application-based rules and removing unused applications from rules, without compromising availability. HTTP/2 Inspection ...

    Best Practices for Migrating to Application-Based Policy

    Use Expedition and Policy Optimizer to migrate legacy firewall security policy to a Palo Alto Networks next-generation firewall or Panorama. ...

    App-ID Features

    Learn about the new App-ID™ features in PAN-OS® 9.0. ...

    Rules to Begin Converting After 30 Days

    Types of legacy port-based security policy rules to convert to application-based rules after a month of monitoring production traffic. ...

    Sorting and Filtering Security Policy Rules

    Use application usage information to prioritize which rules to migrate from port-based to app-based rules or to clean up (remove unused apps) first. ...

    Migrate to Application-Based Policy Using Policy Optimizer

    Convert legacy port-based Security policy rules to application-based rules to gain visibility into and control over applications. ...

    Identify Security Policy Rules with Unused Applications

    Policy Optimizer finds Security policy rules that specify applications not seen on your network so you can remove the unused apps to reduce the attack ...

    Migrate Port-Based to App-ID Based Security Policy Rules

    Policy Optimizer converts port-based Security policy rules to app-based rules without compromising app availability to safely enable applications. ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo