Optimize security policy by migrating legacy rules to
application-based rules and removing unused applications from rules,
without compromising availability.
You now have a simple way to gain visibility
into, control usage of, and safely enable applications in Security
policy rules: Policy Optimizer. This
new feature identifies port-based rules so you can convert them
to application-based rules that allow the traffic or add applications
to existing rules without compromising application availability.
It also identifies rules configured with unused applications.
information helps you analyze rule characteristics
and prioritize which rules to migrate or clean up first.
Converting port-based rules to application-based
rules enables you to include the applications you want to allow
in an allow list and deny access to all other applications, which
improves your security posture. Restricting application traffic
to its default ports prevents evasive applications from running
on non-standard ports. Removing unused applications from rules is
a best practice that reduces the attack surface and keeps the rulebase
You can use this new feature on:
Firewalls that run PAN-OS version 9.0 and have App-ID enabled.
Panorama running PAN-OS version 9.0. You don’t have to upgrade
firewalls that Panorama manages to use the
However, to use these capabilities, managed firewalls must run PAN-OS
8.1 or later. If managed firewalls connect to Log Collectors, those
Log Collectors must also run PAN-OS version 9.0. Managed PA-7000
Series firewalls that have a Log Processing Card (LPC) can also
run PAN-OS 8.1 (or later).
Due to resource constraints, VM-50 Lite virtual firewalls
don’t support the Policy Optimizer.