Applications and Usage

  • Policies > Security > Policy Optimizer > No App Specified > Compare (or click the number in Apps Seen)
  • Policies > Security > Policy Optimizer > Unused Apps > Compare (or click the number in Apps Seen)
  • Policies > Security and click the number in Apps Seen
On the Usage tab of the Security policy rule, you can also Compare Applications & Applications Seen to access tools that help you to migrate from port-based Security policy rules to application-based Security policy rules and to eliminate unused applications from rules in Applications & Usage.
Field
Description
Timeframe
The time period for the application information:
  • Anytime—Displays applications seen over the lifetime of the rule.
  • Past 7 days—Displays only applications seen over the last 7 days.
  • Past 15 days—Displays only applications seen over the last 15 days.
  • Past 30 days—Displays only applications seen over the last 30 days.
Apps on Rule
The applications configured on the rule or Any if no specific applications are configured on the rule. You can Browse, Add, and Delete applications as needed, and if applications are configured on a rule, the circled number next to Apps on Rule indicates how many. Adding applications from this location is the same as adding applications on the Security policy rule Application tab.
Apps Seen
All applications seen and allowed on the firewall that matched the rule. The circled number next to Apps Seen indicates how many applications were seen on the rule.
  • Applications—The applications seen on the rule. For example, if a rule allows web-browsing traffic (Apps on Rule), you may see many applications in the list because there are many web-browsing applications.
  • Subcategory—The subcategory of the application.
  • Risk—The risk rating of the application.
  • First Seen—The first day the application was seen on the network.
  • Last Seen—The most recent day the application was seen on the network.
    The granularity of measurement for First Seen and Last Seen is one day, so on the day you define a rule, the First Seen and Last Seen dates are the same day.
  • Traffic (30 days)—The amount of traffic in bytes seen during the last 30-day period.
    A longer time period would result in the oldest rules remaining at the top of the list because they are likely to have the most cumulative traffic. This can result in newer rules being listed below older rules even if the newer rules see heavy traffic.
Apps Seen Actions
Actions you can perform on Apps Seen:
  • Create Cloned Rule—Clones the current rule. When migrating from port-based rules to application-based rules, clone the port-based rule first and then edit the clone to create the application-based whitelist rule. The cloned rule is inserted above the port-based rule in the policy list. Use this migration method to ensure that you don’t inadvertently deny traffic that you want to allow—if the cloned rule doesn’t allow all the applications you need, the port-based rule that follows allows them. Monitor the port-based rule and adjust the (cloned) application-based rule as needed. When you’re sure the application-based rule allows the traffic you want and only unwanted traffic filters through to the port-based rule, you can safely remove the port-based rule.
  • Add to This Rule—Adds applications from Apps Seen to the rule. Adding applications to the rule transforms a rule configured to match Any application (a port-based rule) to an application-based rule that whitelists the applications you specify (the new application-based rule replaces the port-based rule). Any applications that you don’t add to the rule are denied, just as with any other application-based whitelist rule. Be sure to identify all applications you want to allow and add them to the rule so you don’t accidentally deny an application.
  • Add to Existing Rule—Adds applications from Apps Seen to an existing application-based (App-ID) rule. This enables you to clone an App-ID-based rule from a port-based rule, then add more applications seen on port-based rules to the App-ID rule later.
  • Match Usage—Moves all Apps Seen into the rule (they are listed under Apps on Rule after you Match Usage). If you are certain that the rule should allow all listed applications, Match Usage is very convenient. However, you must be certain that all listed applications are applications you want to allow on your network. If many applications have been seen on the rule (for example, on a rule that allows web-browsing), it’s better to clone the rule and transition to an application-based rule. Match Usage works well for simple rules with well-known applications. For example, if a port-based rule for port 22 has only seen SSH traffic (and that’s all it should see), it’s safe to Match Usage.
Clone dialog
Add to This Rule dialog
Add Apps to Existing Rule dialog
When you select applications from Apps Seen and Create Cloned Rule or Add to Rule that have related applications, these dialogs list:
  • Name (Clone and Add Apps to Existing Rule dialogs only).
    • Clone: Enter the name of the new cloned rule.
    • Add Apps to Existing Rule: Select the rule to which to add applications from the drop-down menu or enter the name of the rule.
  • Applications:
    • Add container app (default): Selects the checkboxes of all the container apps, the apps seen on the rule, and the apps in the container that have not been seen on the rule.
    • Add specific apps seen: Selects only the apps that have actually been seen on the rule and deselects everything else. (You can manually select container apps and other apps.)
  • Application:
    • The selected applications that were seen on the rule, highlighted green.
    • Container apps, highlighted gray, with their individual applications listed below.
    • Individual applications in a container that have been seen on the rule but were not selected in Applications & Usage (normal text).
    • Individual applications in a container that have not been seen on the rule (italics).
    • The date applications were Last Seen on the rule.
  • Dependent Applications:
    • The checkbox for adding application dependencies is checked by default because these applications are required for the selected application to run.
    • Depends On—The list of dependent applications for the selected applications. The applications you selected require these dependent applications to run.
    • Required By—Lists the application that requires the dependent application (Depends On). (Sometimes a dependent application in turn requires another dependent application.)
The Clone, Add to Rule, and Add Apps to Existing Rule dialogs help to ensure that applications don’t break and enable you to future-proof the rule by including relevant individual applications that are related to the applications you’re cloning or adding to a rule.
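
The clone-first migration described under Create Cloned Rule, modelled as an added example (not Palo Alto Networks code): a simplified first-match policy in which rules match only on destination port and application. The rule names, session records, and the set of wanted applications are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    ports: frozenset                         # destination ports the rule matches
    apps: set = field(default_factory=set)   # empty set models "Any" (port-based)

    def matches(self, app, port):
        return port in self.ports and (not self.apps or app in self.apps)

def apps_seen(policy, sessions):
    """Top-down, first-match evaluation. Returns {rule name: {app: bytes}}."""
    seen = {rule.name: {} for rule in policy}
    for app, port, nbytes in sessions:
        for rule in policy:
            if rule.matches(app, port):
                seen[rule.name][app] = seen[rule.name].get(app, 0) + nbytes
                break
    return seen

def fall_through(policy, sessions, port_rule, wanted):
    """Apps still matching the port-based rule: (wanted but not on clone, unwanted)."""
    hits = set(apps_seen(policy, sessions)[port_rule])
    return sorted(hits & wanted), sorted(hits - wanted)

def safe_to_remove(policy, sessions, port_rule, wanted):
    """True once no wanted application still relies on the port-based rule."""
    return not fall_through(policy, sessions, port_rule, wanted)[0]

# Constructed sample data: (application, destination port, bytes).
SESSIONS = [
    ("web-browsing", 80, 4_000), ("ssl", 443, 9_000), ("ms-update", 80, 2_500),
    ("bittorrent", 443, 7_000), ("ssl", 443, 1_000),
]
WANTED = {"web-browsing", "ssl", "ms-update"}   # assumed business requirement

def build_policy(clone_apps):
    """The clone sits above the port-based rule, as Create Cloned Rule places it."""
    ports = frozenset({80, 443})
    return [Rule("allow-web-appid", ports, set(clone_apps)), Rule("allow-web", ports)]

if __name__ == "__main__":
    for clone_apps in ({"web-browsing", "ssl"}, WANTED):
        policy = build_policy(clone_apps)
        missing, unwanted = fall_through(policy, SESSIONS, "allow-web", WANTED)
        print(sorted(clone_apps), "missing:", missing, "unwanted:", unwanted,
              "safe to remove:", safe_to_remove(policy, SESSIONS, "allow-web", WANTED))
```

With the first clone, ms-update still falls through to the port-based rule, so removing that rule would deny it; once it is added to the clone, only the unwanted application reaches the port-based rule and the rule can be retired.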
