Rule Cloning Migration Use Case: Web Browsing and SSL Traffic

Example of migrating port-based Security policy rules for web browsing and SSL traffic to app-based rules without affecting application availability.
A port-based rule that allows web access on TCP ports 80 (HTTP web-browsing) and 443 (HTTPS SSL) provides no control over which applications use those open ports. There are many web applications, so a general rule that allows web traffic allows thousands of applications, many of which you don’t want on your network.
This use case shows how to migrate a port-based policy that allows all web applications to an application-based policy that allows only the applications you want, so you can safely enable the applications you choose to allow. For rules that see a lot of applications, cloning the original port-based rule is safer than adding applications to the rule, because adding applications replaces the port-based rule: if you inadvertently forget to add a critical application, you affect application availability. And if you use Match Usage, which also replaces the port-based rule, you allow all of the applications the rule has seen, which could be dangerous, especially with web browsing traffic.
Cloning the rule retains the original port-based rule and places the cloned rule directly above the port-based rule in the rulebase, so you can monitor the rules. Cloning also allows you to split rules that see a lot of different applications—such as a port-based web traffic rule—into multiple application-based rules so you can treat different groups of applications differently. When you’re sure you’re allowing all the applications you need to allow in the cloned rule (or rules), you can remove the port-based rule.
This example clones a port-based web traffic rule to create an application-based rule for social networking traffic (a subset of the application traffic seen on the port-based rule).
  1. Navigate to Policy Optimizer > No App Specified to view the port-based rules.
  2. Select the rule you want to migrate.
    In this example, the port-based rule that allows web access is named Traffic to internet.
  3. Use the sorting options to review the applications in Apps Seen and select the ones you want to allow.
    The number of Apps Seen is updated approximately every hour, so if you don't see as many applications as you expect, check again after about an hour. Depending on the firewall's load, it may take longer than one hour for these fields to update.
    For example, sort the applications by subcategory, scroll to the social-networking subcategory, and then select the applications you want to allow.
  4. Click Create Cloned Rule.
    Create Cloned Rule shows the selected applications shaded green, the container apps shaded gray, and the individual applications in each container, with those that haven't been seen on the rule set in a different font style from those that have been seen on the rule (which appear in normal text). Scrolling through the list shows all the container apps and their individual applications.
    Create Cloned Rule also shows the application dependencies of the selected applications. Because we selected social-networking applications but not web-browsing or ssl, web-browsing and ssl are among the listed application dependencies.
  5. Name the cloned rule (in this example, the name is Social Networking Apps).
  6. Select the applications you want in the cloned rule.
    For applications you don’t want to include, uncheck the corresponding box, which also unchecks the container app. If you don’t include the container app, then when new apps are added to the container, they won’t automatically be added to the rule.
    If you uncheck the container app, all the individual applications in the container are unchecked and you must select the apps you want to add manually.
  7. Confirm the dialog to create the cloned rule.
  8. In the rulebase, the cloned rule (Social Networking Apps) is inserted directly above the original port-based rule (Traffic to internet).
  9. Click the rule name to edit the cloned rule, which inherits the properties of the original port-based rule.
  10. On the Service/URL Category tab, delete service-http and service-https from the Service list.
    This changes the service to application-default, which prevents applications from using non-standard ports and further reduces the attack surface.
    If business needs require you to allow applications (for example, internal custom applications) on non-standard ports between particular clients and servers, restrict the exception to only the required application, sources, and destinations. Consider rewriting custom applications so they use the application default port.
  11. On the tabs that define the rule's sources, users, and destinations, tighten the rule to apply only to the right users in only the right locations (zones, subnets).
    For example, you may decide to limit social media activity to certain marketing, public relations, sales, and executive groups.
  12. Save the rule.
  13. Commit the configuration.
  14. Repeat the process for other application categories in the port-based web access rule until your application-based rules allow only the applications you want to allow on your network.
    When traffic you want to allow stops hitting the original port-based rule for a sufficient amount of time to be confident that the port-based rule is no longer needed, you can remove the port-based rule from the rulebase.
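The steps above, modeled end to end as an added example. This is illustration code written for this page, not PAN-OS code and not the PAN-OS API: the Rule and log structures, the App-ID metadata table (subcategory, container, dependencies, default ports), the Apps Seen list, the user groups, and every function name are assumptions made for the example, and the App-ID metadata is a constructed subset, not the real App-ID database. It shows the subcategory selection, the dependency and container behavior from steps 4 and 6, the clone landing above the port-based rule with service application-default, and the step 14 check of what still hits the port-based rule after the clone is in place.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass


# Constructed subset of App-ID metadata for this example (NOT the real App-ID database):
# subcategory, container app (or None), dependencies, application-default ports.
@dataclass(frozen=True)
class AppMeta:
    subcategory: str
    container: str | None
    depends_on: tuple
    default_ports: tuple


APP_META = {
    "web-browsing":   AppMeta("internet-utility",  None,       (),                      (80,)),
    "ssl":            AppMeta("encrypted-tunnel",  None,       (),                      (443,)),
    "facebook-base":  AppMeta("social-networking", "facebook", ("web-browsing", "ssl"), (80, 443)),
    "facebook-chat":  AppMeta("social-networking", "facebook", ("facebook-base",),      (443,)),
    "facebook-video": AppMeta("social-networking", "facebook", ("facebook-base",),      (443,)),
    "linkedin-base":  AppMeta("social-networking", "linkedin", ("web-browsing", "ssl"), (80, 443)),
    "linkedin-mail":  AppMeta("social-networking", "linkedin", ("linkedin-base",),      (443,)),
    "twitter-base":   AppMeta("social-networking", None,       ("web-browsing", "ssl"), (80, 443)),
    "dropbox-base":   AppMeta("file-sharing",      "dropbox",  ("web-browsing", "ssl"), (443,)),
    "bittorrent":     AppMeta("file-sharing",      None,       (),                      (6881,)),
}
PORT_SERVICES = {"service-http": 80, "service-https": 443}


@dataclass
class Rule:                               # hypothetical rule model, not a PAN-OS object
    name: str
    applications: frozenset | None        # None means "any" (a port-based rule)
    services: frozenset                   # {"service-http", ...} or {"application-default"}
    users: frozenset | None = None        # None means any user


def members_of(container):
    return {a for a, m in APP_META.items() if m.container == container}


def select_by_subcategory(apps_seen, subcategory):
    """Step 3: from Apps Seen, keep only the apps in one subcategory."""
    return {a for a in apps_seen if APP_META[a].subcategory == subcategory}


def with_dependencies(selected):
    """Step 4: the dialog lists dependencies (web-browsing and ssl for social apps).
    The clone carries them explicitly here so the allowed apps can actually work."""
    result, todo = set(), list(selected)
    while todo:
        app = todo.pop()
        if app not in result:
            result.add(app)
            todo.extend(APP_META[app].depends_on)
    return result


def check_containers(selected, unchecked=()):
    """Step 6: selecting a member checks its container and every member (seen or not);
    unchecking a member also unchecks the container; unchecking the container
    unchecks all of its members."""
    apps = set(selected)
    for container in {APP_META[a].container for a in selected if APP_META[a].container}:
        apps |= members_of(container) | {container}
    for app in unchecked:
        if app in APP_META:                       # an individual app
            apps -= {app, APP_META[app].container}
        else:                                     # a container app
            apps -= members_of(app) | {app}
    return apps


def clone_rule(original, new_name, apps, users=None):
    """Steps 4-11: the clone inherits the original's properties, gets the chosen
    app list, service application-default, and optionally a tighter user set."""
    return Rule(new_name, frozenset(apps), frozenset({"application-default"}), users or original.users)


def insert_above(rulebase, new_rule, original_name):
    """Step 8: the clone is placed directly above the port-based rule."""
    idx = next(i for i, r in enumerate(rulebase) if r.name == original_name)
    return rulebase[:idx] + [new_rule] + rulebase[idx:]


def rule_allows(rule, app, port, user):
    meta = APP_META[app]
    if rule.users is not None and user not in rule.users:
        return False
    if rule.applications is not None and not {app, meta.container} & rule.applications:
        return False
    if "application-default" in rule.services:
        return port in meta.default_ports         # non-standard ports are refused
    return port in {PORT_SERVICES[s] for s in rule.services}


def first_match(rulebase, app, port, user):
    return next((r.name for r in rulebase if rule_allows(r, app, port, user)), None)


def still_on_port_rule(rulebase, port_rule_name, logs):
    """Step 14: which apps still land on the port-based rule? A wanted app here means
    a clone is incomplete; keep the port-based rule until only unwanted apps remain."""
    return Counter(app for app, port, user in logs
                   if first_match(rulebase, app, port, user) == port_rule_name)


PORT_RULE = Rule("Traffic to internet", None, frozenset(PORT_SERVICES))
APPS_SEEN = {"web-browsing", "ssl", "facebook-base", "facebook-chat", "linkedin-base",
             "twitter-base", "dropbox-base"}                    # constructed Apps Seen
LOGS = [  # constructed traffic log entries: (app, destination port, user)
    ("facebook-base", 443, "marketing"), ("facebook-video", 443, "marketing"),
    ("facebook-base", 8080, "marketing"), ("twitter-base", 443, "engineering"),
    ("linkedin-mail", 443, "pr"), ("dropbox-base", 443, "marketing"),
    ("bittorrent", 6881, "marketing"),
]


def migrate_social_networking():
    selected = select_by_subcategory(APPS_SEEN, "social-networking")
    apps = check_containers(with_dependencies(selected), unchecked=("linkedin-mail",))
    clone = clone_rule(PORT_RULE, "Social Networking Apps", apps, users=frozenset({"marketing", "pr"}))
    rulebase = insert_above([PORT_RULE], clone, PORT_RULE.name)
    return rulebase, still_on_port_rule(rulebase, PORT_RULE.name, LOGS)


if __name__ == "__main__":
    rulebase, leftovers = migrate_social_networking()
    print([r.name for r in rulebase])
    print(sorted(rulebase[0].applications))
    print(dict(leftovers))
```

Running it leaves twitter-base, linkedin-mail and dropbox-base on the port-based rule: twitter-base because the user restriction in step 11 excludes engineering (a decision to revisit, not a missed app), linkedin-mail because it was deliberately unchecked, and dropbox-base because file-sharing has not been migrated yet (step 14). facebook-base on port 8080 matches neither rule, which is the application-default effect from step 10.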
