Optimize Overly Permissive Security Rules
Optimize overly permissive security rules so that they only allow applications that are actually in use in your network.
Try out Policy Optimizer while it’s available for early access. If you’re interested in continuing to use this feature beyond the early access period, check in with your account team.
Rules that are too broad introduce security gaps because they allow applications that aren’t in use in your network. Policy Optimizer enables you to convert these overly permissive rules to more specific, focused rules that only allow the applications you’re actually using.
Only rules created more than 90 days in the past are considered for policy optimization.
How It Works
Based on log activity, Prisma Access identifies overly permissive rules; these are rules that allow any application traffic and are at least 90 days old. For rules it identifies as overly permissive, Prisma Access auto-generates recommendations you can accept to optimize the rule. The new, recommended rules are more specific and targeted than the original rule; they explicitly allow only the applications that have been detected in your network in the last 90 days.

Accepting recommendations to optimize a rule does not remove the original rule. The original rule remains listed below the new rules in your security policy; this is so you can monitor the rule, and remove it when you’re confident that it’s not needed. Both the original rule and the optimized rules are tagged so you can easily identify them in your security policy.

Optimize a Rule
- Visit the Overview dashboard to see if there are rules you can optimize. Go to Manage > Service Setup > Overview > Optimize.
- Review overly permissive rules, and choose a rule to see the optimization recommendations. If there are multiple overly permissive rules, focus on optimizing the rules that are impacting the most traffic; this’ll give you the most significant gains towards strengthening your security posture.
- Review the recommended, optimized rules. You can see how much of the original rule’s traffic each new rule will cover. Note the specific applications that each new rule enforces.
- Accept some or all of the rule recommendations. Accepting the new, optimized rules adds the rules to your rulebase. They won’t be active just yet; that’ll happen in the next step when you Push Config to Prisma Access. Accept All accepts the recommended rules as they are. You can also make changes before accepting the optimized rules:
  - Remove a rule from optimization. Add this rule to a list of rules that you want to exclude from optimization (this time and moving forward).
  - Disable an optimized rule. This means you’re not accepting this rule, and it will not be added to the rulebase.
  - Revert any changes you’ve made. This undoes any edits you’ve made and reverts the rules back to the recommendations.
  - Merge rules. You might decide to do this if you find any of the recommended rules to be similar.
  After you accept the optimized rules, you’ll be prompted to Update Rulebase. When you agree, the optimized rules are added to your security policy. However, they’re not yet enforcing traffic.
- Push Config to send the configuration updates to Prisma Access and start enforcing the optimized rules.
- Monitor the original rule until you’re confident that you don’t need it. The original, overly permissive rule remains in your security policy; it’s listed below the optimized rules in your rulebase and is tagged so you can easily identify it. The tag name appends _original to the rule name (for example, security-rule-name_original).
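The following Python script is an added illustration of the logic described in "How It Works" and in the steps above; it is not Prisma Access code and does not reflect how Policy Optimizer is implemented internally. It models a rulebase and flattened traffic-log records with constructed sample data, flags rules that allow "any" application and are at least 90 days old, builds one specific rule per application seen in the last 90 days with the share of the original rule's traffic each one covers, and keeps the original rule below the new ones tagged with the _original suffix. The field names (name, application, created, hits), the log schema, and the naming scheme for recommended rules (original name plus the application) are assumptions for this example only.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed, simplified shapes for a security rule and a traffic-log record.
# These are not a Prisma Access export format.
@dataclass
class Rule:
    name: str
    source_zone: str
    dest_zone: str
    application: str            # "any" or one specific App-ID name
    created: date
    tags: list = field(default_factory=list)

@dataclass
class LogEntry:
    rule: str                   # rule that allowed the session
    application: str            # App-ID observed for the session
    when: date

MIN_RULE_AGE_DAYS = 90          # only rules at least this old are considered
LOOKBACK_DAYS = 90              # applications seen in this window are kept

def is_overly_permissive(rule, today):
    """Candidate for optimization: allows any application and is old enough."""
    return rule.application == "any" and (today - rule.created).days >= MIN_RULE_AGE_DAYS

def observed_apps(logs, rule_name, today):
    """Sessions per application that the named rule allowed inside the look-back window."""
    cutoff = today - timedelta(days=LOOKBACK_DAYS)
    return Counter(e.application for e in logs if e.rule == rule_name and e.when >= cutoff)

def recommend(rule, logs, today):
    """Return (recommended_rules, tagged_original, coverage) for one permissive rule.
    coverage maps each new rule name to the fraction of the original's traffic it covers."""
    counts = observed_apps(logs, rule.name, today)
    total = sum(counts.values())
    recs, coverage = [], {}
    for app, n in counts.most_common():          # highest-traffic application first
        new = Rule(f"{rule.name}-{app}", rule.source_zone, rule.dest_zone, app, today, ["optimized"])
        recs.append(new)
        coverage[new.name] = n / total
    # The original is kept, not removed, and tagged <name>_original for monitoring.
    original = Rule(rule.name, rule.source_zone, rule.dest_zone, "any",
                    rule.created, [f"{rule.name}_original"])
    return recs, original, coverage

def optimize_rulebase(rules, logs, today):
    """Rebuild the rulebase: specific rules first, tagged original directly below them."""
    out = []
    for r in rules:
        if is_overly_permissive(r, today) and observed_apps(logs, r.name, today):
            recs, orig, _ = recommend(r, logs, today)
            out.extend(recs)
            out.append(orig)
        else:
            out.append(r)
    return out

# Constructed sample data: one old any-application rule, one specific rule,
# and one any-application rule that is too new to be considered.
TODAY = date(2024, 6, 30)
SAMPLE_RULES = [
    Rule("allow-dc-to-web", "trust", "untrust", "any", date(2023, 12, 1)),   # 212 days old
    Rule("allow-dns", "trust", "untrust", "dns", date(2023, 12, 1)),
    Rule("allow-new-any", "trust", "dmz", "any", date(2024, 6, 1)),          # 29 days old
]
SAMPLE_LOGS = (
    [LogEntry("allow-dc-to-web", "web-browsing", date(2024, 6, 10))] * 6
    + [LogEntry("allow-dc-to-web", "ssl", date(2024, 6, 12))] * 3
    + [LogEntry("allow-dc-to-web", "ssh", date(2024, 5, 20))]
    + [LogEntry("allow-dc-to-web", "ftp", date(2024, 1, 15))]   # outside the 90-day window
    + [LogEntry("allow-new-any", "ssl", date(2024, 6, 20))] * 4
)

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        if is_overly_permissive(r, TODAY):
            recs, orig, cov = recommend(r, SAMPLE_LOGS, TODAY)
            print(f"{r.name}: {len(recs)} recommended rule(s), original tagged {orig.tags[0]}")
            for new in recs:
                print(f"  {new.name:<32} app={new.application:<14} coverage={cov[new.name]:.0%}")
```

Running the script on the constructed data produces three recommendations for allow-dc-to-web (web-browsing 60%, ssl 30%, ssh 10%); the ftp session is ignored because it falls outside the look-back window, allow-dns is left alone because it already names an application, and allow-new-any is skipped because it is under 90 days old.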
Exclude a Rule from Optimization
Move a rule to the Excluded from Optimization list, and Prisma Access will not optimize it. The rule settings remain as is. Make sure to Push Config after moving a rule to the exclusion list; after pushing the configuration, it can take up to 24 hours for the rule to display on the list. You can always choose to add the rule back to the optimization list later.
Track Optimization Results
Policy Optimizer shows a history of the security rules you’ve optimized. Historical data includes the optimization results: compare the original rule’s traffic coverage against the optimized rules.
The data you see for Policy Optimizer History is for the last 90 days. If an original rule (a rule you optimized) gets no hits for six months, it’s removed from the Policy Optimizer history and is classified instead as a zero-hit policy rule.