
Best Practices for Migrating to

Application-Based Policy
9.0

paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page www.paloaltonetworks.com/documentation/
document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2019-2019 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
April 25, 2019

2 BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY |


Table of Contents
Best Practices for Migrating to Application-Based Policy .......................................... 5
  Enable Applications Safely Using a Phased Transition ............................................. 7
  Migrate a Port-Based Policy to PAN-OS Using Expedition ........................................ 9
  Migrate to Application-Based Policy Using Policy Optimizer .................................. 12
    Convert Simple Rules with Well-Known Apps After One Week ............................ 14
    Rules to Begin Converting After 30 Days ........................................................... 17
  Next Steps to Adopt Security Best Practices .......................................................... 27

Best Practices for Migrating to Application-Based Policy
You don’t have to sacrifice better security in exchange for application availability. You can use
Expedition and Policy Optimizer to automate and reduce the time and effort of migrating from
a legacy firewall’s port-based Security policy to an application-based Security policy on a Palo
Alto Networks next-generation firewall or Panorama in a phased, safe manner.

> Enable Applications Safely Using a Phased Transition
> Migrate a Port-Based Policy to PAN-OS Using Expedition
> Migrate to Application-Based Policy Using Policy Optimizer
> Next Steps to Adopt Security Best Practices

Enable Applications Safely Using a Phased Transition
The glaring weaknesses of port-based Security policy are well known: you can’t see which applications use
a port, so any malicious application can gain access to your network on open ports such as port 80 (HTTP)
or port 53 (DNS). This makes it easier for attackers to install malware, move laterally through the network,
exfiltrate data, and compromise your network because you have no visibility into the applications on your
network or ability to prevent the threats their traffic conceals.
In contrast, application-based Security policy using App-ID provides visibility into applications regardless of
port, protocol, encryption (SSL or SSH), or any other evasive tactic, so you know exactly which applications
are on your network and you can inspect their traffic for threats. Application-specific policies enable safe
access because you can configure Security policy rules that allow only the right users to access the right
applications in the right places and you can apply threat prevention profiles to those rules. Using App-ID to
classify applications reduces the attack surface because you allow only the applications required to support
your business and automatically block unwanted applications. That’s much easier and safer than the endless
task of attempting to block all the applications you don’t want.
Migrate to App-ID in phases:

1. Use Expedition to import a legacy rulebase, clean it up, and achieve a like-for-like migration to a Palo
Alto Networks next-generation firewall or Panorama running PAN-OS. Expedition is distributed as a VM.
2. Run the PAN-OS device in your network production environment so the device can learn and categorize
the applications on the network.
3. After at least a week of logging traffic, run the Best Practice Assessment (BPA) to set a baseline, and
then use Policy Optimizer to begin safely converting port-based rules to application-based rules and
securing your network. (You can convert some simple rules that allow well-known applications after
about a week; for other rules that see many applications, such as a general outbound internet access
rule, wait at least 30 days to gather application information.) Take a phased approach to safely convert
the rules based on your business needs and priorities.
4. (Optional) After you convert the rulebase to App-ID, import the configuration back into Expedition and
use the Rule Enrichment features to further simplify and refine the rulebase.
5. Maintain the App-ID deployment as you introduce new applications to your network. Run the BPA after
the first conversion pass through the port-based rules and periodically thereafter to measure progress
and discover other areas to improve security.

Policy Optimizer is available in PAN-OS 9.0 and later. If you use Panorama to manage
your next-generation firewalls, you don’t have to upgrade managed firewalls to PAN-OS 9.0
to use Policy Optimizer. You only need to upgrade Panorama to PAN-OS 9.0, send traffic
logs from the managed firewalls to Panorama or Log Collectors running PAN-OS 9.0, and
push policy from Panorama to the firewalls. Managed firewalls need to run PAN-OS 8.1 or
later, and if they connect to Log Collectors, the Log Collectors must run PAN-OS 9.0. This
provides a fast path for qualification so you can use Policy Optimizer quickly to adopt App-ID
based policy.

Migrate a Port-Based Policy to PAN-OS Using Expedition
Use Expedition to import a legacy rulebase, clean it up, and achieve a like-for-like migration to a Palo
Alto Networks next-generation firewall or Panorama as the first phase in your migration to application-
based Security policy. Expedition is a great tool for performing bulk operations on multiple objects in a
configuration. Expedition supports importing legacy configurations from most major firewall vendors.

The Live community provides support for Expedition, including how to obtain the tool and
documentation about how to use the tool. This topic summarizes the Expedition workflow;
refer to the documentation in the Live community for details.
Palo Alto Networks technical support (TAC) does not provide support for Expedition.

For Expedition migration workflow details, refer to the Expedition User Guide, which also includes
information about how to import objects into a configuration using CSV files and how to import an
Iron-Skillet Day 1 configuration.
For managing Expedition, refer to the Expedition Admin Guide, which also includes some user interface
information, and to the Expedition Hardening Guide, which provides advice on how to protect the
Expedition VM.
Before you begin a migration, ensure you meet the following prerequisites:
• Download Expedition to a management device that supports running a VM.
• SSH and/or SSL connectivity to the Palo Alto Networks Panorama and/or firewalls to which you’re
migrating. SSH access is for connectivity to the CLI and SSL access is for connectivity to the web
interface and to push API commands.
• Operational access to the Palo Alto Networks Panorama and/or firewalls to which you’re migrating so
you can push the like-for-like configuration to the PAN-OS device(s).

Professional Services has a wealth of migration experience. You can engage Professional
Services’ expertise to help you move a configuration from your legacy devices to Palo Alto
Networks next-generation firewalls.

STEP 1 | Review the legacy firewall configuration.


Understand the goals of the legacy rulebase. Document items you need to know for the migration, such
as disabled interfaces on a Juniper SRX device or verifying that traffic is allowed between interfaces with
the same security levels, verifying the state of IPSec tunnels, and gathering pre-shared keys on a Cisco
ASA device.

STEP 2 | Import the legacy configuration into Expedition and make any required modifications to the
configuration.

STEP 3 | Create a new Project in Expedition.

STEP 4 | Import the migrated source (legacy) configuration into the Project and inspect it.
Check the file format, whether all required files are included, and check Expedition logs and events to
ensure the migrated configuration file loaded correctly. If necessary, modify the migrated source file to
fix the issues, then check again. Iterate until all issues are fixed.

STEP 5 | Import a PAN-OS configuration into the Project to be the Base configuration for the migration.
Get the latest Content Updates and then import the Base configuration from an existing PAN-OS device,
either the device’s configuration file or the factory default PAN-OS configuration file.

The configuration file should match the PAN-OS version you want to use. For example, to
use PAN-OS 9.0, import a 9.0 PAN-OS configuration file.

STEP 6 | Clean up the migrated configuration to prepare to merge it with the Base PAN-OS
configuration.
• Remove or replace invalid service objects. PAN-OS recognizes only TCP and UDP service ports, and
Expedition automatically migrates TCP and UDP service objects to applications. Search for non-IP-
based applications and services, such as ping and ICMP, which some legacy devices see as services
rather than applications. Replace them with App-ID to classify them as applications and gain visibility
into, inspect, and control the traffic.
• To simplify the configuration and reduce its size, remove or replace other invalid objects and unused
objects, and merge duplicate objects.
• Find and remove disabled rules so they don’t clutter the configuration.
• Rename interfaces to match the PAN-OS device interfaces. The interface names imported from the
legacy device typically don’t match PAN-OS naming conventions.
• When you import the legacy configuration, Expedition automatically assigns zone names. Rename
zones so that their names describe the purpose they will fulfill when you migrate the configuration to
the PAN-OS device and ensure zones are mapped correctly to interfaces.
In addition, check the virtual router for static routes. If many static routes exist, use Expedition to
migrate the routes to PAN-OS. If there are only a few static routes, note them and then create them
manually after migrating the configuration.

STEP 7 | Merge the migrated configuration with the PAN-OS Base configuration by dragging and
dropping objects from the migrated configuration into the Base configuration.

STEP 8 | Check the merged configuration for duplicate objects the merge may have created and remove
or merge them.

STEP 9 | Before you export the merged configuration to the PAN-OS device, clear the ARP cache on
switches and routers connected to the PAN-OS device and on the PAN-OS device to update
their ARP tables.
On PAN-OS devices, use the CLI command clear arp all. (If necessary, you can clear the ARP cache
on a per-interface basis using the CLI command clear arp <interface>.)

STEP 10 | Export the merged configuration to the PAN-OS device and load the merged configuration.
The method you use depends on how you want to migrate the merged configuration:
• For a new installation on a PAN-OS device, Generate XML & Set Output, import the XML file
(configuration), and then load it on the PAN-OS device.
• For an existing PAN-OS installation or if you want to migrate the configuration one piece at a time,
Generate XML & Set Output, import the XML file (configuration), and then use the CLI command
load config partial to select a specific portion of the configuration to load. You need SSH
access to use the CLI on a PAN-OS device.
• If the PAN-OS device is connected to Expedition, you can also use API calls to send portions of or the
whole configuration to the device.

STEP 11 | After you export the merged configuration to a PAN-OS device and load the configuration,
use Policy Optimizer to convert the port-based policy to application-based policy.

Migrate to Application-Based Policy Using Policy Optimizer
After using Expedition to migrate a like-for-like configuration to a PAN-OS device, the next phase is using
Policy Optimizer to simplify the migration to App-ID based Security policy rules. Policy Optimizer makes
the conversion from legacy port-based rules much easier because it automates presenting application
information for each rule with the context you need to understand the information and create intelligent
application-based rules in a single view. Policy Optimizer:
• Learns and remembers all applications seen in each rule’s traffic automatically over time, eliminating the
need to comb through and analyze reams of log data. Even if logs roll over, Policy Optimizer retains the
application information, so you can be confident you’re seeing all of the applications on a rule.
• Enables you to safely migrate to App-ID without risking application availability.
• Is a tool native to and supported on PAN-OS devices, so you don’t have to move configurations and data
between the device and an off-device tool.
• Provides easy, intuitive sorting and filtering options to help you identify and prioritize which rules are
easiest and safest to convert first.
• Runs on Panorama as well as on individual next-generation firewalls. If you manage your next-generation
firewalls running PAN-OS 8.1 with Panorama, you only have to upgrade Panorama (and any Log
Collectors connected to managed firewalls) to PAN-OS 9.0 to use and gain the benefits of Policy
Optimizer, so you can qualify and adopt Policy Optimizer faster than if you had to qualify all your
firewalls.
These capabilities result in an easy-to-use tool that saves time and prevents errors in converting port-based
rules to App-ID based rules. Policy Optimizer provides several methods of converting port-based rules to
App-ID based rules:

• Create Cloned Rule—Cloning a rule preserves the original port-based rule and places the new App-ID
based rule above the cloned rule. You can clone multiple App-ID based rules from one port-based rule.
For example, you can clone multiple App-ID rules based on application subcategories from a general
web-browsing rule to group applications that require similar access and threat treatment instead of
trying to control all web access for all users in all places in one general, unsecure rule.
There’s no risk to application availability because the port-based rule below the cloned rule acts like a
safety net. If the cloned (App-ID) based rule doesn’t match all the applications you need to allow, you’ll
see those applications hit the port-based rule below the cloned rule and you can make adjustments. You
can remove the port-based rule when no traffic you want to allow matches the port-based rule for a
reasonable period of time, completing the conversion of that rule to an App-ID based rule.
• Add to Rule—Adding applications to a rule replaces the port-based rule with an App-ID based rule, which
removes the port-based rule from the rulebase and doesn’t provide the safety net that cloning provides.
Use Add to Rule only when you’re sure you know all the applications you want the rule to control.
Rules that have seen only a few applications and for which you’re confident you know the required
applications for your business are candidates for Add to Rule. It’s safest to clone rules that have seen
many applications and rules that may see more applications you need to allow. If you miss adding an
application to a rule, you lose availability to that application unless another rule allows it, while cloning
the rule retains the port-based rule as a safety net.
• Match Usage—Matching a port-based rule’s usage replaces the port-based rule with an App-ID based
rule that contains all of the applications seen on the rule. Use Match Usage only when the rule has seen
a small number of well-known applications that have legitimate business purposes. A good example is
TCP port 22, which should only allow SSH traffic. If SSH is the only application seen on a port-based rule
for port 22, you can safely Match Usage and convert the rule to an App-ID rule.
To Create Cloned Rule or Add to Rule, you must select at least one application from Apps Seen.

Applications used only for quarterly or yearly events may not appear in the application
information if the history isn’t long enough to capture their latest activity. Be aware of these
types of applications when you convert rules.

When you convert a port-based rule to an application-based rule, Policy Optimizer makes no other changes
to the rule aside from converting services to App-IDs. In most cases, after you convert a rule, you should
change the Service to application-default so only the applications that legitimately use the port can access
it and prevent evasive applications from gaining network access by using a non-standard port.

If business needs require allowing applications such as internal custom applications on
non-standard ports between particular clients and servers, restrict the exception to only the
required applications, sources, and destinations. Consider rewriting custom applications to
use application-default ports.
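The three conversion methods and the application-default caveat above, modeled as an added example that is not Palo Alto Networks code; the Rule type, the rule names, the flows and the DEFAULT_PORTS table are constructed for illustration:

```python
"""Model of Policy Optimizer's conversion methods and of top-down Security
rule matching. Added example, not Palo Alto Networks code; the Rule type,
rule names, flows and the DEFAULT_PORTS table are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    ports: FrozenSet[int]                 # explicit TCP service ports of the rule
    apps: FrozenSet[str] = frozenset()    # empty = any application (port-based rule)
    service: str = "explicit"             # or "application-default"


# Constructed subset of App-ID standard ports, enough for this example.
DEFAULT_PORTS: Dict[str, FrozenSet[int]] = {
    "ssh": frozenset({22}),
    "ms-rdp": frozenset({3389}),
    "ms-ds-smbv2": frozenset({445}),
    "ms-ds-smb-base": frozenset({445}),
    "msrpc-base": frozenset({135}),
}


def create_cloned_rule(rulebase: List[Rule], name: str, apps: Iterable[str]) -> List[Rule]:
    """Create Cloned Rule: the new App-ID rule goes directly above the port-based
    rule, which stays in place as the safety net. Service is left unchanged, as
    Policy Optimizer does; change it separately with set_application_default."""
    out: List[Rule] = []
    for r in rulebase:
        if r.name == name:
            out.append(replace(r, name=f"{name}-appid", apps=frozenset(apps)))
        out.append(r)
    return out


def add_to_rule(rulebase: List[Rule], name: str, apps: Iterable[str]) -> List[Rule]:
    """Add to Rule: the port-based rule itself becomes the App-ID rule (no safety net)."""
    return [replace(r, apps=frozenset(apps)) if r.name == name else r for r in rulebase]


def match_usage(rulebase: List[Rule], name: str, apps_seen: Iterable[str]) -> List[Rule]:
    """Match Usage: Add to Rule with every application seen on the rule."""
    return add_to_rule(rulebase, name, apps_seen)


def set_application_default(rulebase: List[Rule], name: str) -> List[Rule]:
    """Set Service to application-default so each app is allowed only on its standard port."""
    return [replace(r, service="application-default") if r.name == name else r for r in rulebase]


def first_match(rulebase: List[Rule], app: str, port: int) -> Optional[str]:
    """Top-down, first-match evaluation of a flow classified as `app` on `port`."""
    for r in rulebase:
        if r.apps and app not in r.apps:
            continue
        allowed = DEFAULT_PORTS.get(app, frozenset()) if r.service == "application-default" else r.ports
        if port in allowed:
            return r.name
    return None


def safety_net_hits(rulebase: List[Rule], flows: Iterable[Tuple[str, int]], port_rule: str) -> Set[str]:
    """Apps that miss the cloned App-ID rule and hit the port-based rule below it;
    review these before removing the port-based rule."""
    return {app for app, port in flows if first_match(rulebase, app, port) == port_rule}


# Constructed like-for-like rulebase after the Expedition migration.
LEGACY = [Rule("smb", frozenset({445})), Rule("admin", frozenset({22, 3389}))]
# Constructed flows as App-ID would classify them: (app, destination port).
FLOWS = [("ms-ds-smbv2", 445), ("ms-ds-smb-base", 445), ("msrpc-base", 445),
         ("ssh", 22), ("ssh", 3389)]


def demo():
    cloned = create_cloned_rule(LEGACY, "smb", {"ms-ds-smbv2", "ms-ds-smb-base"})
    leftover = safety_net_hits(cloned, FLOWS, "smb")        # msrpc-base still hits the port rule
    direct = set_application_default(match_usage(LEGACY, "admin", {"ssh", "ms-rdp"}), "admin")
    evasive = first_match(direct, "ssh", 3389)              # None: ssh allowed only on tcp/22 now
    return [r.name for r in cloned], leftover, evasive


if __name__ == "__main__":
    print(demo())
```

Without set_application_default, match_usage alone still lets ssh through on tcp/3389 because the converted rule keeps its explicit port list, which is the gap the paragraph above tells you to close.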

Before you use Policy Optimizer to convert port-based rules to App-ID based rules:
1. Complete the like-for-like migration of the legacy configuration to a Palo Alto Networks next-generation
firewall or Panorama from Expedition.
2. Run the PAN-OS 9.0 device in your production network for about a week before you start converting
rules to App-ID so the device can begin to learn and categorize the applications on the network. You
can convert some simple rules quickly (for example, a port 22 rule should only allow SSH traffic and is
easy to convert), while you need to allow the firewall to gather application data from traffic for a longer
period of time for other rules, such as your internet access (port 80/443) rule.
3. Run the Best Practice Assessment (BPA) to set a baseline against which to compare progress.
4. Set realistic goals. Think about what you want the end result to look like. When you reach the goal, run
the BPA again to confirm that you reached the goal, and then reevaluate whether you can go farther and
make your network even safer. With Policy Optimizer, you don’t sacrifice availability for security, you
just improve security.
Convert rules in phases. You can convert some simple port-based rules that allow well-known applications
to App-ID based rules after the PAN-OS device has as little as one week of logs (Policy Optimizer discovers
the applications seen on rules by reading logs). For other rules that see many applications, such as a general
web access rule, wait at least 30 days to gather application information.

Professional Services has a wealth of migration experience. You can engage Professional
Services’ expertise to help you move a configuration from your legacy devices to Palo Alto
Networks next-generation firewalls.

• Convert Simple Rules with Well-Known Apps After One Week
• Rules to Begin Converting After 30 Days

Convert Simple Rules with Well-Known Apps After One Week


After a week of monitoring production traffic, you can safely begin to convert some simple port-based rules
to App-ID based rules. Good candidates include rules for which only one or a small number of well-known
applications should legitimately use the port because it’s fairly easy to determine which applications you
want to allow on a simple rule. Examples include port 21 (FTP), port 22 (SSH), and port 53 (DNS).
Install the latest Content Updates before you begin converting rules to ensure you have the latest
application signatures on the PAN-OS device. This example shows you how to sort port-based rules to find
candidates for safe conversion and the options for converting those port-based rules directly to App-ID
based rules.

STEP 1 | In Policies > Security > Policy Optimizer > No App Specified, select Apps Seen and Sort
Ascending to find the port-based rules that have seen the fewest applications.

The port-based rules that have seen the fewest applications are at the top of the No App Specified
display. You can safely convert rules for specific services such as SSH directly to application-based rules
and you can examine rules that have seen few applications to see if you can safely convert them.
The port-based rule intended to allow Server Message Block (SMB) traffic has seen only three
applications since migrating the configuration to the PAN-OS device and therefore is a candidate for
conversion.

STEP 2 | Click the Apps Seen number or click Compare to examine the applications seen on the rule.
Applications & Usage shows the three applications actually seen in the traffic that match the rule.

STEP 3 | Evaluate whether you want to allow all, some, or none of the applications seen on the rule and
select the applications you want to allow.
You can match the exact usage of the rule, future-proof the rule by adding the container apps, or select
individual applications to add to the rule:
• If you want the rule to allow all three applications exactly as matched on the rule:
1. Select them (click the check box next to Applications in Apps Seen).
2. Click Match Usage.
3. Click OK to convert the port-based rule to an App-ID based rule.
4. Set the Service to application-default so that no evasive, malicious applications can use the port.
• If you want to allow all of the applications seen on the rule and future-proof the rule by adding their
container applications (so all applications within each container are allowed and applications added to
the container app later are automatically allowed):
1. Leave all the applications selected and Add to Rule.

The gray-shaded applications are the container apps. The green-shaded applications are the
applications seen on the rule. The unshaded applications belong to the same container app but
have not been seen on the rule.
2. Click OK. Only the container apps appear in Apps on Rule because they include (allow) all of the
applications they contain:

3. Click OK to convert the rule.


4. Set the Service to application-default so that no evasive, malicious applications can use the port.
• If you want to allow only some of the applications or if you want to select the applications to allow
within a container app:
1. Select the applications you want to allow and then click Add to Rule.
For example, if you decide not to allow msrpc-base and select only ms-ds-smbv2 and ms-ds-smb-base
and Add to Rule, Policy Optimizer shows you the related applications in the container app (ms-ds-smb,
shaded gray) and provides the opportunity to future-proof the rule by adding those applications:
The green-shaded applications are the applications seen on the rule. The unshaded applications
belong to the same container app but have not been seen on the rule. In this case, you may
choose to allow ms-ds-smbv3 to future-proof the rule but not to allow ms-ds-smbv1 because it’s
an older protocol.
2. You can allow all of the applications or select which applications to allow.
To allow all of the applications, click OK. Apps on Rule shows the selected applications. Click OK
to convert the rule.
To allow only selected applications, deselect the undesired applications. If you deselect an
application in a container, the container app is also deselected so it doesn’t automatically allow its
child apps.

3. Click OK. Apps on Rule shows the selected applications.


4. Click OK to convert the rule.
5. Set the Service to application-default so that no evasive, malicious applications can use the port.

Rules to Begin Converting After 30 Days


After 30 days of monitoring production traffic, you can safely begin to convert the rest of the port-based
rules to App-ID based rules and clean up the rulebase. A good place to start is with cleaning up unused
rules to reduce the attack surface. After that, start converting rules to App-ID at the perimeter with
your outbound internet access (port 80/443) rule, because that rule likely sees more traffic with more
applications than any other rule, which also means it’s the rule that carries the most risk.
Install the latest Content Updates before you begin converting rules to ensure you have the latest
application signatures on the PAN-OS device.
Policy Optimizer provides many intuitive ways to sort, filter, and prioritize which rules to convert first. After
removing unused rules and converting the web access rule to App-ID, the rules you choose to prioritize
depend on your business and security requirements. The following sections provide ideas and methods for
using the simple yet powerful sorting and filtering options to identify and prioritize rules to convert after the
first 30 days:
• Remove Unused Rules
• Convert the Most Stable Rules
• Convert the Internet Access Rules
• Convert Rules That See the Most Traffic
• Convert Rules With Few Apps Seen Over a Time Period

Remove Unused Rules


The migrated rulebase may contain rules that aren’t in use because no application traffic matches those
rules. Unused rules clutter the rulebase and offer avenues of attack to adversaries. Remove these rules to
clean up the rulebase and reduce the attack surface, or modify them so they apply to application traffic and
serve a legitimate purpose in the rulebase.
Unused rules may exist for a number of reasons. Rules governing services and applications that the business
once used but replaced with other applications may still be in the rulebase. A rule that precedes an unused
rule may control the applications that would otherwise match the unused rule. In some cases, unused rules
are old rules created by administrators who are no longer with the company and nobody knows the rule’s
intent.
View rules over any Timeframe you choose from Policies > Security > Policy Optimizer > Rule Usage. Set
the Usage to Unused to filter out rules that have seen application traffic.

STEP 1 | Identify unused rules.


In Policies > Security > Policy Optimizer > Rule Usage, set the Timeframe to All time, the Usage to
Unused (to display only rules with a Hit Count of zero), and Exclude rules reset during the last 30 days
(to prevent displaying recently reset rules that may not have seen traffic over a few days but that may
see traffic over a longer time period). The result is a list of rules that have seen no application traffic over
the selected Timeframe.

STEP 2 | Evaluate rules that have seen no traffic and determine if they are needed or if you can disable
them.
In this example, the business used Tsunami file transfer in the past, but investigation shows the business
no longer uses Tsunami and has replaced it with other file transfer applications, so there is no reason to
allow Tsunami application traffic on the network.

STEP 3 | Disable (or Delete) the rule.


In Policies > Security, select the Tsunami file transfer rule. Either Disable or Delete the rule.
Disabling the rule is safer to start with in case it turns out that the business needs the application, even
though it hasn’t seen any traffic. (This may happen if you don’t take quarterly and annual events into
account when investigating whether the business uses an application or if the application is required for
a contractor or partner whose traffic only accesses the network periodically.) After a reasonable period
of time, you can delete unused rules that you disabled earlier.

Convert the Most Stable Rules


Convert port-based rules that have not seen new applications for a reasonable period of time, which
means the rules have stabilized and you’re less likely to see new applications on them. Clone these rules to
ensure that if more applications match the rule later, the port-based rule remains in the rulebase as long as
necessary as a safety net.

Take applications used only for quarterly, annual, and other periodic events into account
when you evaluate whether you think new applications may match the rule.

STEP 1 | In Policies > Security > Policy Optimizer > No App Specified, sort the rules (descending) to
show the rules with the highest number of Days with No New Apps at the top of the list.

The first three rules have seen no new applications for fairly long periods of time and are candidates for
conversion to App-ID. Convert Simple Rules with Well-Known Apps After One Week covers converting
rules with few Apps Seen such as the smb rule, so this example focuses on the allow apps rule.

Also check the Modified date. Rules that haven’t been modified for a long time are also
likely to be more stable. Rules that have been modified recently may not have seen all the
applications that could match the rule.

Because more than a few applications have been seen on the rule, clone the rule instead of converting it
directly to an App-ID based rule.

STEP 2 | Click the number in the Apps Seen column to open the Applications & Usage dialog.

STEP 3 | Sort and filter the Apps Seen on the rule to determine how to handle the applications.
Sorting or filtering by subcategory helps you understand the traffic seen on rules that see more
than a few applications. For example, you can filter by the infrastructure subcategory to see all the
infrastructure applications and clone an App-ID based rule to control them.

STEP 4 | Follow Steps 4-7 in Convert the Internet Access Rules to create a cloned rule to control each
subcategory (or related subcategories) of applications you want to treat similarly.

Convert the Internet Access Rules


An internet access rule controls traffic on port 80 (HTTP) and port 443 (HTTPS). This rule usually sees the
largest number of applications and the greatest amount of traffic in bytes. A port-based internet access rule
could allow applications you don’t want on your network and expose it to attacks, so you need to control
and safely enable the applications allowed to use those ports.

When you convert internet access rules from port-based rules to application-based rules, you need to
understand which applications your company sanctions for business use and which applications your
company tolerates for other purposes.

A good method of converting an internet access rule is to group applications that require similar treatment
in the same rule instead of creating separate rules for each application, which helps prevent rulebase bloat.
Use Policy Optimizer to sort the applications seen on a rule by application subcategory so you can see all
the applications on a rule for a particular subcategory, select the applications your business uses, and then
clone a rule to control those applications. Policy Optimizer offers many sorting and filtering options to
organize and analyze applications seen on a rule.

Clone the rule instead of directly converting it to ensure application availability. Cloning a rule retains the
original port-based rule and places the cloned application-based rule directly above the port-based rule
in the Security rulebase. This enables you to create different internet access rules from the original port-
based rule for groups of applications you want to treat differently, without risking application availability.
You can easily see which applications match the cloned rule and which applications fall through to the
original port-based rule, and adjust the rules accordingly over time. When no applications you want to
allow have matched the port-based rule for long enough that you are confident you have accounted for all
the applications the business requires, you can disable (or delete) the port-based rule, which finishes the
conversion without risking application availability.

You can use the same method to convert other rules that have seen more than a few well-known
applications. Use Policies > Security > Policy Optimizer > No App Specified information to help prioritize
which rules to convert after you convert the internet access rules. For example, you could prioritize by a
combination of most Apps Seen and most traffic over the last 30 days (Traffic (Bytes, 30 days)) to convert
the most-used rules, or you could look at Days with No New Apps and the Modified date to find rules that
have seen many applications but are also more stable.

This example shows you how to clone an application-based rule that controls email applications from a
port-based internet access rule. You can use the same cloning process to create application-based rules
safely for different subcategories and individual applications seen on any port-based rule.

STEP 1 | Navigate to Policies > Security > Policy Optimizer > No App Specified and find the port-based
rule(s) that control internet access.
Use the filter (service/member eq 'service-http') and (service/member eq
'service-https') to find the port-based rule(s) configured with service-http and service-https,
which are the internet access rule(s).

STEP 2 | Click Compare or the number in Apps Seen to open the Applications & Usage dialog.

STEP 3 | Sort Apps Seen by application subcategory to group similar applications that may be
appropriate to control in the same Security policy rule.
Sort by Subcategory to group the applications seen on the rule:

You can also filter by a particular subcategory to see only the applications that belong to that
subcategory. In this example, to create an App-ID based rule to control email applications, filter to view
only the email applications seen on the rule:

STEP 4 | Select the applications you want to allow and then Create Cloned Rule to clone the new
application-based rule from the port-based rule.
For example, if your company sanctions Gmail and Outlook for corporate use and tolerates Yahoo email
for personal use, but chooses not to allow GMX mail or Hotmail:

STEP 5 | In the Clone dialog, select the container app or the individual applications you want to
allow for each application.

Give the new rule a Name that describes its purpose. Decide whether you want to allow only specific
capabilities of each email application or the whole container app. If you allow the container app, you
allow all of the applications in the container. This future-proofs the rule by automatically allowing new
applications if they are added to the container app and helps ensure application availability. By default,
all of the applications are selected. The container app for each application is shaded gray, applications
that have been seen on the rule are shaded green, and applications in the container app that haven't
been seen on the rule are italicized and not shaded.
If you choose not to allow some applications in a container app, the container app is also deselected and
the rule includes only the specific applications you select.

Deselecting the gmail-call-phone and gmail-posting applications also deselected the gmail container app.

STEP 6 | Click OK to create the rule, which is placed above the port-based rule in the Security policy
rulebase (Policies > Security).
If you select the container apps, Policy Optimizer adds only the container apps to the rule because they
include all of the applications.

If you selected individual applications from the Clone dialog instead of the container apps, Policy
Optimizer adds only the selected applications to the new App-ID based rule.

STEP 7 | Click the rule Name or a Service and change the Service to application-default so the allowed
applications can use only their standard ports, which prevents evasive applications from gaining access
on a non-standard port.
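The following Python script is added here as an illustration; it is not part of this guide and not PAN-OS or Policy Optimizer code. It reproduces what Steps 4-7 do in the Clone dialog as an offline transformation of security-rule XML in the PAN-OS configuration schema: fully selected containers collapse to the container app, partially selected containers contribute only their selected members, application any is replaced by the chosen applications, the Service becomes application-default, and the clone is inserted directly above the port-based rule, which stays in place as the safety net. The rule named internet-access, the trust/untrust zones, and the gmail container membership table are assumptions constructed for the example; real container membership comes from the App-ID database on the firewall.

```python
"""Clone an App-ID rule above a port-based rule, the way the Clone dialog does.

Added example, not Palo Alto Networks code. Rule names, zones and the
container table are constructed for illustration.
"""
import copy
import xml.etree.ElementTree as ET

# Assumption: container app -> member apps (check Objects > Applications on a firewall).
CONTAINERS = {
    "gmail": ["gmail-base", "gmail-chat", "gmail-call-phone", "gmail-posting"],
}

# Constructed port-based internet access rule (assumed zones trust -> untrust).
PORT_BASED_RULES = """<rules>
  <entry name="internet-access">
    <from><member>trust</member></from>
    <to><member>untrust</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <source-user><member>any</member></source-user>
    <application><member>any</member></application>
    <service><member>service-http</member><member>service-https</member></service>
    <action>allow</action>
  </entry>
</rules>"""


def collapse_to_containers(selected, containers=CONTAINERS):
    """A container app goes into the rule only when every member is selected
    (future-proofing the rule); if any member is deselected, the container is
    dropped and only the selected members are added individually."""
    selected = set(selected)
    rule_apps, absorbed = [], set()
    for container, member_apps in containers.items():
        if set(member_apps) <= selected:
            rule_apps.append(container)
            absorbed.update(member_apps)
    rule_apps.extend(sorted(selected - absorbed))
    return rule_apps


def clone_rule(original, new_name, apps):
    """Keep zones, addresses, users and action; swap application any for the
    chosen apps and set the service to application-default (Step 7)."""
    clone = copy.deepcopy(original)
    clone.set("name", new_name)
    app_el = clone.find("application")
    app_el.clear()                       # removes <member>any</member>
    for app in apps:
        ET.SubElement(app_el, "member").text = app
    svc_el = clone.find("service")
    svc_el.clear()                       # removes service-http / service-https
    ET.SubElement(svc_el, "member").text = "application-default"
    return clone


def clone_above(rules_xml, original_name, new_name, selected_apps):
    """Return the rulebase with the App-ID clone directly above the port-based rule."""
    rules = ET.fromstring(rules_xml)
    entries = rules.findall("entry")
    idx = next(i for i, e in enumerate(entries) if e.get("name") == original_name)
    clone = clone_rule(entries[idx], new_name, collapse_to_containers(selected_apps))
    rules.insert(idx, clone)             # evaluated first, port-based rule stays below
    return rules


def rule_names(rules):
    return [e.get("name") for e in rules.findall("entry")]


def rule_members(rules, name, field):
    entry = next(e for e in rules.findall("entry") if e.get("name") == name)
    return [m.text for m in entry.findall(field + "/member")]


if __name__ == "__main__":
    # Sanctioned: all of Gmail and Outlook; tolerated: Yahoo mail. GMX and Hotmail left out,
    # so they keep falling through to the port-based rule until it is disabled.
    chosen = {"gmail-base", "gmail-chat", "gmail-call-phone", "gmail-posting",
              "outlook-web-online", "yahoo-mail"}
    rulebase = clone_above(PORT_BASED_RULES, "internet-access", "allow-email", chosen)
    print(ET.tostring(rulebase, encoding="unicode"))
```

Deselecting gmail-call-phone and gmail-posting in the chosen set drops the gmail container and leaves gmail-base and gmail-chat as individual applications, matching the dialog behaviour described in Step 5.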

Convert Rules That See the Most Traffic


Sorting for rules that have seen the most traffic over the past 30 days (Traffic (Bytes, 30 days)) shows
you the current most active rules. (A longer time frame places more emphasis on older rules that remain
at the top of the list because they have large cumulative totals, even if they no longer see much traffic.)
Converting these rules to App-ID safeguards the largest amount of traffic for the effort.

If multiple rules see a lot of traffic, use the Policies > Security > Policy Optimizer > No App Specified
information to help prioritize which rules to convert first. For example, you could prioritize rules with the
most Apps Seen (potentially the riskiest rules) or rules with the most Days with No New Apps and the oldest
Modified date (the most stable high-traffic rules).

STEP 1 | In Policies > Security > Policy Optimizer > No App Specified, sort the rules descending by
Traffic (Bytes, 30 days) to place the most recently active rules at the top of the list.

STEP 2 | Select a rule to begin converting and click the number in its Apps Seen column.

STEP 3 | In the Applications & Usage dialog, sort and filter the Apps Seen on the rule to determine how
to handle the applications.
Sort or filter by application subcategory to group applications that may require similar treatment and can
be controlled in one application-based rule. Sort on Traffic (30 days) to see the amount of recent traffic
on individual applications to prioritize the current most active applications.

STEP 4 | Follow Steps 4-7 in Convert the Internet Access Rules to create a cloned rule to control each
subcategory (or related subcategories) of applications you want to treat similarly.

Convert Rules With Few Apps Seen Over a Time Period


Rules with relatively few Apps Seen and with no new applications seen over a long enough time period may
be easy to convert and relatively stable, and you can use filters to identify those rules.

STEP 1 | In Policies > Security > Policy Optimizer > No App Specified, filter the rules to display only
rules with a low number of Apps Seen that have seen no new applications over the desired time
period.

This example filters for rules that have seen three or fewer applications (apps seen count leq
'3') and for which no new applications have been seen for at least 30 days (days no new app count
geq '30').

STEP 2 | Select a rule to convert and click the number in its Apps Seen column.

STEP 3 | In the Applications & Usage dialog, decide whether you want to allow all of the applications
and if they should be in the same rule—that is, decide whether the applications require similar
treatment in terms of access and security.
If you want to allow all of the applications and they require similar treatment, you can Match Usage and
replace the port-based rule with the new App-ID based rule.
If you want to allow all of the applications but they require different treatment, clone the rule for each
set of applications that requires different treatment. For example, if a port-based rule allows three
applications and two of them are email applications and one is an infrastructure application, you may
want to clone one rule for the email applications and another for the infrastructure application.
If you want to allow some applications and deny others:
• Clone one or more rules for the applications you want to keep and monitor the original port-based
rule to ensure that the applications you don’t want to keep are the only ones that match that rule.
When enough time has passed to feel confident that no applications you want to allow match the
port-based rule, you can disable or delete it. Steps 4-7 in Convert the Internet Access Rules show
how to create a cloned rule.
• If you’re confident you know which applications you want to allow and which applications you want
to block:
• If the applications you want to allow require similar treatment, use Add to Rule to replace the
port-based rule with an application-based rule that allows only the applications you added to the
rule. The applications you don’t add to the rule are blocked unless you allow them in another rule.
• If the applications you want to allow require different treatment, clone application-based rules
for the applications you want to allow from the port-based rule. If you’re still confident it’s OK to
block the remaining applications, you can disable (or delete) the port-based rule.
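The following Python script is added here as an illustration and is not Palo Alto Networks code. It encodes the three prioritization views used in Convert the Most Stable Rules, Convert Rules That See the Most Traffic and this section (Days with No New Apps plus Modified date, Traffic (Bytes, 30 days), and the few-apps filter), and the Step 3 decision tree for a rule with few Apps Seen, over a constructed sample of the No App Specified table. The rule names, counts, dates, subcategories and the sanctioned-application set are assumptions; the apps tuple on each row is a truncated sample of what the Applications & Usage dialog would show.

```python
"""Prioritize port-based rules for App-ID conversion and pick the conversion action.

Added example, not Palo Alto Networks code. All rows are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RuleStats:
    name: str
    apps_seen: int            # Apps Seen column
    days_no_new_apps: int     # Days with No New Apps column
    traffic_bytes_30d: int    # Traffic (Bytes, 30 days) column
    modified: date            # Modified column
    apps: tuple               # (App-ID name, subcategory) pairs; truncated sample


ROWS = [  # constructed sample of the No App Specified table
    RuleStats("internet-access", 140, 0, 40_000_000_000, date(2019, 4, 10),
              (("web-browsing", "internet-utility"), ("gmail", "email"))),
    RuleStats("allow apps", 12, 75, 5_000_000_000, date(2018, 11, 2),
              (("ms-rdp", "remote-access"), ("ldap", "infrastructure"))),
    RuleStats("smb", 2, 90, 800_000_000, date(2018, 9, 14),
              (("ms-ds-smb", "infrastructure"), ("netbios-ss", "infrastructure"))),
    RuleStats("dns", 1, 120, 200_000_000, date(2018, 6, 1),
              (("dns", "infrastructure"),)),
    RuleStats("legacy-mail", 3, 45, 3_000_000_000, date(2019, 1, 20),
              (("smtp", "email"), ("imap", "email"), ("ntp", "infrastructure"))),
]


def most_stable(rows):
    """Longest Days with No New Apps first; ties broken by the oldest Modified date."""
    return sorted(rows, key=lambda r: (-r.days_no_new_apps, r.modified))


def most_traffic(rows):
    """Recent activity only: a 30-day window keeps idle rules with large
    lifetime byte counts from staying at the top of the list."""
    return sorted(rows, key=lambda r: -r.traffic_bytes_30d)


def few_apps(rows, max_apps=3, min_days=30):
    """Same selection as the filter (apps seen count leq '3') and
    (days no new app count geq '30')."""
    return [r for r in rows
            if r.apps_seen <= max_apps and r.days_no_new_apps >= min_days]


def recommend(rule, sanctioned, confident=False):
    """Step 3 decision tree for a rule with few Apps Seen.

    sanctioned: applications the business allows; confident: whether you are
    sure the remaining applications on the rule can be blocked right away.
    """
    seen = {app for app, _ in rule.apps}
    keep = seen & set(sanctioned)
    groups = {sub for app, sub in rule.apps if app in keep}   # treatment groups
    if keep == seen:                       # allow everything seen on the rule
        return "match-usage" if len(groups) <= 1 else "clone-per-group"
    if not confident:                      # allow some, keep the port rule as a net
        return "clone-and-monitor"
    return "add-to-rule" if len(groups) <= 1 else "clone-then-disable"


if __name__ == "__main__":
    print("stable :", [r.name for r in most_stable(ROWS)])
    print("traffic:", [r.name for r in most_traffic(ROWS)])
    for r in few_apps(ROWS):
        print(r.name, "->", recommend(r, {"dns", "ms-ds-smb", "smtp", "imap"}))
```

The recommendation strings map onto the Policy Optimizer actions in Step 3: match-usage and add-to-rule replace the port-based rule in place, while the clone variants create App-ID rules above it and leave the port-based rule to be disabled later.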

Next Steps to Adopt Security Best Practices
After you finish the first pass at converting port-based rules to application-based rules, consider the
following next steps to strengthen the Security policy rulebase and improve network security:
• Use Expedition’s Rule Enrichment capability, which uses Machine Learning to examine and consolidate
your policy configuration.
• Run the Best Practice Assessment (BPA) regularly to measure progress toward achieving your App-ID
adoption goal and to identify additional weaknesses. When you reach your goal, use the BPA to identify
areas where you can continue to improve adoption and further safeguard your network.
• Policy Optimizer converts port-based rules to App-ID based rules, but doesn’t change anything else
about the rules. After you convert rules to App-ID, tighten them to reduce the attack surface and
increase visibility:
• Set the Service to application-default to prevent applications from using non-standard ports. For
internal custom applications, define default ports and then apply application-default.
• At the perimeter (internet gateway), for web applications, use URL Filtering categories to prevent
access to risky websites.
• Configure User-ID to control who has access to applications.
• Configure Log Forwarding to centralize the logs from multiple PAN-OS devices, to send email alerts
to specific administrators or groups for specific alerts, and preserve logs for historical analysis.
• Configure best practice Security profiles for Antivirus, Anti-Spyware, Vulnerability Protection, File
Blocking, and WildFire Analysis, and apply them to App-ID Security policy rules.
• Consider using Iron-Skillet templates, available on GitHub, to get started and bootstrap your initial
best practice configuration.
• Maintain the App-ID deployment. As you add rules for new applications, including internal custom
applications, create App-ID based rules that help keep your network safe. Don’t slip back into using port-
based rules that don’t give you visibility into application traffic or allow you to inspect and control it.
Learn more about App-ID in the PAN-OS Administrator’s Guide.
• As you tighten up the Security policy rulebase, consider applying other protections to your network,
such as best practices for decrypting traffic and for DoS and Zone protection.
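The following Python script is added here as an illustration and is not Palo Alto Networks code. It audits allow rules for the tightening items in the list above that Policy Optimizer leaves untouched: a Service other than application-default, a rule that is still application any, missing Security profiles, a perimeter rule whose profiles lack URL Filtering, no User-ID restriction (source-user any), and no Log Forwarding profile. The rulebase is constructed to follow the PAN-OS security-rule XML schema; the rule, zone, user-group and profile names are assumptions. To run it against a firewall, export the rulebase/security/rules subtree of the running configuration and pass that XML instead of the sample.

```python
"""Audit App-ID rules for the tightening steps that follow a Policy Optimizer conversion.

Added example, not Palo Alto Networks code. The rulebase and all names are constructed.
"""
import xml.etree.ElementTree as ET

PERIMETER_ZONES = {"untrust"}   # assumption: the internet-facing zone name

SAMPLE_RULES = """<rules>
  <entry name="allow-email">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <source-user><member>cn=all-staff,ou=groups,dc=example,dc=com</member></source-user>
    <application><member>gmail</member><member>outlook-web-online</member></application>
    <service><member>application-default</member></service>
    <profile-setting><group><member>best-practice</member></group></profile-setting>
    <log-setting>panorama-forward</log-setting>
    <action>allow</action>
  </entry>
  <entry name="allow-web">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <source-user><member>cn=all-staff,ou=groups,dc=example,dc=com</member></source-user>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <profile-setting><profiles>
      <virus><member>default</member></virus>
      <vulnerability><member>strict</member></vulnerability>
    </profiles></profile-setting>
    <log-setting>panorama-forward</log-setting>
    <action>allow</action>
  </entry>
  <entry name="allow-infra">
    <from><member>trust</member></from><to><member>dmz</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <source-user><member>any</member></source-user>
    <application><member>dns</member><member>ntp</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="internet-access">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <source-user><member>any</member></source-user>
    <application><member>any</member></application>
    <service><member>service-http</member><member>service-https</member></service>
    <action>allow</action>
  </entry>
  <entry name="deny-rest">
    <from><member>any</member></from><to><member>any</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>deny</action>
  </entry>
</rules>"""


def members(entry, path):
    return [m.text for m in entry.findall(path + "/member")]


def audit_rule(entry):
    """Return the weaknesses found on one allow rule (deny rules are skipped)."""
    findings = []
    if entry.findtext("action") != "allow":
        return findings
    if "any" in members(entry, "application"):
        findings.append("application any: still port-based, convert with Policy Optimizer")
    if members(entry, "service") != ["application-default"]:
        findings.append("service is not application-default")
    setting = entry.find("profile-setting")
    has_group = setting is not None and setting.find("group/member") is not None
    profiles = setting.find("profiles") if setting is not None else None
    if not has_group and profiles is None:
        findings.append("no Security profiles attached")
    perimeter = bool(set(members(entry, "to")) & PERIMETER_ZONES)
    # A profile group's contents are not visible on the rule, so only check
    # rules that attach individual profiles.
    if perimeter and profiles is not None and profiles.find("url-filtering") is None:
        findings.append("perimeter rule without URL Filtering")
    if members(entry, "source-user") in ([], ["any"]):
        findings.append("no User-ID restriction (source-user any)")
    if entry.find("log-setting") is None:
        findings.append("no Log Forwarding profile")
    return findings


def audit_rulebase(rules_xml):
    rules = ET.fromstring(rules_xml)
    return {e.get("name"): audit_rule(e) for e in rules.findall("entry")}


if __name__ == "__main__":
    for name, findings in audit_rulebase(SAMPLE_RULES).items():
        print(name, "->", findings or "ok")
```

The script reports nothing for allow-email, one finding for allow-web (perimeter rule without URL Filtering), and five for the untouched internet-access rule; run it after each conversion pass to confirm the cloned rules were tightened and not just created.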
If you need help migrating your legacy device configuration to Palo Alto Networks devices, call on Palo Alto
Networks’ Professional Services group, which has a wealth of migration experience you can leverage to
achieve a successful migration and a successful conversion to App-ID.
