Scribd
Upload
188 views

Best Practices For Migrating To Application-Based Policy

Uploaded by

always_red
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
188 views

Best Practices For Migrating To Application-Based Policy

Uploaded by

always_red
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 32

Best Practices for Migrating to

Application-Based Policy
Version 10.0

paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page www.paloaltonetworks.com/documentation/
document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2020-2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
February 2, 2021

2 BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY |


Table of Contents
Best Practices for Migrating to Application-Based Policy......................... 5
Safely Enable Applications Using a Phased Transition...................................................................... 7
Migrate a Port-Based Policy to PAN-OS Using Expedition.............................................................. 9
Migrate to Application-Based Policy Using Policy Optimizer........................................................ 12
Convert Simple Rules with Well-Known Apps After One Week......................................15
Rules to Begin Converting After 30 Days............................................................................. 20
Next Steps to Adopt Security Best Practices.................................................................................... 32

TABLE OF CONTENTS iii


iv TABLE OF CONTENTS
Best Practices for Migrating to
Application-Based Policy
You don’t have to sacrifice better security for application availability. Instead, use Expedition
and Policy Optimizer to automate and reduce the time and effort required to migrate from a
port-based Security policy on a legacy firewall to an application-based Security policy on a Palo
Alto Networks next-generation firewall or Panorama appliance in a phased, safe manner.

> Safely Enable Applications Using a Phased Transition


> Migrate a Port-Based Policy to PAN-OS Using Expedition
> Migrate to Application-Based Policy Using Policy Optimizer
> Next Steps to Adopt Security Best Practices

5
6 BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to
Application-Based Policy
© 2021 Palo Alto Networks, Inc.
Safely Enable Applications Using a Phased
Transition
The glaring weaknesses of port-based Security policy are well known: you can’t see which applications use
a port, so any malicious application can gain access to your network on open ports such as port 80 (HTTP)
or port 53 (DNS). This makes it easier for attackers to install malware, move laterally through the network,
exfiltrate data, and compromise your network because you have no visibility into the applications on your
network and no ability to prevent the threats that their traffic conceals.
In contrast, application-based Security policy using App-ID™ provides visibility into applications regardless
of port, protocol, encryption (SSL or SSH), or evasive tactics, so you know exactly which applications are
on your network and you can inspect their traffic for threats. Application-specific policies enable safe
access because you can configure Security policy rules that allow only the right users to access the right
applications in the right places and you can apply threat prevention profiles to those rules. Using App-ID to
classify applications reduces the attack surface because you allow only the applications required to support
your business on the network and automatically block unwanted applications. Allowing what you want
and blocking everything else is much easier and safer than the endless task of attempting to block all the
individual applications you don’t want.
Migrate to App-ID in phases:

1. Use Expedition to import a legacy rulebase, clean it up, and achieve a like-for-like migration to a Palo
Alto Networks next-generation firewall or Panorama appliance. Expedition is distributed as a virtual
machine (VM).
2. Run the PAN-OS firewall or appliance in your network production environment so it can learn and
categorize the applications on your network.
3. After at least one week of logging traffic, run the Best Practice Assessment (BPA) to set a baseline, and
then use Policy Optimizer to begin safely converting port-based rules to application-based rules and
securing your network. (You can convert some simple rules that allow well-known applications after
about a week; for other rules that see many applications, such as a general outbound internet access
rule, wait at least 30 days to gather application information.) Take a phased approach to safely convert
the rules based on your business needs and priorities.
4. (Optional) After you use Policy Optimizer convert the rulebase to App-ID, reimport the configuration in
to Expedition and use the Rule Enrichment features to further simplify and refine the rulebase.

BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to Application-Based
Policy 7
© 2021 Palo Alto Networks, Inc.
5. Maintain the App-ID deployment as you introduce new applications to your network. Run the BPA after
the first conversion pass through the port-based rules and periodically thereafter to measure progress
and discover other areas to improve security.

Policy Optimizer is available starting with PAN-OS 9.0. If you use Panorama to manage
your next-generation firewalls, you don’t have to upgrade managed firewalls to PAN-OS 9.0
to use Policy Optimizer. You only need to upgrade Panorama to PAN-OS 9.0, send traffic
logs from the managed firewalls to Panorama or Log Collectors running PAN-OS 9.0, and
push policy from Panorama to the firewalls. Managed firewalls need to run PAN-OS 8.1 or
later, and if they connect to Log Collectors, the Log Collectors must run PAN-OS 9.0. This
provides a fast path for qualification so you can use Policy Optimizer to adopt policy based
on App-ID quickly.
Cortex Data Lake supports Policy Optimizer for Panorama devices that run PAN-OS 10.0.4
or later with Cloud Services plugin 2.0 or later.
PA-7000 Series Firewalls support two logging cards, the PA-7000 Series Firewall Log
Processing Card (LPC) and the high-performance PA-7000 Series Firewall Log Forwarding
Card (LFC). Unlike the LPC, the LFC does not have disks to store logs locally. Instead,
the LFC forwards all logs to one or more external logging systems, such as Panorama or
a syslog server. If you use the LFC, the application usage information for Policy Optimizer
does not display on the firewall because traffic logs aren’t stored locally. If you use the LPC,
the traffic logs are stored locally on the firewall, so the application usage information for
Policy Optimizer displays on the firewall. In both cases, the PA-7000 firewall can run PAN-
OS 8.1 (or later) as long as the Log Collectors and Panorama run PAN-OS 9.0 or later.

8 BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to
Application-Based Policy
© 2021 Palo Alto Networks, Inc.
Migrate a Port-Based Policy to PAN-OS Using
Expedition
Use Expedition to import a legacy rulebase, clean it up, and achieve a like-for-like migration to a Palo
Alto Networks next-generation firewall or a Panorama appliance as the first phase in your migration to
an application-based Security policy. Expedition is a great tool for performing bulk operations on multiple
objects in a configuration and supports importing legacy configurations from most major firewall vendors.

This topic summarizes the Expedition workflow. The Live community supports Expedition,
including how to obtain the tool and detailed documentation on how to use the tool.
Palo Alto Networks technical support (TAC) does not provide support for Expedition.

For Expedition migration workflow details, refer to the Expedition User Guide, which also includes
information about how to import objects into a configuration using CSV files and how to import a Day 1
Iron-Skillet configuration.
For managing Expedition, refer to the Expedition Admin Guide, which also includes some user interface
information, and to the Expedition Hardening Guide, which provides advice on how to protect the
Expedition VM.
Before you begin a migration, ensure you meet the following prerequisites:
• Download Expedition to a management device that supports running a VM.
• SSH and/or SSL connectivity to the Palo Alto Networks Panorama and firewalls to which you’re
migrating. SSH access is for connectivity to the CLI and SSL access is for connectivity to the web
interface and to push API commands.
• Operational access to the Palo Alto Networks Panorama and firewalls to which you’re migrating so you
can push the like-for-like configuration to the PAN-OS applicance.

Professional Services has a wealth of migration experience. You can engage the Professional
Services team to help you move a configuration from your legacy devices to Palo Alto
Networks next-generation firewalls and Panorama appliances.

STEP 1 | Review the legacy firewall configuration.


Understand the goals of the legacy rulebase. Document items you need to know for the migration, such
as disabled interfaces on a Juniper SRX device or verifying that traffic is allowed between interfaces with
the same security levels, verifying the state of IPSec tunnels, and gathering pre-shared keys on a Cisco
ASA device.

STEP 2 | Import the legacy configuration into Expedition and make any required modifications to the
configuration.

STEP 3 | Create a new Project in Expedition.

STEP 4 | Import the migrated source (legacy) configuration into the Project and inspect it.
Check the file format, ensure all required files are included, and check Expedition logs and events to
ensure the migrated configuration file loaded correctly. If necessary, modify the migrated source file to
fix issues and then check again. Repeat this step until all issues are fixed.

BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to Application-Based
Policy 9
© 2021 Palo Alto Networks, Inc.
STEP 5 | Import a PAN-OS configuration into the Project to be the Base configuration for the migration.
Get the latest content updates and then import the Base configuration from an existing PAN-OS
appliance (an existing configuration file or the factory default PAN-OS configuration file).

The configuration file should match the PAN-OS version you want to use. For example, to
run PAN-OS 9.0, import a PAN-OS 9.0 configuration file.

STEP 6 | Clean up the migrated configuration to prepare to merge it with the Base PAN-OS
configuration.
• Remove or replace invalid service objects. PAN-OS recognizes only TCP and UDP service ports, and
Expedition automatically migrates TCP and UDP service objects to applications. Search for non-IP-
based applications and services, such as ping and ICMP, which some legacy devices see as services
rather than applications. Replace them with App-ID to classify them as applications and gain visibility
into, inspect, and control the traffic.
• To simplify the configuration and reduce its size, remove or replace other invalid objects and unused
objects and merge duplicate objects.
• Find and remove disabled rules so they don’t clutter the configuration.
• Rename interfaces to match the interfaces on the PAN-OS appliance. The interface names imported
from the legacy device typically don’t match PAN-OS naming conventions.
• When you import the legacy configuration, Expedition automatically assigns zone names. Rename
zones so that their names describe the purpose they fulfill when you migrate the configuration to the
PAN-OS appliance. Ensure zones are mapped correctly to interfaces.
In addition, check the virtual router for static routes. If many static routes exist, use Expedition to
migrate the routes to the PAN-OS configuration. If there are only a few static routes, note them and
then create them manually after you migrate the configuration.

STEP 7 | Merge the migrated configuration with the PAN-OS Base configuration by dragging and
dropping objects from the migrated configuration into the Base configuration.

STEP 8 | Check the merged configuration for duplicate objects that the merge may have created and
remove or merge them.

STEP 9 | Before you export the merged configuration to the PAN-OS appliance, clear the ARP cache
on switches and routers connected to the PAN-OS appliance and on the PAN-OS appliance to
update their ARP tables.
On PAN-OS devices, use the clear arp all CLI command. (If necessary, you can clear the ARP cache
on a per-interface basis using the clear arp <interface> CLI command.)

STEP 10 | Export the merged configuration to the PAN-OS appliance and load the merged configuration.
The method you use depends on how you want to migrate the merged configuration:
• For a new installation on a PAN-OS appliance, Generate XML & Set Output, import the XML file
(configuration), and then load it onto the PAN-OS appliance.
• For an existing PAN-OS installation or if you want to migrate the configuration one part at a time
instead of all at one time, Generate XML & Set Output, import the XML file (configuration), and then
use the load config partial CLI command to select a specific portion of the configuration to
load. You need SSH access to use the CLI on a PAN-OS appliance.
• If the PAN-OS appliance is connected to Expedition, you can also use API calls to send portions of or
the entire configuration to the appliance.

10 BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to
Application-Based Policy
© 2021 Palo Alto Networks, Inc.
STEP 11 | After you export the merged configuration to a PAN-OS appliance and load the configuration,
use Policy Optimizer to convert the port-based policy to application-based policy.

BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to Application-Based
Policy 11
© 2021 Palo Alto Networks, Inc.
Migrate to Application-Based Policy Using
Policy Optimizer
After using Expedition to migrate a like-for-like configuration to a PAN-OS appliance, the next phase is
using Policy Optimizer to simplify the migration to App-ID based Security policy rules. Policy Optimizer
makes the conversion from legacy port-based rules much easier because it automates presenting
application information for each rule with the context you need to understand the information and create
intelligent application-based rules in a single view. Policy Optimizer:
• Learns and remembers all applications seen in traffic for each rule automatically, which eliminates the
need to comb through and analyze reams of log data. Even if logs roll over, Policy Optimizer retains the
application information, so you can be confident you’re seeing all of the applications on a rule.
• Enables you to safely migrate to App-ID without risking application availability.
• Is native to and supported on PAN-OS appliances, so you don’t have to move configurations and data
between the appliance and a non-native tool.
• Provides easy, intuitive sorting and filtering options to help you identify and prioritize which rules are
easiest and safest to convert first.
• Runs on Panorama appliances as well as on individual next-generation firewalls. If you manage your
next-generation firewalls running PAN-OS 8.1 with Panorama, you only have to upgrade Panorama (and
any Log Collectors connected to the managed firewalls) to PAN-OS 9.0 to use and gain the benefits of
Policy Optimizer, so you can qualify and adopt Policy Optimizer faster than if you had to qualify all your
firewalls.
Cortex Data Lake supports Policy Optimizer on Panorama devices that run PAN-OS 10.0.4 or later with
Cloud Services plugin 2.0 or later.
These capabilities result in an easy-to-use tool that saves time and prevents errors when converting port-
based rules to App-ID based rules. Policy Optimizer provides several methods of converting rules:

12 BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to
Application-Based Policy
© 2021 Palo Alto Networks, Inc.
• Create Cloned Rule—Cloning a rule preserves the original port-based rule and places the new App-ID
based rule above the cloned rule. You can clone multiple App-ID based rules from one port-based rule.
For example, you can clone multiple App-ID rules based on application subcategories from a general
web-browsing rule to group applications that require similar access and threat treatment instead of
trying to control all web access for all users in all places in one general, unsecure rule.
There’s no risk to application availability because the port-based rule below the cloned rule acts like a
safety net. If the cloned (App-ID) based rule doesn’t match all the applications you need to allow, you’ll
see those applications hit the port-based rule below the cloned rule and you can make adjustments. You
can remove the port-based rule when no traffic you want to allow matches the port-based rule for a
reasonable period of time, completing the conversion of that rule to an App-ID based rule.
• Add to This Rule—Adding applications to the rule replaces the port-based rule with an App-ID based
rule, which removes the port-based rule from the rulebase and doesn’t provide the safety net that
cloning provides. Use Add to This Rule only when you’re sure you know all the applications you want
the rule to control. Rules that have seen only a few applications and for which you’re confident you
know the required applications for your business are candidates for Add to This Rule. It’s safest to clone
rules that have seen many applications and rules that may see more applications you need to allow.
If you miss adding an application to a rule, you lose availability to that application unless another rule
allows it, while cloning the rule retains the port-based rule as a safety net.
• Add to Existing Rule—Adding applications to an existing rule does not replace the original port-based
rule, which remains in the rulebase. Add to Existing Rule enables you to select any previously configured
rule and add applications to it.
When you add applications to an existing application-based rule, the firewall removes those applications
from the port-based rule and adds them to the selected application-based rule. The added applications
use the same Source, Destination, Service, etc., as the other applications on the application-based rule.
When you add applications to another existing port-based rule, the firewall removes those applications
from the original port-based rule and adds them to the other port-based rule. This converts the other
port-based rule to an application-based rule that controls only the applications you added to the rule.

BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to Application-Based
Policy 13
© 2021 Palo Alto Networks, Inc.
If you convert part of a port-based rule this way, go to the rule and change the Service to application-
default to prevent the applications from using non-standard ports (also, the Service configured on the
rule may not match the application).
• Match Usage—Matching a port-based rule’s usage replaces the port-based rule with an App-ID based
rule that contains all of the applications seen on that rule. Use Match Usage only when the rule has seen
a small number of well-known applications that have legitimate business purposes. A good example is
TCP port 22, which should allow only SSH traffic. If SSH is the only application seen on a port-based rule
for port 22, you can safely Match Usage and convert the rule to an App-ID rule.
To Create Cloned Rule, Add to This Rule, or Add to Existing Rule, you must select at least one application
from Apps Seen.

Applications used only for quarterly or yearly events may not appear in the application
information if the history isn’t long enough to capture their latest activity. Be aware of these
types of applications when you convert rules.

When you convert a port-based rule to an application-based rule, Policy Optimizer makes no other changes
to the rule aside from converting services to App-IDs. In most cases, after you convert a rule, you should
change the Service to application-default so that only the applications which legitimately use the port can
access the port and to prevent evasive applications from gaining network access by using a non-standard
port.

If business needs require allowing applications such as internal custom applications on


non-standard ports between particular clients and servers, restrict the exception to only the
required applications, sources, and destinations. Consider rewriting custom applications to
use application-default ports.

Before you use Policy Optimizer to convert port-based rules to App-ID based rules:
1. Complete the like-for-like migration of the legacy configuration to a Palo Alto Networks next-generation
firewall or Panorama appliance from Expedition.
2. Run the PAN-OS appliance in your production network for about a week before you start converting
rules to App-ID so the appliance can begin to learn and categorize the applications on the network. You
can convert some simple rules quickly (for example, a port 22 rule should only allow SSH traffic and is
easy to convert), while you need to allow the firewall to gather application data from traffic for a longer
period of time for other rules, such as your internet access (port 80/433) rule.
3. Run the Best Practice Assessment (BPA) to set a baseline against which to compare progress.
4. Set realistic goals. Think about what you want the end result to look like. When you reach the goal, run
the BPA again to confirm that you reached the goal, and then reevaluate whether you can go farther and
make your network even safer. With Policy Optimizer, you don’t sacrifice availability for security, you
just improve security.
Convert rules in phases. You can convert some simple port-based rules that allow well-known applications
to App-ID based rules after the PAN-OS appliance has as little as one week of logs (Policy Optimizer
discovers the applications seen on rules by reading logs). For other rules that see many applications, such as
a general web access rule, wait at least 30 days to gather application information.

Professional Services has a wealth of migration experience. You can engage the Professional
Services team to help you move a configuration from your legacy appliances to Palo Alto
Networks next-generation firewalls and Panorama appliances.

• Convert Simple Rules with Well-Known Apps After One Week


• Rules to Begin Converting After 30 Days

14 BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to
Application-Based Policy
© 2021 Palo Alto Networks, Inc.
Convert Simple Rules with Well-Known Apps After One Week
After a week of monitoring production traffic, you can safely begin to convert simple port-based rules to
App-ID based rules. Good candidates include rules for which only one or a small number of well-known
applications should legitimately use the port because it’s fairly easy to determine which applications you
want to allow on a simple rule. Examples include port 21 (FTP), port 22 (SSH), and port 53 (DNS).
Install the latest Content Updates before you begin converting rules to ensure you have the latest
application signatures on your PAN-OS appliance. This example shows you how to sort port-based rules to
find candidates for safe conversion and the options for converting those port-based rules directly to App-ID
based rules.

STEP 1 | In Policies > Security > Policy Optimizer > No App Specified, select Apps Seen and Sort
Ascending (or click Apps Seen to reverse the current display order) to find the port-based rules
that have seen the fewest applications.

The port-based rules that have seen the fewest applications are at the top of the No App Specified
display. You can safely convert rules for specific services, such as SSH, directly to application-based rules
and you can examine rules that have seen few applications to see if you can safely convert them.
The port-based rule intended to allow Server Message Block (SMB) traffic has seen only three
applications since migrating the configuration to the PAN-OS appliance and therefore is a candidate for
conversion.

STEP 2 | Click the Apps Seen number or Compare to examine the applications seen on the rule.
Applications & Usage shows the applications actually seen in the traffic that match the rule.

BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to Application-Based
Policy 15
© 2021 Palo Alto Networks, Inc.
STEP 3 | Evaluate whether you want to allow all, some, or none of the applications seen on the rule and
select the applications you want to allow.
You can match the exact usage of the rule, future-proof the rule by adding the container apps, or select
individual applications to add to the rule.
• If you want the rule to allow all applications exactly as matched on the rule:
1. Select all Applications in Apps Seen).
2. Click Match Usage.
3. Click OK to convert the port-based rule to an App-ID based rule.
4. Set the Service to application-default so that no evasive, malicious applications can use the port.
• If you want to allow all or some of the applications seen on the rule or future-proof the rule by
adding their container applications (so all applications within each container are allowed and
applications added to the container app later are automatically allowed):
1. Select all the applications and then Add to This Rule.

16 BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to
Application-Based Policy
© 2021 Palo Alto Networks, Inc.
The gray-shaded applications are the container apps. The green-shaded applications are the
applications seen on the rule. The unshaded applications belong to the same container app but
have not been seen on the rule.
By default, Add container app is selected, so all of the applications in the container are also
selected by default.
2. If you only want the rule to include the applications that matched the rule, select Add container
app. Only applications seen on the rule are added to the rule. The container app and the
applications on the rule that have not matched the rule are not selected. Click OK to select just
the applications seen on the rule.

BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to Application-Based
Policy 17
© 2021 Palo Alto Networks, Inc.
If you want to include the container app and all of its applications in the rule, leave the selection
as Add container app and then click OK. Only the container apps appear in Apps on Rule because
they include (allow) all of the applications they contain, which also “future proofs” the rule by
allowing applications added to the container in the future:

3. Click OK on the Usage tab to convert the rule.


4. Set the Service to application-default so that no evasive, malicious applications can use the port.

18 BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to
Application-Based Policy
© 2021 Palo Alto Networks, Inc.
• If you want to select the applications to allow within a container app, select those applications and
then click Add to This Rule. For example, if you decide not to allow msrpc-base and select only ms-
ds-smbv2 and ms-ds-smbv3 and Add to Rule, Policy Optimizer shows you the related applications in
the container app (ms-ds-smb, shaded gray) and provides the opportunity to future-proof the rule by
adding those applications:
1. Select the applications you want to allow and then click Add to This Rule.
For example, if you decide not to allow msrpc-base and select only ms-ds-smbv2 and ms-ds-
smbv3 and Add to This Rule, Policy Optimizer shows you the related applications in the container
app (ms-ds-smb, shaded gray) and provides the opportunity to future-proof the rule by the
container app with all of its current and future applications:

The green-shaded applications are the applications seen on the rule. The unshaded applications
belong to the same container app but have not been seen on the rule.
2. You can allow all of the applications or select which applications to allow.
To allow all the container app and all of its current and future applications, click OK. Apps on Rule
shows the selected applications. Click OK to convert the rule.
To allow only selected applications, deselect the undesired applications. If you deselect an
application in a container, the container app is also deselected so that it doesn’t automatically
allow its child apps.

BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to Application-Based
Policy 19
© 2021 Palo Alto Networks, Inc.
3. Click OK. Apps on Rule shows the selected applications.
4. Click OK to convert the rule.
5. Set the Service to application-default so that no evasive, malicious applications can use the port.

Rules to Begin Converting After 30 Days


After 30 days of monitoring production traffic, you can safely begin to convert the rest of the port-based
rules to App-ID based rules and clean up the rulebase. A good place to start is with cleaning up unused
rules to reduce the attack surface. After that, start converting rules to App-ID at the perimeter with
your outbound internet access (port 80/443) rule, because that rule likely sees more traffic with more
applications than any other rule, which also means it’s the rule that carries the most risk.
Install the latest Content Updates before you begin converting rules to ensure you have the latest
application signatures on your PAN-OS appliance.
Policy Optimizer provides many intuitive ways to sort, filter, and prioritize which rules to convert first. After
you remove unused rules and convert the web access rule to App-ID, the rules you choose to prioritize
depend on your business and security requirements. The following sections provide ideas and methods for
using simple yet powerful sorting and filtering options to identify and prioritize rules to convert after the
first 30 days:
• Remove Unused Rules
• Convert the Most Stable Rules
• Convert Internet Access Rules
• Convert Rules That See the Most Traffic
• Convert Rules with Few Apps Seen Over a Time Period

20 BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to
Application-Based Policy
© 2021 Palo Alto Networks, Inc.
Remove Unused Rules
The migrated rulebase often contains rules that aren’t in use because no application traffic matches those
rules. Unused rules clutter the rulebase and offer avenues of attack to adversaries. Remove these rules to
clean up the rulebase and reduce the attack surface, or modify them so they apply to application traffic and
serve a legitimate purpose in the rulebase.
Unused rules may exist for a number of reasons. Rules governing services and applications that the business
once used but replaced with other applications may be in the rulebase. A rule that precedes an unused rule
may control the applications that would otherwise match the unused rule. In some cases, unused rules are
old rules created by administrators who are no longer with the company and no current administrators
know the rule’s intent.
View rules over any Timeframe you choose (Policies > Security > Policy Optimizer > Rule Usage). Set the
Usage to Unused to filter out rules that have seen application traffic.

STEP 1 | Identify unused rules.


In Policies > Security > Policy Optimizer > Rule Usage, set the Timeframe to All time, set the Usage
to Unused (to display only rules with a Hit Count of zero), and Exclude rules reset during the last 30
days (to prevent displaying recently reset rules that may not have seen traffic over the last few days but
that may see traffic over a longer time period). The result is a list of rules that have not seen application
traffic over the selected Timeframe.

STEP 2 | Evaluate rules that have seen no traffic and determine if they are needed or if you can disable
them.
In this example, the business used Tsunami file transfer in the past, but investigation shows that the
business no longer uses Tsunami, so there is no reason to allow Tsunami application traffic on the
network.

STEP 3 | Disable or Delete the rule.


In Policies > Security, select the Tsunami file transfer rule and either Disable or Delete the rule.
Disabling the rule is safer in case it turns out that your business needs the application, even though it
hasn’t seen any traffic. (This may happen if you don’t take quarterly and annual events into account
when investigating whether the business uses an application or if the application is required for a
contractor or partner whose traffic only accesses the network periodically.) After a reasonable period of
time, delete unused rules that you disabled earlier.

BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to Application-Based
Policy 21
© 2021 Palo Alto Networks, Inc.
Convert the Most Stable Rules
Convert port-based rules that have not seen new applications for a reasonable period of time, which
means the rules have stabilized and you’re less likely to see new applications on them. Clone these rules to
ensure that if more applications match the rule later, the port-based rule remains in the rulebase as long as
necessary as a safety net.

Take applications used only for quarterly, annual, and other periodic events into account
when you evaluate whether you think new applications will match the rule.

STEP 1 | In Policies > Security > Policy Optimizer > No App Specfied, sort the rules (descending) to
show the rules with highest number of Days with No New Apps at the top of the list.

The first three rules have seen no new applications for more than 30 days and are candidates for
conversion to App-ID. (Convert Simple Rules with Well-Known Apps After One Week describes
converting rules with few Apps Seen, such as the smb rule, so this example focuses on the allow-apps
rule.)

Check the Modified date because rules that haven’t been modified for a long time are
also likely to be more stable. Rules that were modified recently may not have seen all the
applications that could match the rule.

Because more than a few applications have been seen on the rule, clone the rule instead of converting it
directly to an App-ID based rule.

STEP 2 | Click the number of Apps Seen to open the Applications & Usage dialog.

22 BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to
Application-Based Policy
© 2021 Palo Alto Networks, Inc.
STEP 3 | Sort and filter the Apps Seen on the rule to determine how to handle the applications.
Sorting or filtering by subcategory helps you understand the traffic seen on rules that see more
than a few applications. For example, you can filter by the infrastructure subcategory to see all the
infrastructure applications and clone an App-ID based rule to control them.

BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to Application-Based
Policy 23
© 2021 Palo Alto Networks, Inc.
STEP 4 | Follow Step 4 through Step 7 in Convert Internet Access Rules to create a cloned rule that
controls each subcategory (or related subcategories) of applications you want to treat similarly.

Convert Internet Access Rules


An internet access rule controls traffic on port 80 (HTTP) and port 443 (HTTPS). This rule usually sees the
largest number of applications and the greatest amount of traffic in bytes. A port-based internet access
rule may allow applications you don’t want on your network and expose it to attacks. Control and safely
enable the applications you allow on those ports by converting the port-based internet access rule to a set
of application-based rules. To do this, you need to understand which applications your company sanctions
for business use and which applications your company tolerates for other purposes.
A good conversion method is to group applications that require similar treatment in the same rule instead
of creating separate rules for each application to help prevent rulebase bloat. Use Policy Optimizer to sort
the applications seen on a rule by application subcategory so you can see all the applications on a rule for
a particular subcategory, select the applications your business uses, and then clone a rule to control those
applications. Policy Optimizer offers many sorting and filtering options to organize and analyze applications
seen on a rule.
Clone the rule instead of directly converting it to ensure application availability. Cloning a rule retains
the original port-based rule and places the cloned application-based rule directly above the port-based
rule in the Security rulebase. Create different internet access rules from the original port-based rule for
groups of applications you want to treat differently, without risking application availability. Easily see which
applications match the cloned rule and which applications filter through to the original port-based rule and
then adjust the rules as needed. When no applications you want to allow match the port-based rule for
a long enough period of time to be confident that you’ve accounted for all the applications the business
requires, you can disable (or delete) the port-based rule, which finishes the conversion without risking
application availability.

24 BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to
Application-Based Policy
© 2021 Palo Alto Networks, Inc.
Use the same method to convert other rules that have seen more than a few well-known applications.
Use Policies > Security > Policy Optimizer > No App Specified information to help prioritize which
rules to convert after you convert the internet access rules. For example, you could prioritize based on a
combination of most Apps Seen and most traffic over the last 30 days (Traffic (Bytes, 30 days)) to convert
the most-used rules, or you could look at Days with No New Apps and the Modified date to find rules that
have seen many applications but are also more stable.
This example shows you how to clone an application-based rule that controls general business applications
from a port-based internet access rule. Use the same cloning process to create application-based rules
safely for different subcatgories and individual applications seen on any port-based rule.

STEP 1 | Navigate to Policies > Security > Policy Optimizer > No App Specfied and find the port-based
rule(s) that control internet access.
Use the filter (service/member eq ‘service-http’) and (service/member eq
‘service-https’) to find the port-based rule(s) configured with service-http and service-https,
which is the internet access rule (or rules).

STEP 2 | Click Compare or the number of Apps Seen to open the Applications & Usage dialog.

STEP 3 | Sort Apps Seen by application subcategory to group similar applications that may be
appropriate to control in the same Security policy rule.
Sort by Subcategory to group the applications seen on the rule:

BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to Application-Based
Policy 25
© 2021 Palo Alto Networks, Inc.
You can also filter by a particular subcategory to see only the applications that belong to that
subcategory. In this example, to create an App-ID based rule to control general-business applications,
filter to view only the general business applications seen on the rule:

26 BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to
Application-Based Policy
© 2021 Palo Alto Networks, Inc.
STEP 4 | Select the applications you want to allow and then Create Cloned Rule to clone the new
application-based rule from the port-based rule.
In this example, the company uses four of the applications but has not used one of the applications for a
long period of time, which you can see in the Last Seen and Traffic (30 Days) columns. Based on usage
and company-sanctioned applications, the company chooses not to allow the application that it isn’t
using.

BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to Application-Based
Policy 27
© 2021 Palo Alto Networks, Inc.
STEP 5 | In the Clone dialog, select the applications associated with each container app that you want to
allow.
Give the new rule a Name that describes its purpose—in this example, general-business-apps. Decide
if you want to allow only specific applications from each container app or if you want to allow the
container app. Allowing the container app allows all of the applications in the container. This future-
proofs the rule by automatically allowing new applications if they are added to the container app, which
helps ensure application availability. By default, all of the applications are selected. The container apps
are shaded gray, applications that have been seen on the rule are shaded green, and applications in the
container app that haven’t been seen on the rule are italicized and not shaded.
In this example’s illustration, you can see the gray-shaded container apps “adobe-creative-cloud” and
“windows-azure”, applications seen on the rule in green (“adobe-creative-cloud-base” and “windows-
azure-base”), and two applications that have not been seen on the rule in italics (“adobe-creative-cloud-
uploading” and “azure-log-analytics”). The example shows that the application “adobe-creative-cloud-
uploading” is deselected, which also automatically deselects its container app (“adobe-creative-cloud”)
while all of the “windows-azure” applications remain selected, so the “windows-azure” container app
remains selected.

28 BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to
Application-Based Policy
© 2021 Palo Alto Networks, Inc.
Deselect an application if you don’t want users to have access to that particular application. However,
if new applications are added to the “adobe-creative-cloud” container app, the firewall will not
automatically allow them because the container app is deselected. Conversely, if new applications are
added to the “windows-azure” container app, the firewall will automatically allow them, which future-
proofs the rule.

STEP 6 | Click OK to return to the Security policy rule Usage tab and then click OK again to create
the rule. The firewall places the rule above the port-based rule in the Security policy rulebase
(Policies > Security).

BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to Application-Based
Policy 29
© 2021 Palo Alto Networks, Inc.
If you select a container app, Policy Optimizer adds only the container app to the rule because the
container app includes all of the applications. The red gear for “adobe-creative-cloud-base” indicates that
it is an individual application, not a container app.

STEP 7 | Click the rule Name or a Service and change the Service to application-default to prevent
evasive applications from gaining access on a non-standard port.

STEP 8 | Whenever you need to allow other sanctioned general business applications, add them to the
general-business-apps rule, and remove applications from the rule if you no longer use them.

Convert Rules That See the Most Traffic


Sorting for rules that have seen the most traffic over the past 30 days (Traffic (Bytes, 30 days)) shows you
the current most active rules. (A longer time frame places can mislead you by emphasizing older rules that
remain at the top of the list because they have large cumulative totals, even if they no longer see much
traffic.) Converting these rules to App-ID based rules safeguards the largest amount of traffic for your
effort.
If multiple rules see a lot of traffic, use the Policies > Security > Policy Optimizer > No App Specified
information to help prioritize which rules to convert first. For example, you could prioritize rules with the
most Apps Seen (potentially the riskiest rules) or rules the with most Days with No New Apps and the
oldest Modified date (the most stable high-traffic rules).

STEP 1 | In Policies > Security > Policy Optimizer > No App Specfied, sort the rules in descending order
by Traffic (Bytes, 30 days) to place the most recently active rules at the top of the list.

STEP 2 | Select a rule to begin converting and click the number of Apps Seen.

STEP 3 | In the Applications & Usage dialog, sort and filter the Apps Seen on the rule to determine how
to handle the applications.
Sort or filter by application subcategory to group applications that may require similar treatment and can
be controlled in one application-based rule. Sort on Traffic (30 days) to see the amount of recent traffic
on individual applications to prioritize the currently most active applications.

STEP 4 | Follow Step 4 through Step 7 in Convert Internet Access Rules to create a cloned rule that
controls each subcategory (or related subcategories) of applications you want to treat similarly.

Convert Rules with Few Apps Seen Over a Time Period


Rules with relatively few Apps Seen and with no new applications seen over a long enough time period may
be easy to convert, relatively stable, and easy to identify using filters.

30 BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to
Application-Based Policy
© 2021 Palo Alto Networks, Inc.
STEP 1 | In Policies > Security > Policy Optimizer > No App Specfied, filter the rules to display only
rules with a low number of Apps Seen and that have seen no applications over a specific time
period.

This example filters for rules that have seen three or fewer applications (apps seen count leq
‘3’) and for which no applications have been seen for at least 30 days (days no new app count
geq ‘30’).

STEP 2 | Select a rule to convert and click the number of Apps Seen.

STEP 3 | In the Applications & Usage dialog, decide whether you want to allow all of the applications
and if they should be in the same rule—that is, decide whether the applications require similar
treatment in terms of access and security.
If you want to allow all of the applications and they require similar treatment, you can Match Usage and
replace the port-based rule with the new App-ID based rule.
If you want to allow all of the applications but they require different treatment, clone the rule for each
set of applications that requires different treatment. For example, if a port-based rule allows three
applications and two of them are email applications and one is an infrastructure application, you may
want to clone one rule for the email applications and another for the infrastructure application.
If you want to allow some applications and deny others:
• Clone one or more rules for the applications you want to keep and monitor the original port-based
rule to ensure that the applications you don’t want to keep are the only ones that match that rule.
When enough time has passed that you feel confident no applications you want to allow match the
port-based rule, you can disable or delete it. Step 4 through Step 7 in Convert Internet Access Rules
show how to create a cloned rule.
• If you’re confident you know which applications you want to allow and which applications you want
to block:
• If the applications you want to allow require similar treatment, use Add to This Rule to replace the
port-based rule with an application-based rule that allows only the applications you added to the
rule. The applications you don’t add to the rule are blocked unless you allow them in another rule.
• If the applications you want to allow require different treatment, clone application-based rules
for the applications you want to allow from the port-based rule. If you’re still confident it’s OK to
block the remaining applications, you can disable (or delete) the port-based rule.

BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to Application-Based
Policy 31
© 2021 Palo Alto Networks, Inc.
Next Steps to Adopt Security Best Practices
After you finish your first pass at converting port-based rules to application-based rules, consider the
following steps to strengthen your Security policy rulebase and improve network security:
• Use Expedition’s Rule Enrichment capability, which uses machine learning to examine and consolidate
your policy configuration.
• Run the Best Practice Assessment (BPA) regularly to measure progress toward achieving your App-ID
adoption goal and to identify additional weaknesses. When you reach your goal, use the BPA to identify
areas where you can continue to improve adoption and further safeguard your network.
• Policy Optimizer converts port-based rules to App-ID based rules but doesn’t change anything else
about the rules. After you convert legacy rules to App-ID based rules, tighten the rules to reduce the
attack surface and increase visibility:
• Set the Service to application-default to prevent applications from using non-standard ports. For
internal custom applications, define default ports and then apply application-default.
• At the perimeter (internet gateway), for web applications, use URL Filtering categories to prevent
access to risky websites.
• Configure User-ID to control who has access to applications.
• Configure Log Forwarding to centralize the logs from multiple PAN-OS appliances, to send email
alerts to specific administrators or groups for specific alerts, and to preserve logs for historical
analysis.
• Configure best practice Security profiles for Antivirus, Anti-Spyware, Vulnerability Protection, File
Blocking, and WildFire Analysis, and apply them to App-ID Security policy rules.
• Consider using Iron-Skillet templates, available on GitHub, to get started and bootstrap your initial
best practice configuration.
• Maintain the App-ID deployment. As you add rules for new applications, including internal custom
applications, create App-ID based rules that help keep your network safe. Don’t revert to using port-
based rules that don’t give you visibility into application traffic or allow you to inspect and control it.
Learn more about App-ID in the PAN-OS Administrator’s Guide.
• As you tighten up the Security policy rulebase, consider applying other protections to your network,
such as best practices for decrypting traffic and for DoS and Zone protection.
If you need help migrating your legacy device configuration to Palo Alto Networks appliances, contact
the Palo Alto Networks’ Professional Services group, which has a wealth of migration experience you can
leverage to achieve a successful migration and a successful conversion to App-ID.

32 BEST PRACTICES FOR MIGRATING TO APPLICATION-BASED POLICY | Best Practices for Migrating to
Application-Based Policy

You might also like