Saturday, April 20, 2019

Palo Alto Networks - How to Safely Enable Applications - Part II

My previous post details the problems associated with a legacy layer 4-based security policy approach, and how organizations can move to a layer 7-based positive control model that reduces attack surface in a manual but very methodical way.

If you haven't read that post yet, I would recommend you do so prior to continuing with this one.

With the release of PAN-OS 9.0, a new feature called Policy Optimizer is now available. This capability allows for organizations to take the same approach that is detailed in my previous post, but in a much more automated way.

In the scenario above, there is a rule allowing any application over any port out to the Internet. On the same page (Policies tab), administrators can now navigate to Policy Optimizer to begin migrating legacy rules to App-ID.


Selecting the No App Specified option allows administrators to analyze which applications are hitting each security policy rule. Selecting the compare option for a specific rule brings up the following window:


As shown above, 81 different applications have matched the trust-untrust - allow - home rule since it was created, and they can now either be added to the existing rule or used to create a clone. My recommendation is similar to my previous post from a process standpoint. The best option is to create a clone, because the legacy rule left in place below it acts as a failsafe: anything the new App-ID rule misses still matches the legacy rule, so production traffic is not disrupted (below). As time goes on, the original rule can slowly be phased out.
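To make the failsafe concrete, here is an added simulation (my own example code, not part of the original post and not a Palo Alto Networks tool) of first-match rulebase evaluation. The rule names, application names and session list are constructed for the illustration. It shows that with the App-ID clone placed above the legacy any-application rule, applications not yet listed in the clone fall through to the legacy rule instead of the implicit deny, and that the legacy rule's hit counts are exactly the list of applications still waiting to be migrated, which is the information Policy Optimizer surfaces.

```python
"""Constructed simulation of PAN-OS style first-match policy evaluation.

Shows why a cloned App-ID rule placed above the legacy any/any rule is a safe
migration step: unmigrated applications keep matching the legacy rule below,
and the legacy rule's hits tell you what still needs to move into the clone.
All names and sessions here are constructed for the example.
"""
from collections import Counter

IMPLICIT_DENY = "interzone-default (deny)"

# Legacy rule from the post: any application, out to the Internet (constructed representation).
LEGACY_RULE = {"name": "trust-untrust - allow - home", "apps": {"any"}, "action": "allow"}


def make_clone(legacy, apps, suffix=" - appid"):
    """Clone a legacy rule, restricting it to an explicit set of App-IDs."""
    return {"name": legacy["name"] + suffix, "apps": set(apps), "action": legacy["action"]}


def first_match(rulebase, app):
    """Return the first rule matching the application, or None for implicit deny."""
    for rule in rulebase:
        if "any" in rule["apps"] or app in rule["apps"]:
            return rule
    return None


def evaluate(rulebase, sessions):
    """Map each rule name to a Counter of the applications that hit it."""
    hits = {}
    for app in sessions:
        rule = first_match(rulebase, app)
        name = rule["name"] if rule else IMPLICIT_DENY
        hits.setdefault(name, Counter())[app] += 1
    return hits


def unmigrated_apps(hits, legacy_name):
    """Applications still landing on the legacy rule: candidates to add to the clone."""
    return sorted(hits.get(legacy_name, Counter()))


if __name__ == "__main__":
    # Constructed traffic sample: ssh has not yet been added to the clone.
    sessions = ["web-browsing", "ssl", "dns", "ssh", "web-browsing"]
    clone = make_clone(LEGACY_RULE, {"web-browsing", "ssl", "dns"})

    # Recommended ordering: clone above, legacy rule kept below as the failsafe.
    safe = evaluate([clone, LEGACY_RULE], sessions)
    print("still on legacy rule:", unmigrated_apps(safe, LEGACY_RULE["name"]))

    # Removing the legacy rule too early turns every miss into a denied session.
    early = evaluate([clone], sessions)
    print("denied after premature removal:", dict(early.get(IMPLICIT_DENY, {})))
```

Run with the legacy rule in place and the only application reported as unmigrated is ssh; remove the legacy rule before adding ssh to the clone and that traffic is denied, which is the production disruption the clone-first approach avoids.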


This approach essentially provides organizations with a way to take the same methodical approach described in my previous post, but in a more automated way.