Why use Security Policy Optimizer and what are the benefits?

Created On 07/26/19 01:52 AM - Last Modified 06/08/20 03:12 AM


Environment


  • PAN-OS 9.0
  • Security rules
  • Panorama or firewall



Answer


Why do you want to use Security Policy Optimizer?
  • Policy Optimizer is a feature introduced in PAN-OS 9.0 that gives you more visibility into, and control over, the applications used in Security policy rules, so that you can safely enable them. It identifies port-based rules so you can convert them to application-based whitelist rules, or add applications to existing rules, without compromising application availability.
  • It also identifies rules configured with unused applications. Policy Optimizer information helps you analyze rule characteristics and prioritize which rules to migrate or clean up first.

What are the benefits?
  • Convert port-based rules to application-based rules.
  • Allow only the applications each rule needs and deny all other applications, which improves the security posture (the Security policy exposes less attack surface).
  • Identify and clean up unused applications in existing rules.
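The two rule categories described above (port-based rules that allow "any" application on specific services, and overly broad any/any allow rules) can be checked locally on an exported configuration. The script below is an added example, not Policy Optimizer itself and not Palo Alto Networks code: it parses the PAN-OS XML config layout for the Security rulebase, classifies each allow rule, and returns the rules to migrate first. The embedded config is a constructed sample, not a real export.

```python
"""Triage a PAN-OS security rulebase for port-based and any/any allow rules.

Added example: a local first-pass check in the spirit of Policy Optimizer's
"port-based rule" identification. It only looks at the rule definition; it
has no traffic-log data, so it cannot report unused applications.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the PAN-OS XML configuration layout (not a real export).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="legacy-web">
        <from><member>trust</member></from><to><member>untrust</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <application><member>any</member></application>
        <service><member>service-http</member><member>service-https</member></service>
        <action>allow</action>
      </entry>
      <entry name="app-based-dns">
        <from><member>trust</member></from><to><member>untrust</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <application><member>dns</member></application>
        <service><member>application-default</member></service>
        <action>allow</action>
      </entry>
      <entry name="any-any-temp">
        <from><member>trust</member></from><to><member>untrust</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <application><member>any</member></application>
        <service><member>any</member></service>
        <action>allow</action>
      </entry>
      <entry name="deny-all">
        <from><member>any</member></from><to><member>any</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <application><member>any</member></application>
        <service><member>any</member></service>
        <action>deny</action>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""


def members(entry, tag):
    """Return the <member> values under a child element such as <application>."""
    return [m.text for m in entry.findall(f"./{tag}/member")]


def classify_rule(entry):
    """Classify one <entry> of the security rulebase.

    any-any    : allow rule with application any and service any
    port-based : allow rule with application any but specific services/ports
    app-based  : allow rule that already names its applications
    not-allow  : deny/drop/reset rules, which need no app whitelisting
    """
    if entry.findtext("action") != "allow":
        return "not-allow"
    apps = members(entry, "application")
    services = members(entry, "service")
    if "any" in apps and "any" in services:
        return "any-any"
    if "any" in apps:
        return "port-based"
    return "app-based"


def triage_rulebase(xml_text):
    """Map rule name -> classification for every security rule in the config."""
    root = ET.fromstring(xml_text)
    return {
        entry.get("name"): classify_rule(entry)
        for entry in root.iterfind(".//rulebase/security/rules/entry")
    }


def migration_candidates(xml_text):
    """Rules to convert first, broadest exposure first: any-any, then port-based."""
    classified = triage_rulebase(xml_text)
    order = {"any-any": 0, "port-based": 1}
    return sorted(
        (name for name, kind in classified.items() if kind in order),
        key=lambda name: (order[classified[name]], name),
    )


if __name__ == "__main__":
    for name, kind in triage_rulebase(SAMPLE_CONFIG).items():
        print(f"{name:15} {kind}")
    print("migrate first:", migration_candidates(SAMPLE_CONFIG))
```

Run it against a saved configuration (Device > Setup > Operations > Export named configuration snapshot, or the file produced by `show config running` redirected to a file) by replacing SAMPLE_CONFIG with the file contents; the XPath `.//rulebase/security/rules/entry` also matches a Panorama pre-rulebase or post-rulebase export. Unused-application detection still requires the firewall's own App-ID usage data, which is what Policy Optimizer adds on top of this static view.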

How to Enable/Disable Policy Optimizer
  • GUI: Navigate to Device > Setup > Management > Policy Rulebase Settings > Policy Application Usage
(Screenshot: the Policy Application Usage setting in the web interface, used to enable or disable Policy Optimizer)
  • CLI: Enter the command below in configuration mode (yes enables the feature, no disables it)
[edit]
admin@LabPA-VM1# set deviceconfig setting management appusage-policy <yes|no>


Additional Information


Caveats:

  • In PAN-OS 9.0 Policy Optimizer is enabled by default
  • VM-50 Lite virtual firewalls do not support the Policy Optimizer feature
  • Firewalls need to be running PAN-OS version 9.0 and have App-ID enabled
  • Panorama needs to be running PAN-OS version 9.0 (can be used to optimize security rules for Firewalls running PAN-OS 8.1)
Helpful links:


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMThCAO&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail