Why use Security Policy Optimizer and what are the benefits?
10054
Created On 07/26/19 01:52 AM - Last Modified 06/08/20 03:12 AM
Environment
- PAN-OS 9.0
- Security rules
- Panorama or firewall
Answer
Why do you want to use Policy Optimizer?
- Policy Optimizer, introduced in PAN-OS 9.0, gives you more visibility into, and control over, application usage in Security policy rules so that applications can be enabled safely. It identifies port-based rules so you can convert them to application-based whitelist rules, or add applications to existing rules, without compromising application availability.
- It also identifies rules configured with applications that have not been used. This information helps you analyze rule characteristics and prioritize which rules to migrate or clean up first.
What are the benefits?
- Converting port-based rules to application-based rules.
- Allowing only the applications a rule actually needs and denying all others, which improves the security posture (the Security policy exposes a smaller attack surface).
- Identifying and cleaning up unused applications in rules.
How to Enable/Disable Policy Optimizer
- GUI: Navigate to Device > Setup > Management > Policy Rulebase Settings > Policy Application Usage
- CLI: Enter the command below in configuration mode, then commit the change
[edit] admin@LabPA-VM1# set deviceconfig setting management appusage-policy <yes|no>
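The two checks above (is Policy Optimizer turned on, and which rules are still port-based) can also be done offline against an exported configuration, for example when auditing many firewalls at once. The script below is an added example, not code from this article or from Palo Alto Networks. It assumes the running-config XML mirrors the CLI path on this page (deviceconfig > setting > management > appusage-policy) and the usual rulebase/security/rules layout; the config snippet is constructed for the example. A missing appusage-policy element is treated as enabled, because PAN-OS 9.0 enables the feature by default. The "unused applications" part of Policy Optimizer needs the firewall's own traffic statistics and cannot be reproduced from a config file, so it is not covered here.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of a PAN-OS running-config export (assumption: the XML
# mirrors the CLI path "set deviceconfig setting management appusage-policy"
# and the normal rulebase/security/rules layout; trimmed to the parts we read).
SAMPLE_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <setting>
          <management>
            <appusage-policy>no</appusage-policy>
          </management>
        </setting>
      </deviceconfig>
      <vsys>
        <entry name="vsys1">
          <rulebase>
            <security>
              <rules>
                <entry name="legacy-web">
                  <application><member>any</member></application>
                  <service><member>service-http</member><member>service-https</member></service>
                  <action>allow</action>
                </entry>
                <entry name="ssh-admin">
                  <application><member>ssh</member></application>
                  <service><member>application-default</member></service>
                  <action>allow</action>
                </entry>
                <entry name="allow-any">
                  <application><member>any</member></application>
                  <service><member>any</member></service>
                  <action>allow</action>
                </entry>
                <entry name="deny-all">
                  <application><member>any</member></application>
                  <service><member>any</member></service>
                  <action>deny</action>
                </entry>
              </rules>
            </security>
          </rulebase>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>"""


def policy_optimizer_enabled(config_xml: str) -> bool:
    """True if appusage-policy is 'yes' or absent from the config.

    Absent counts as enabled: PAN-OS 9.0 turns the feature on by default,
    so an export that never touched the setting still has it active."""
    root = ET.fromstring(config_xml)
    node = root.find("./devices/entry/deviceconfig/setting/management/appusage-policy")
    if node is None or node.text is None:
        return True
    return node.text.strip().lower() == "yes"


def rules_without_app(config_xml: str) -> Dict[str, List[str]]:
    """Map rule name -> sorted service members for every allow rule whose
    application is 'any'. These are the port-based (or any/any) rules that
    Policy Optimizer lists for conversion to application-based rules.
    Deny rules are skipped: widening them adds no reachable attack surface."""
    root = ET.fromstring(config_xml)
    found: Dict[str, List[str]] = {}
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        if (rule.findtext("action") or "").strip() != "allow":
            continue
        apps = {m.text.strip() for m in rule.iterfind("./application/member") if m.text}
        svcs = sorted(m.text.strip() for m in rule.iterfind("./service/member") if m.text)
        if apps == {"any"}:
            found[rule.get("name", "")] = svcs
    return found


if __name__ == "__main__":
    print("Policy Optimizer enabled:", policy_optimizer_enabled(SAMPLE_CONFIG))
    for name, svcs in rules_without_app(SAMPLE_CONFIG).items():
        print(f"rule {name!r}: application=any, service={svcs}")
```

Run it against a real export (Device > Setup > Operations > Export named configuration snapshot) by reading the file into the functions in place of SAMPLE_CONFIG; any rule it reports is one to open in Policies > Security > Policy Optimizer and migrate to the applications actually seen on it.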
Additional Information
Caveats:
- In PAN-OS 9.0, Policy Optimizer is enabled by default.
- VM-50 Lite virtual firewalls do not support the Policy Optimizer feature.
- Firewalls need to be running PAN-OS 9.0 and have App-ID enabled.
- Panorama needs to be running PAN-OS 9.0 (it can then be used to optimize security rules for firewalls running PAN-OS 8.1).