https://live.paloaltonetworks.com/t5/general-topics/thoughts-on-a-set-of-application-rules/m-p/15183#M11140 <HTML><HEAD></HEAD><BODY><P>Hi BobW,</P><P></P><P>It is an interesting take on using the risk value. In my experience we tend to only be interested in the risk value when looking into reports and what applications we have running on our networks (like a big fat red block for bit-torrent in the new ACC).</P><P></P><P>I would advise in taking a look at the security policy fundamentals documents </P><P><A href="https://live.paloaltonetworks.com/docs/DOC-7175">Fundamentals Guide: Security Policies</A></P><P></P><P>and also keeping a keen eye on the application and threats release notes. With PanOS 7, a new feature has been implemented in which you can see what modifications a new version will have to your device.</P><P></P><P>Let us know how you get on.</P><P></P><P>Thanks,</P><P>Ben</P></BODY></HTML> Tue, 14 Jul 2015 01:20:08 GMT bmorris1 2015-07-14T01:20:08Z https://live.paloaltonetworks.com/t5/general-topics/thoughts-on-a-set-of-application-rules/m-p/15182#M11139 <HTML><HEAD></HEAD><BODY><P>I was messing around in the interface today and had a thought as for rules and am curious what other might think.</P><P></P><P>I created a group of rules for a particular zone/AD User group.&nbsp; Something like this</P><P></P><P>Allow but do not log (DNS for example)</P><P>Allow these apps (Appgrp--custom application group)</P><P>Allow risk1 (custom app filter includes all "risk 1" apps)</P><P><SPAN style="font-size: 13.3333330154419px;">Allow risk2 (<SPAN style="font-size: 13.3333330154419px;">custom app filter includes all "risk 2" apps</SPAN>)</SPAN></P><P><SPAN style="font-size: 13.3333330154419px;">Allow risk3 (<SPAN style="font-size: 13.3333330154419px;">custom app filter includes all "risk 3" apps</SPAN>)</SPAN></P><P><SPAN style="font-size: 13.3333330154419px;">Allow risk4 (<SPAN style="font-size: 13.3333330154419px;">custom app filter includes all "risk 4" apps</SPAN>)</SPAN></P><P><SPAN style="font-size: 13.3333330154419px;">Deny risk5 (<SPAN style="font-size: 13.3333330154419px;">custom app filter includes all "risk 5" apps</SPAN>)</SPAN></P><P><SPAN style="font-size: 13.3333330154419px;">Block all</SPAN></P><P><SPAN style="font-size: 13.3333330154419px;"><BR /></SPAN></P><P><SPAN style="font-size: 13.3333330154419px;">My thinking is that I could monitor Risk 3,4,5 and add the appropriate apps to the custom app group "Appgrp" and eventully make levels 4 and 5 (possible risk 3) deny rules.</SPAN></P><P><SPAN style="font-size: 13.3333330154419px;"><BR /></SPAN></P><P><SPAN style="font-size: 13.3333330154419px;">Any thoughts would be appreciated,</SPAN></P><P><SPAN style="font-size: 13.3333330154419px;">Bob<BR /></SPAN></P></BODY></HTML> Thu, 09 Jul 2015 22:14:21 GMT https://live.paloaltonetworks.com/t5/general-topics/thoughts-on-a-set-of-application-rules/m-p/15182#M11139 BobW 2015-07-09T22:14:21Z https://live.paloaltonetworks.com/t5/general-topics/thoughts-on-a-set-of-application-rules/m-p/15183#M11140 <HTML><HEAD></HEAD><BODY><P>Hi BobW,</P><P></P><P>It is an interesting take on using the risk value. In my experience we tend to only be interested in the risk value when looking into reports and what applications we have running on our networks (like a big fat red block for bit-torrent in the new ACC).</P><P></P><P>I would advise in taking a look at the security policy fundamentals documents </P><P><A href="https://live.paloaltonetworks.com/docs/DOC-7175">Fundamentals Guide: Security Policies</A></P><P></P><P>and also keeping a keen eye on the application and threats release notes. With PanOS 7, a new feature has been implemented in which you can see what modifications a new version will have to your device.</P><P></P><P>Let us know how you get on.</P><P></P><P>Thanks,</P><P>Ben</P></BODY></HTML> Tue, 14 Jul 2015 01:20:08 GMT https://live.paloaltonetworks.com/t5/general-topics/thoughts-on-a-set-of-application-rules/m-p/15183#M11140 bmorris1 2015-07-14T01:20:08Z https://live.paloaltonetworks.com/t5/general-topics/thoughts-on-a-set-of-application-rules/m-p/15184#M11141 <HTML><HEAD></HEAD><BODY><P>The other consideration here is business risk for false positive blocks.&nbsp; Applications that are business critical my need to be treated with kid gloves on their action with threat profiles.&nbsp; Setting the action to alert rather than block to prevent fals positives from blocking critical workflows.&nbsp; </P><P></P><P>After which you need a regular procedure to review the alerts and insure all is well with the affected workstations.</P></BODY></HTML> Tue, 14 Jul 2015 12:16:57 GMT https://live.paloaltonetworks.com/t5/general-topics/thoughts-on-a-set-of-application-rules/m-p/15184#M11141 pulukas 2015-07-14T12:16:57Z