https://live.paloaltonetworks.com/t5/general-topics/best-practice-for-blacklisting-app-ids/m-p/76952#M42472 <P>I think you have a good grasp of the issues with both approaches.</P> <P>&nbsp;</P> <P>The whitelist only that which is allowed does can be difficult to implement the first time. &nbsp;This is especially true on a large or diverse user base. &nbsp;Finding out all the allowed applications and getting them onto the white list can take time. &nbsp;And in the process impede productivity and generate anger at IT in the user base along with a lot of help desk tickets. &nbsp;But companies use this approach because it will give them the best protection and visibility in the long run. &nbsp;And once the white list is finalized there are fewer hours spent because the policies are well known by this point and only need to change with new application needs.</P> <P>&nbsp;</P> <P>The blacklist approach gives you a quick start to stopping the higher risk behavior. &nbsp;But as you note this can also be a permanent work load basically never ends. &nbsp;You have to keep up to date and review the new applications even after you have done the first task of choosing amoung the thousands of apps which to block.</P> <P>&nbsp;</P> <P>Basically every company has to choose the appoarch that will work best for their situation.</P> Sun, 24 Apr 2016 11:40:16 GMT pulukas 2016-04-24T11:40:16Z https://live.paloaltonetworks.com/t5/general-topics/best-practice-for-blacklisting-app-ids/m-p/76892#M42461 <P>What is the best practice for blacklisting potentially harmful Application ID's(from "trust" to "untrust" over 80/443)?</P> <P>&nbsp;</P> <P>I started blocking on specific App-ID's, but maintaining this blacklist per App-ID will be kind of cumbersome.</P> <P>&nbsp;</P> <P>I'm thinking about using Application Filters to block based on Application subcategory. &nbsp;The only issue here is if I wanted to block say the "encrypted-tunnel", it will block common applications like "ssl".</P> Fri, 22 Apr 2016 14:35:01 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practice-for-blacklisting-app-ids/m-p/76892#M42461 jambulo 2016-04-22T14:35:01Z https://live.paloaltonetworks.com/t5/general-topics/best-practice-for-blacklisting-app-ids/m-p/76894#M42463 <P>Hi jambulo,</P> <P>&nbsp;</P> <P>Ideally you would want to allow only the applications you want in your network, everything else will fall down to the default interzone rule and be denied. If you implement decryption then you'll have better visibility on the 443 SSL applications.</P> <P>&nbsp;</P> <P>hope this helps,</P> <P>Ben</P> Fri, 22 Apr 2016 14:53:44 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practice-for-blacklisting-app-ids/m-p/76894#M42463 bmorris1 2016-04-22T14:53:44Z https://live.paloaltonetworks.com/t5/general-topics/best-practice-for-blacklisting-app-ids/m-p/76900#M42465 <P>When allowing your users out to the internet, are you specifying each App-ID that they can use? Or do you allow anything on 80/443, then block the known bad App-IDs?</P> <P>&nbsp;</P> <P>Ideally, it would be nice to specify each App-ID allowed out to the internet, but that would be a management nightmare.</P> Fri, 22 Apr 2016 17:47:37 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practice-for-blacklisting-app-ids/m-p/76900#M42465 jambulo 2016-04-22T17:47:37Z https://live.paloaltonetworks.com/t5/general-topics/best-practice-for-blacklisting-app-ids/m-p/76945#M42469 <P>Given that Palo can classify over 2400 applications it seems you'd be better off "Whitelsiting" applications versus trying to blacklist them.</P> Sun, 24 Apr 2016 03:29:34 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practice-for-blacklisting-app-ids/m-p/76945#M42469 Brandon_Wertz 2016-04-24T03:29:34Z https://live.paloaltonetworks.com/t5/general-topics/best-practice-for-blacklisting-app-ids/m-p/76952#M42472 <P>I think you have a good grasp of the issues with both approaches.</P> <P>&nbsp;</P> <P>The whitelist only that which is allowed does can be difficult to implement the first time. &nbsp;This is especially true on a large or diverse user base. &nbsp;Finding out all the allowed applications and getting them onto the white list can take time. &nbsp;And in the process impede productivity and generate anger at IT in the user base along with a lot of help desk tickets. &nbsp;But companies use this approach because it will give them the best protection and visibility in the long run. &nbsp;And once the white list is finalized there are fewer hours spent because the policies are well known by this point and only need to change with new application needs.</P> <P>&nbsp;</P> <P>The blacklist approach gives you a quick start to stopping the higher risk behavior. &nbsp;But as you note this can also be a permanent work load basically never ends. &nbsp;You have to keep up to date and review the new applications even after you have done the first task of choosing amoung the thousands of apps which to block.</P> <P>&nbsp;</P> <P>Basically every company has to choose the appoarch that will work best for their situation.</P> Sun, 24 Apr 2016 11:40:16 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practice-for-blacklisting-app-ids/m-p/76952#M42472 pulukas 2016-04-24T11:40:16Z