https://live.paloaltonetworks.com/t5/general-topics/restrict-any-any-from-security-policy/m-p/160279#M52266 <P>this article looks promising:&nbsp;<A href="https://popravak.wordpress.com/2014/08/27/palo-alto-ngfw-use-case-one-monitoring-traffic-tap-mode/" target="_blank">https://popravak.wordpress.com/2014/08/27/palo-alto-ngfw-use-case-one-monitoring-traffic-tap-mode/</A></P><P>&nbsp;</P><P>It's unfortunate now i cant identify zones too easily. But I can make intelligent guesses based on source/dest ips.</P> Thu, 08 Jun 2017 20:18:04 GMT nicford 2017-06-08T20:18:04Z https://live.paloaltonetworks.com/t5/general-topics/restrict-any-any-from-security-policy/m-p/160271#M52264 <P>Hi There,</P><P>&nbsp;</P><P>At one of our sites we fell vicitim and have the dreaded any any security policy in place. We are trying to determine the best course of action to lock it down.</P><P>&nbsp;</P><P>Would I create tap firewall ports and span all the traffic, then create new rules based on it in tap zones?&nbsp;</P><P>&nbsp;</P><P>Any guides out them to assist for this specific situation?</P> Thu, 08 Jun 2017 20:15:21 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-any-any-from-security-policy/m-p/160271#M52264 nicford 2017-06-08T20:15:21Z https://live.paloaltonetworks.com/t5/general-topics/restrict-any-any-from-security-policy/m-p/160278#M52265 <P>Check Monitor tab or run reports to see what applications pass this firewall.</P><P>Create rule to permit those applications you want.</P><P>You can also create second rule for known bad above any any.</P><P>Eventually nothing should hit any any rule and you can remove it.</P> Thu, 08 Jun 2017 20:16:55 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-any-any-from-security-policy/m-p/160278#M52265 Raido_Rattameister 2017-06-08T20:16:55Z https://live.paloaltonetworks.com/t5/general-topics/restrict-any-any-from-security-policy/m-p/160279#M52266 <P>this article looks promising:&nbsp;<A href="https://popravak.wordpress.com/2014/08/27/palo-alto-ngfw-use-case-one-monitoring-traffic-tap-mode/" target="_blank">https://popravak.wordpress.com/2014/08/27/palo-alto-ngfw-use-case-one-monitoring-traffic-tap-mode/</A></P><P>&nbsp;</P><P>It's unfortunate now i cant identify zones too easily. But I can make intelligent guesses based on source/dest ips.</P> Thu, 08 Jun 2017 20:18:04 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-any-any-from-security-policy/m-p/160279#M52266 nicford 2017-06-08T20:18:04Z https://live.paloaltonetworks.com/t5/general-topics/restrict-any-any-from-security-policy/m-p/160295#M52271 <P>Can you explain if Palo is in place and inline already as firewall or you have some legacy firewall and you want to put Palo into tap mode to listen what is going on?</P> Thu, 08 Jun 2017 21:02:54 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-any-any-from-security-policy/m-p/160295#M52271 Raido_Rattameister 2017-06-08T21:02:54Z https://live.paloaltonetworks.com/t5/general-topics/restrict-any-any-from-security-policy/m-p/160297#M52272 <P>Such as&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a>&nbsp;said you need to slowly start chipping away at the rule by monitoring what's actually hitting the any any rule. Eventually it will get to the point where you can delete it and use it as a learning experiance of "this is why you don't do it like this, it took me weeks to fix it". Have fun!&nbsp;</P><P>&nbsp;</P><P>edit: You do realize that if you put it in tap mode you can't act on the traffic right?&nbsp;</P> Thu, 08 Jun 2017 21:04:47 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-any-any-from-security-policy/m-p/160297#M52272 BPry 2017-06-08T21:04:47Z