PAN-OS 9.0 - Policy Optimizer and App-ID

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Cyber Elite
Cyber Elite

PAN-OS 9.0 Release Features Policy Optimizer and App-IDPAN-OS 9.0 Release Features Policy Optimizer and App-ID

Read about the new Palo Alto Networks PAN-OS 9.0 and its new features including Policy Optimizer, App-ID, new behavior of Application-Default and HTTP/2 inspection. Learn how the new features of PAN-OS 9.0 can help you increase your security posture. 

 

PAN-OS 9.0 Release Features: Policy Optimizer and App-ID

The new PAN-OS version 9.0 was released, and we're all excited about the new features that are included. Before you update to PAN-OS 9, check out some of the big changes coming to App-ID.

 

Policy Optimizer

A new addition to the policies and, most notably, the security policy is the addition of the Policy Optimizer.

 

This tool does three things:

  • It can find rules that have no applications configured.
    This could be the result of a lergacy migration or the need to simply make something work in the past. Best practice is to always leverage App-ID where possible, so this feature will help you find rules that may need attention.

  • It can find rules that have more applications allowed than necessary.
    While provisioning a policy to allow a certain application or project, you may have added more applications than eventually needed. The "Unused Apps" view will highlight which applications are configured but have not been seen, so you can consider removing those applications from the rule.

  • It also gives you three new "unused" views to help scope out how long it has been since a policy has been hit, seperating it into three different timeframes: last 30 days, last 90 days and since system boot.

 Policy Optimizer view of the "No App Specified" viewPolicy Optimizer view of the "No App Specified" view

Once the Policy Optimizer has been opened, you can select which timeframe you would like to see, and then drill down into the apps seen per policy and choose to add or delete from the policy.

 

Changes to Application-Default

Because an increasing amount of applications are getting SSL encrypted, either by tunneling through HTTPS or on their own secure ports, some challenges could arise by using the previously set Application-Default (SSL could become web-browsing after decryption, but the TCP session would be using port 443, which is not a default port for HTTP).

 

Starting from PAN-OS 9.0, "Secure Port" will also be loaded on applications. It's also known as Strict Default Port Usage, which will accomodate the port an application uses when it is encrypted versus what it would normally use when not encrypted.

 

Secure Port to accommodate the use of SSL port 443 for web browsing after decryptionSecure Port to accommodate the use of SSL port 443 for web browsing after decryption

 

HTTP/2 Inspection

You can now safely enable applications running over HTTP/2 without any additional configuration on the firewall. As more websites continue to adopt HTTP/2, the firewall can enforce Security Policy to detect and prevent threats on a per-stream basis. This visibility into HTTP/2 traffic enables you to secure web servers that provide services over HTTP/2 and allow your users to benefit from the speed and resource efficiency gains that HTTP/2 provides.

 

 

Additional resources

All the new App-ID features in PAN-OS 9.0: App-ID Features

All of the new features in PAN-OS 9.0: What's New in PAN-OS 9.0

 

Take a closer look at our take on PAN-OS 9.0 features:

 

PAN-OS 9.0 Release Features: DNS Security and Content Inspection

PAN-OS 9.0 Release Features: Panorama

PAN-OS 9.0 Release Features: GlobalProtect

PAN-OS 9.0 Release Features: User-ID

PAN-OS 9.0 Release Features: Networking and Virtualization

PAN-OS 9.0 Release Features: Management

PAN-OS 9.0 Release Features: PA-7000 New Cards

PAN-OS 9.0: Got Questions? Get Answers!

 

Then ask a question, join a discussion, or answer someone else's inquiry—that's community!

 

Not a member of the Live Community yet? It's simple and easy to join. Just sign up with an email address. 

 

Follow us on Twitter.

 

Check out our YouTube channel and join more than 8,000 other subscribers learning about PAN-OS and more!

 

 

Feel free to ask any questions you might have in the comment section below.

 

Stay Frosty

Reaper out

  • 7207 Views
  • 0 comments
  • 2 Likes
Register or Sign-in
About the Author
I drink and I know things
Labels