PAN-OS 9.0 Release Features: Policy Optimizer and App-ID
on 02-12-2019 03:02 AM - last edited a month ago
Read about the new Palo Alto Networks PAN-OS 9.0 and its new features including Policy Optimizer, App-ID, new behavior of Application-Default and HTTP/2 inspection. Learn how the new features of PAN-OS 9.0 can help you increase your security posture. Got Questions? Get Answers on Live Community.
The new PAN-OS version 9.0 was released, and we're all excited about the new features that are included. Before you update to PAN-OS 9, check out some of the big changes coming to App-ID.
A new addition to the policies, and most notably to the security policy, is the Policy Optimizer.
This tool does three things:
It can find rules that have no applications configured. This could be the result of a legacy migration, or of simply needing to make something work in the past. Best practice is to always leverage App-ID where possible, so this feature will help you find rules that may need attention.
It can find rules that have more applications allowed than necessary. While provisioning a policy to allow a certain application or project, you may have added more applications than eventually needed. The "Unused Apps" view will highlight which applications are configured but have not been seen, so you can consider removing those applications from the rule.
It also gives you three new "unused" views to help scope out how long it has been since a policy was hit, separating it into three different timeframes: last 30 days, last 90 days and since system boot.
Policy Optimizer view of the "No App Specified" view
Once the Policy Optimizer has been opened, you can select which timeframe you would like to see, and then drill down into the apps seen per policy and choose to add or delete from the policy.
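To make the three checks above concrete, here is an added example (not Palo Alto Networks code and not the Policy Optimizer itself) that applies the same logic to a small security rulebase. The XML follows the element layout of a PAN-OS rulebase export, but the rules, the "apps seen" data and the last-hit timestamps are all constructed stand-ins for what the firewall derives from its traffic logs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample rulebase. The element layout mirrors a PAN-OS security
# rulebase export (rulebase/security/rules/entry); the rules are invented.
SAMPLE_RULEBASE = """
<rulebase>
  <security>
    <rules>
      <entry name="legacy-allow-any">
        <from><member>trust</member></from>
        <to><member>untrust</member></to>
        <application><member>any</member></application>
        <service><member>service-http</member></service>
        <action>allow</action>
      </entry>
      <entry name="web-out">
        <from><member>trust</member></from>
        <to><member>untrust</member></to>
        <application>
          <member>web-browsing</member>
          <member>ssl</member>
          <member>ftp</member>
          <member>telnet</member>
        </application>
        <service><member>application-default</member></service>
        <action>allow</action>
      </entry>
      <entry name="dns-out">
        <from><member>trust</member></from>
        <to><member>untrust</member></to>
        <application><member>dns</member></application>
        <service><member>application-default</member></service>
        <action>allow</action>
      </entry>
    </rules>
  </security>
</rulebase>
"""

# Constructed stand-ins for what Policy Optimizer derives from traffic logs:
# which App-IDs were actually seen matching each rule, and when each rule last matched.
NOW = datetime(2019, 2, 12, 3, 2)
APPS_SEEN = {"web-out": {"web-browsing", "ssl"}, "dns-out": {"dns"}}
LAST_HIT = {
    "legacy-allow-any": NOW - timedelta(days=120),
    "web-out": NOW - timedelta(days=2),
    "dns-out": None,  # never matched since the last system boot
}


def load_rules(xml_text):
    """Return {rule name: [configured App-ID members]} from a rulebase XML string."""
    root = ET.fromstring(xml_text.strip())
    rules = {}
    for entry in root.findall("./security/rules/entry"):
        rules[entry.get("name")] = [m.text for m in entry.findall("./application/member")]
    return rules


def rules_without_apps(rules):
    """'No App Specified' view: rules that match on port/service only (application = any)."""
    return sorted(name for name, apps in rules.items() if not apps or apps == ["any"])


def unused_apps(rules, apps_seen):
    """'Unused Apps' view: App-IDs configured on a rule but never observed hitting it."""
    result = {}
    for name, apps in rules.items():
        if apps == ["any"]:
            continue  # nothing specific to prune; reported by rules_without_apps instead
        unseen = sorted(set(apps) - apps_seen.get(name, set()))
        if unseen:
            result[name] = unseen
    return result


def unused_rules(last_hit, now, window_days=None):
    """'Unused' views: no hit in the last N days, or never hit since boot when window_days is None."""
    if window_days is None:
        return sorted(name for name, ts in last_hit.items() if ts is None)
    cutoff = now - timedelta(days=window_days)
    return sorted(name for name, ts in last_hit.items() if ts is None or ts < cutoff)


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULEBASE)
    print("No App Specified:", rules_without_apps(rules))
    print("Unused Apps:", unused_apps(rules, APPS_SEEN))
    for label, days in (("30 days", 30), ("90 days", 90), ("since boot", None)):
        print(f"Unused rules, {label}:", unused_rules(LAST_HIT, NOW, days))
```

Run against the sample, the script flags `legacy-allow-any` as a port-only rule, lists `ftp` and `telnet` on `web-out` as configured but never seen, and shows `dns-out` as never hit since boot. On a real firewall the hit counts and seen-apps data come from the device, so treat the numbers this kind of script produces as a starting point for review rather than an automatic cleanup list.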
Changes to Application-Default
Because an increasing number of applications are SSL encrypted, either by tunneling through HTTPS or on their own secure ports, the previous Application-Default behavior could cause problems: after decryption, SSL could be identified as web-browsing, but the TCP session would still be using port 443, which is not a default port for HTTP, so the session would not match application-default.
Starting from PAN-OS 9.0, applications also carry a "Secure Port". This is also known as Strict Default Port Usage, and it accommodates the port an application uses when it is encrypted versus the port it would normally use when not encrypted.
Secure Port to accommodate the use of SSL port 443 for web browsing after decryption
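The following is an added model of the Application-Default change, written for this post; it is not PAN-OS code, and the port table is constructed (real standard and secure ports come from the firewall's application content). It assumes that a secure port counts only for sessions that were SSL-encrypted and decrypted by the firewall, and compares the verdict the pre-9.0 check would give with the 9.0 check for the same sessions.

```python
# Constructed App-ID port metadata (illustrative only; the firewall's
# application content is the source of truth for real ports).
APP_PORTS = {
    "web-browsing": {"standard": {("tcp", 80)}, "secure": {("tcp", 443)}},
    "ssl": {"standard": {("tcp", 443)}, "secure": set()},
    "ftp": {"standard": {("tcp", 21)}, "secure": {("tcp", 990)}},
}


def application_default_allows(app, proto, port, was_encrypted, strict_secure_ports):
    """Model of the application-default check for a rule that allows `app`.

    strict_secure_ports=False models the pre-9.0 check: only the app's standard
    ports count. strict_secure_ports=True models 9.0: when the session was
    SSL-encrypted and the firewall decrypted it, the app's secure ports count too.
    """
    meta = APP_PORTS[app]
    allowed = set(meta["standard"])
    if strict_secure_ports and was_encrypted:
        allowed |= meta["secure"]
    return (proto, port) in allowed


# Constructed sessions: (description, app identified after decryption, proto, port, was_encrypted)
SESSIONS = [
    ("plain HTTP on 80", "web-browsing", "tcp", 80, False),
    ("HTTPS decrypted to web-browsing on 443", "web-browsing", "tcp", 443, True),
    ("undecrypted SSL on 443", "ssl", "tcp", 443, False),
    ("web-browsing on 443 in the clear", "web-browsing", "tcp", 443, False),
    ("FTP in the clear on 990", "ftp", "tcp", 990, False),
]


def evaluate(sessions, strict_secure_ports):
    """Return {description: allowed?} for each session under the chosen behaviour."""
    return {
        desc: application_default_allows(app, proto, port, enc, strict_secure_ports)
        for desc, app, proto, port, enc in sessions
    }


if __name__ == "__main__":
    before = evaluate(SESSIONS, strict_secure_ports=False)
    after = evaluate(SESSIONS, strict_secure_ports=True)
    for desc in before:
        print(f"{desc}: pre-9.0={before[desc]} 9.0={after[desc]}")
```

The one session whose verdict changes is the decrypted HTTPS flow identified as web-browsing on tcp/443: the pre-9.0 check rejects it under application-default, while the 9.0 check accepts it because 443 is web-browsing's secure port. Clear-text web-browsing on 443 and clear-text FTP on 990 stay rejected under both, which is the point of the "strict" in Strict Default Port Usage.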
You can now safely enable applications running over HTTP/2 without any additional configuration on the firewall. As more websites continue to adopt HTTP/2, the firewall can enforce Security Policy to detect and prevent threats on a per-stream basis. This visibility into HTTP/2 traffic enables you to secure web servers that provide services over HTTP/2 and allow your users to benefit from the speed and resource efficiency gains that HTTP/2 provides.