This might be a naïve question. But how does it help me/organization going through every single app and marking it sanctioned, tolerated or unsactioned. It seems to me of no use, other than for the reports for executives, while apps still get allowed only after the CAB approval.
It's very useful to tag the apps appropriately when you run reports e.g. the SaaS report. It helps highlight unusual applications when you're migrating or monitoring network traffic, it's not just for management security people can make use of the information too.
So this is one of those features that I usually tell people is a mixed bag. I can go through and manually tag all of the app-ids as sanctioned if I want to allow them outbound with one security rulebase entry, or I can just manually specify the applications with the same amount of work in another single entry or multiple which honestly is easier due to the issue you've already mentioned. Honestly, I know of way more people that actually just create a group of applications that they don't want to allow because it's less work.
Now when you actually take the time to go through and tag everything as sanctioned, then create an application filter for any new app-ids prior to going through and properly categorizing them, you actually can make some really good reports.
You can do all of the above either with application tagging or not. Tagging the app-id itself doesn't really give me any clear advantages over maintaining application groups, which is easier from a management point. I know that PAN likes to push this method as the "winner" so to speak, but to me personally there isn't any clear benefit doing things one way or another.
@BPry Thanks for coming back on this. We do the even more easier option, application filters. Yes some other unnecessary apps do get allowed with it, but we do use the same application filters to block anything rated risk 4/5. And allow these only as needed and approved.
I don't know where my notifications are going
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!