This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

BPA - Sanctioned apps

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

BPA - Sanctioned apps

raji_toor
L4 Transporter

‎10-06-2020 12:37 PM

This might be a naïve question. But how does it help me/organization going through every single app and marking it sanctioned, tolerated or unsactioned. It seems to me of no use, other than for the reports for executives, while apps still get allowed only after the CAB approval. 

 

0 Likes Likes
4 REPLIES 4

ethiSEC
L2 Linker

‎10-06-2020 10:29 PM

It's very useful to tag the apps appropriately when you run reports e.g. the SaaS report. It helps highlight unusual applications when you're migrating or monitoring network traffic, it's not just for management security people can make use of the information too.

 

Jason

0 Likes Likes

raji_toor
L4 Transporter
In response to ethiSEC

‎10-07-2020 07:47 AM

Isn't that what ACC is providing us as security people.

Also PA doesn't make it easier to mark multiple applications as sanctioned.

0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to raji_toor

‎10-07-2020 08:33 AM

@raji_toor,

So this is one of those features that I usually tell people is a mixed bag. I can go through and manually tag all of the app-ids as sanctioned if I want to allow them outbound with one security rulebase entry, or I can just manually specify the applications with the same amount of work in another single entry or multiple which honestly is easier due to the issue you've already mentioned. Honestly, I know of way more people that actually just create a group of applications that they don't want to allow because it's less work.

Now when you actually take the time to go through and tag everything as sanctioned, then create an application filter for any new app-ids prior to going through and properly categorizing them, you actually can make some really good reports. 

You can do all of the above either with application tagging or not. Tagging the app-id itself doesn't really give me any clear advantages over maintaining application groups, which is easier from a management point. I know that PAN likes to push this method as the "winner" so to speak, but to me personally there isn't any clear benefit doing things one way or another. 

 

raji_toor
L4 Transporter
In response to BPry

‎10-09-2020 02:40 PM

@BPry Thanks for coming back on this. We do the even more easier option, application filters. Yes some other unnecessary apps do get allowed with it, but we do use the same application filters to block anything rated risk 4/5. And allow these only as needed and approved. 

 

I don't know where my notifications are going 😉

0 Likes Likes
  • 3621 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks