At one of our sites we fell victim and have the dreaded any any security policy in place. We are trying to determine the best course of action to lock it down.
Would I create tap firewall ports and span all the traffic, then create new rules based on it in tap zones?
Any guides out there to assist for this specific situation?
Check Monitor tab or run reports to see what applications pass this firewall.
Create a rule to permit those applications you want.
You can also create a second rule for known bad above any any.
Eventually nothing should hit any any rule and you can remove it.
This article looks promising: https://popravak.wordpress.com/2014/08/27/palo-alto-ngfw-use-case-one-monitoring-traffic-tap-mode/
It's unfortunate now I can't identify zones too easily. But I can make intelligent guesses based on source/dest IPs.
As @Raido_Rattameister said, you need to slowly start chipping away at the rule by monitoring what's actually hitting the any any rule. Eventually it will get to the point where you can delete it and use it as a learning experience of "this is why you don't do it like this, it took me weeks to fix it". Have fun!
edit: You do realize that if you put it in tap mode you can't act on the traffic right?
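The procedure both replies describe (find what is hitting the any any rule, write explicit allow rules for the applications you actually want, put a deny for the known-bad ones above it, and keep going until nothing lands on the catch-all) can be scripted against a CSV export of the Monitor > Traffic log. The script below is an added example written for this thread, not code from the original posters or from Palo Alto Networks. It assumes the export carries the column names shown in the constructed sample (check them against your own export, the real file has many more columns), that the catch-all rule is named `any-any`, and that the `KNOWN_BAD_APPS` and `NOISE_APPS` sets are placeholders you would fill in yourself. The rendered `set rulebase security rules ...` commands follow the PAN-OS configure-mode syntax; confirm them against your PAN-OS version before committing anything.

```python
"""
Turn traffic-log hits on a catch-all "any any" rule into candidate
explicit rules: one deny rule per zone pair for known-bad applications
(to sit above the allows and the catch-all) and one allow rule per zone
pair for everything else that was observed.

Added example for this thread; not from the original posters or from
Palo Alto Networks. Column names, rule name, app sets and the sample log
lines are all assumptions / constructed for the demo.
"""
import csv
import io
from collections import Counter, defaultdict

# Name of the catch-all rule we are trying to retire (assumption).
CATCH_ALL_RULE = "any-any"

# Applications you have already decided you do not want. These become the
# deny rule placed above the catch-all. Placeholder list for the demo.
KNOWN_BAD_APPS = {"bittorrent", "tor"}

# App-ID values that are log noise rather than something to allow-list by
# name (sessions that ended before the app could be identified).
NOISE_APPS = {"incomplete", "insufficient-data"}

# Constructed sample export (not real traffic). A real Monitor > Traffic
# export has many more columns; only the ones used below matter here.
SAMPLE_LOG = """\
Receive Time,Source Zone,Destination Zone,Source address,Destination address,Application,Rule,Action
2024/01/10 10:00:01,trust,untrust,10.1.1.5,203.0.113.10,ssl,any-any,allow
2024/01/10 10:00:02,trust,untrust,10.1.1.6,203.0.113.11,web-browsing,any-any,allow
2024/01/10 10:00:03,trust,untrust,10.1.1.7,203.0.113.12,ssl,any-any,allow
2024/01/10 10:00:04,trust,dmz,10.1.1.8,10.2.0.5,ms-rdp,any-any,allow
2024/01/10 10:00:05,trust,untrust,10.1.1.9,203.0.113.13,bittorrent,any-any,allow
2024/01/10 10:00:06,trust,untrust,10.1.1.5,10.0.0.53,dns,existing-dns-rule,allow
2024/01/10 10:00:07,trust,untrust,10.1.1.5,203.0.113.14,incomplete,any-any,allow
"""


def parse_traffic_log(text):
    """Parse a CSV traffic-log export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_catch_all_hits(rows, catch_all=CATCH_ALL_RULE, noise=NOISE_APPS):
    """Count (source zone, destination zone, application) tuples that
    matched the catch-all rule, ignoring unidentified-app noise."""
    hits = Counter()
    for r in rows:
        if r["Rule"] != catch_all or r["Application"] in noise:
            continue
        hits[(r["Source Zone"], r["Destination Zone"], r["Application"])] += 1
    return hits


def propose_rules(hits, known_bad=KNOWN_BAD_APPS):
    """Group observed apps per zone pair: known-bad apps go into deny rules
    (emitted first so they sit above the allows), the rest into allow rules."""
    allow = defaultdict(set)
    deny = defaultdict(set)
    for (src, dst, app) in hits:
        (deny if app in known_bad else allow)[(src, dst)].add(app)

    rules = []
    for (src, dst), apps in sorted(deny.items()):
        rules.append({"name": f"deny-{src}-to-{dst}", "from": src, "to": dst,
                      "application": sorted(apps), "action": "deny"})
    for (src, dst), apps in sorted(allow.items()):
        rules.append({"name": f"allow-{src}-to-{dst}", "from": src, "to": dst,
                      "application": sorted(apps), "action": "allow"})
    return rules


def to_cli(rules):
    """Render the proposed rules as PAN-OS configure-mode set commands.
    Source/destination stay 'any' here; tighten them once the zone pairs
    and apps are agreed. Verify the syntax against your PAN-OS version."""
    lines = []
    for r in rules:
        apps = " ".join(r["application"])
        lines.append(
            f"set rulebase security rules {r['name']} from {r['from']} to {r['to']} "
            f"source any destination any application [ {apps} ] "
            f"service application-default action {r['action']} log-end yes"
        )
    return lines


if __name__ == "__main__":
    rows = parse_traffic_log(SAMPLE_LOG)
    hits = summarize_catch_all_hits(rows)
    for (src, dst, app), n in hits.most_common():
        print(f"{n:5d}  {src} -> {dst}  {app}")
    print()
    for line in to_cli(propose_rules(hits)):
        print(line)
```

Run it repeatedly over fresh exports as you add rules: once `summarize_catch_all_hits` returns an empty Counter for the catch-all (and the remaining entries are only noise you have looked at), the any any rule has nothing left to catch and can be deleted. Note that the output is a starting point, not a finished policy; an application that was observed is not automatically one that should be allowed, so review each proposed allow rule before committing it.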