This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Thoughts on a set of application rules?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Thoughts on a set of application rules?

BobW
L4 Transporter

‎07-09-2015 03:14 PM

I was messing around in the interface today and had a thought as for rules and am curious what other might think.

I created a group of rules for a particular zone/AD User group.  Something like this

Allow but do not log (DNS for example)

Allow these apps (Appgrp--custom application group)

Allow risk1 (custom app filter includes all "risk 1" apps)

Allow risk2 (custom app filter includes all "risk 2" apps)

Allow risk3 (custom app filter includes all "risk 3" apps)

Allow risk4 (custom app filter includes all "risk 4" apps)

Deny risk5 (custom app filter includes all "risk 5" apps)

Block all


My thinking is that I could monitor Risk 3,4,5 and add the appropriate apps to the custom app group "Appgrp" and eventully make levels 4 and 5 (possible risk 3) deny rules.


Any thoughts would be appreciated,

Bob

Labels:
0 Likes Likes
2 REPLIES 2

bmorris1
L4 Transporter

‎07-13-2015 06:20 PM

Hi BobW,

It is an interesting take on using the risk value. In my experience we tend to only be interested in the risk value when looking into reports and what applications we have running on our networks (like a big fat red block for bit-torrent in the new ACC).

I would advise in taking a look at the security policy fundamentals documents

Fundamentals Guide: Security Policies

and also keeping a keen eye on the application and threats release notes. With PanOS 7, a new feature has been implemented in which you can see what modifications a new version will have to your device.

Let us know how you get on.

Thanks,

Ben

0 Likes Likes

pulukas
L7 Applicator

‎07-14-2015 05:16 AM

The other consideration here is business risk for false positive blocks.  Applications that are business critical my need to be treated with kid gloves on their action with threat profiles.  Setting the action to alert rather than block to prevent fals positives from blocking critical workflows. 

After which you need a regular procedure to review the alerts and insure all is well with the affected workstations.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 2999 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks