Optimize Your Policies with PAN-OS 9.0 (Episode 17)


If you have ever second-guessed yourself before removing an App-ID from a rule, or if you have caused an outage by removing a policy rule prematurely, then this episode is for you! Jason & Mitch explore the new PAN-OS 9.0 Policy Optimizer, which might seem, on the surface, like a simple tool for telling you which rules see more or less traffic, but it is much more than that!


The Policy Optimizer will help you save time and frustration in your efforts to achieve greater network security! If you have overprovisioned rules without App-IDs (a.k.a. just service/port definitions) or rules with too many App-IDs allowed, the Policy Optimizer can help! If you have unused rules that are no longer needed for currently sanctioned traffic, the Policy Optimizer can help! If you have firewalls running PAN-OS 8.1 and older but you have Panorama and are willing to upgrade Panorama to 9.0, you CAN use the Policy Optimizer!


We hope you find this demo-heavy episode of Learning Happy Hour entertaining and helpful!



Episode Feedback: learninghappyhour@paloaltonetworks.com


Episode Timeline:
0:00 - Introduction

1:05 - Opening Discussion

2:24 - How to reduce your attack surface by eliminating port-based rules

4:39 - Port-based rule analogy

5:54 - What's the harm with TCP 80/443?

8:45 - Typical post-migration scenario

10:00 - Jason is a HUGE FAN of the BPA!

10:34 - Port-based rule optimization demo

19:10 - Decryption changes regarding service "application-default"

22:38 - New procedural options for updating App-ID as a result of the Policy Optimizer

29:20 - Unused Applications optimized with the Add to Rule and Match Usage functions

31:19 - Policy Optimizer in Panorama 9.0

33:40 - Safely identifying and removing unused policy rules

36:28 - Getting the rest of the organization to understand and support your change proposals

38:36 - Additional tools for firewall administration and configuration improvement

39:28 - What we learned

41:28 - Encore of cheerleader Jason


Episode Resources


Mitch's favorite YouTubers