My first step in a mid-sized conversion from another firewall (PIX/ASA/Sonicwall) is to put the new PAs in monitor mode on both the inside and outside interfaces for 2-3 days. Then, I evaluate the inbound flows by filtering for each previously allowed inbound port to see what applications are running over them. I'll add a rule for each, so that 95% of inbound connectivity should work right away. I'll also find the 20-30 most common outbound applications and add them as well to the base configuration. This way, when you first turn on the PA, you have a very good baseline for what should be running.

As far as typical categories for outbound connectivity, I do the following:

Create base Application Filters:
- Updates
- Proxies
- Peer2Peer (encrypted-tunnel, file-sharing) for peer-to-peer
- Games
- SocialNetworking
- Audio-Streaming
- Video-Streaming

Application Groups:
- KnownGood: web-browsing, ssl, ftp, ping, ntp, dns, flash
- MS-Networking (for inter-zone traffic as needed later): netbios-dg, netbios-ss, ms-ds-smb
- GoogleApps: google-analytics, google-calendar, google-docs, google-toolbar, google-translate

Base Policies would be:
- Allow-SMTP-Outbound (mail server only)
- Deny-SMTP-All (everyone else, SMTP on any port)
- Deny-KnownBad (Proxies, Peer2Peer)
- Deny-HighBandwidth (Audio-Streaming, Video-Streaming)
- Deny-BusinessInappropriate (Games, SocialNetworking)
- Allow-Unrestricted (flexnet-installanywhere, soap, ocsp, Updates)
- Allow-ByUserGroup (sharepoint-base, silverlight, office-live, linkedin-base, citrix, gotomeeting, facebook-base, gmail-base, gmail-enterprise, citrix-jedi, yahoo-toolbar, netsuite, KnownGood, GoogleApps)
- Allow-All (but just temporarily)
- Cleanup-Rule to deny all others and log

This covers most of the business needs, and you modify from there. I even built a base template with everything above (and a lot more), and use that when deploying new customer firewalls.
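The monitor-mode analysis the post describes (per legacy inbound port, which App-IDs actually ran over it; then the most common outbound App-IDs; then a first-cut rule set with a logging cleanup rule), worked through as an added example. This is not the poster's template or any PAN-OS tooling: the traffic-log rows are constructed with a reduced column set rather than a real export layout, the zone names `trust`/`untrust`, the legacy port list, and the `KNOWN_BAD_APPS` stand-in for the Proxies/Peer2Peer filters are all assumptions, and the output is a plain rule plan to carry into the GUI or set commands by hand. It also flags two things the post's method surfaces in practice: a legacy port rule that nothing used during the window (drop it rather than carry it over) and a single port that was quietly carrying several applications.

```python
"""Added example (not from the original post): turn monitor-mode traffic
logs into a first-cut rule plan, following the post's three steps:
  1. for each inbound port the legacy firewall allowed, list the App-IDs
     actually seen on it (and note ports nothing used);
  2. rank the most common outbound App-IDs;
  3. emit one allow rule per live inbound port, one outbound baseline
     allow rule, and a logging cleanup rule.
"""
import csv
import io
from collections import Counter

# Constructed sample, not a real PAN-OS traffic-log export: the columns are a
# reduced set chosen for this example (a real CSV export has many more fields
# in a different order, so adapt the DictReader keys to your export).
SAMPLE_LOG = """\
from_zone,to_zone,src,dst,dport,app,action
untrust,trust,203.0.113.10,192.0.2.25,25,smtp,allow
untrust,trust,203.0.113.11,192.0.2.25,25,smtp,allow
untrust,trust,203.0.113.12,192.0.2.80,80,web-browsing,allow
untrust,trust,203.0.113.13,192.0.2.80,80,web-browsing,allow
untrust,trust,203.0.113.14,192.0.2.80,80,ssh,allow
untrust,trust,203.0.113.15,192.0.2.44,443,ssl,allow
untrust,trust,203.0.113.16,192.0.2.44,443,ssl,allow
trust,untrust,10.0.0.5,198.51.100.1,443,ssl,allow
trust,untrust,10.0.0.6,198.51.100.2,443,ssl,allow
trust,untrust,10.0.0.7,198.51.100.3,80,web-browsing,allow
trust,untrust,10.0.0.5,198.51.100.4,53,dns,allow
trust,untrust,10.0.0.8,198.51.100.5,6881,bittorrent,allow
trust,untrust,10.0.0.9,198.51.100.6,123,ntp,allow
trust,untrust,10.0.0.9,198.51.100.7,443,ssl,allow
"""

INSIDE, OUTSIDE = "trust", "untrust"  # assumed zone names
# Ports the legacy firewall permitted inbound (assumed values for the example).
LEGACY_INBOUND_PORTS = {25, 80, 443, 3389}
# Stand-in for the post's Deny-KnownBad filters (Proxies, Peer2Peer): the real
# filters match on App-ID category, which needs the App-ID database, not a list.
KNOWN_BAD_APPS = {"bittorrent", "tor", "ultrasurf"}


def parse_logs(text):
    """Parse the CSV export into dicts; dport becomes an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["dport"] = int(r["dport"])
    return rows


def apps_per_inbound_port(rows, ports=LEGACY_INBOUND_PORTS):
    """Step 1: App-IDs seen on each legacy inbound port. A port nothing used
    during the monitor window keeps an empty Counter so dead rules show up."""
    seen = {p: Counter() for p in ports}
    for r in rows:
        if r["from_zone"] == OUTSIDE and r["to_zone"] == INSIDE and r["dport"] in seen:
            seen[r["dport"]][r["app"]] += 1
    return seen


def top_outbound_apps(rows, n=25):
    """Step 2: most common outbound App-IDs (the post takes the top 20-30)."""
    hits = Counter(r["app"] for r in rows
                   if r["from_zone"] == INSIDE and r["to_zone"] == OUTSIDE)
    return hits.most_common(n)


def build_rule_plan(rows, ports=LEGACY_INBOUND_PORTS, n_outbound=25):
    """Step 3: a rule skeleton as plain dicts (translate to the GUI or set
    commands yourself). Returns (rules, dead_ports, review_notes)."""
    rules, dead_ports, review = [], [], []
    for port, apps in sorted(apps_per_inbound_port(rows, ports).items()):
        if not apps:
            dead_ports.append(port)  # carrying it over would be a blind allow
            continue
        if len(apps) > 1:  # one legacy port rule was hiding several apps
            review.append(f"port {port} carried {sorted(apps)}; allow each App-ID deliberately")
        rules.append({"name": f"Allow-Inbound-{port}", "from": OUTSIDE, "to": INSIDE,
                      "application": sorted(apps), "service": f"tcp-{port}",
                      "action": "allow"})
    baseline = []
    for app, count in top_outbound_apps(rows, n_outbound):
        if app in KNOWN_BAD_APPS:  # belongs under Deny-KnownBad, not the allow
            review.append(f"{app} seen {count}x outbound; leave it to the deny rule")
        else:
            baseline.append(app)
    rules.append({"name": "Allow-Outbound-Baseline", "from": INSIDE, "to": OUTSIDE,
                  "application": baseline, "service": "application-default",
                  "action": "allow"})
    rules.append({"name": "Cleanup-Rule", "from": "any", "to": "any",
                  "application": ["any"], "service": "any", "action": "deny",
                  "log": True})
    return rules, dead_ports, review


if __name__ == "__main__":
    plan, dead, notes = build_rule_plan(parse_logs(SAMPLE_LOG))
    for rule in plan:
        print(rule)
    print("dead legacy ports:", dead)
    for note in notes:
        print("review:", note)
```

On the constructed sample, port 3389 comes back as a dead legacy port, port 80 is flagged because it carried ssh alongside web-browsing, and bittorrent is kept out of the outbound baseline and left for the deny rule. The baseline allow uses `application-default` for the service so the App-IDs are only permitted on their standard ports; the inbound rules pin the port instead because the legacy rule was port-based to begin with.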