Identify the tools to optimize Security policies.

Palo Alto Networks PCNSA Study Guide v10

Policy Optimizer

Policy Optimizer helps to identify port-based rules that can be converted to App-ID-based rules for better visibility and security. It also calls out App-ID rules that contain unused applications (over-provisioned rules). Application-based rules increase security by allowing only the applications you want and by limiting them to the port they usually run on, which prevents evasion.

To find port-based rules, use the No App Specified option under Policy Optimizer. The Compare option can then show you the application usage for those rules.

You can add the discovered App-IDs to policy using one of the four options at the bottom of the Application & Usage window.

  • Create Cloned Rule: Creates a duplicate of the rule being examined with the application added.
  • Add to This Rule: Adds the application to the existing rule.
  • Add to Existing Rule: Adds the application to another existing rule.
  • Match Usage: Replaces the policy with a new App-ID-based rule.
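The following is an added example, not code from the study guide or from Palo Alto Networks, that reproduces the No App Specified and Match Usage logic offline against an exported PAN-OS configuration. It assumes the standard rulebase XML layout of a config export (the sample fragment is constructed), and it sets the service of the replacement rule to application-default as the hardening step described above (limiting each application to its usual port), which is an assumption rather than a claim about what the button itself writes.

```python
import xml.etree.ElementTree as ET

# Constructed sample config fragment (not from a real firewall): one port-based
# rule and one App-ID rule, in the rulebase layout of a PAN-OS XML export.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><rulebase><security><rules>
 <entry name="allow-web"><from><member>trust</member></from><to><member>untrust</member></to>
  <source><member>any</member></source><destination><member>any</member></destination>
  <application><member>any</member></application>
  <service><member>service-http</member><member>service-https</member></service>
  <action>allow</action></entry>
 <entry name="allow-dns"><from><member>trust</member></from><to><member>untrust</member></to>
  <source><member>any</member></source><destination><member>any</member></destination>
  <application><member>dns</member></application>
  <service><member>application-default</member></service>
  <action>allow</action></entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""

RULE_PATH = ".//rulebase/security/rules/entry"


def _members(rule, tag):
    return [m.text for m in rule.findall(f"{tag}/member")]


def port_based_rules(config_xml):
    """Names of rules that match on service (ports) only, i.e. application = any.
    These are the rules Policy Optimizer lists under 'No App Specified'."""
    root = ET.fromstring(config_xml)
    return [r.get("name") for r in root.findall(RULE_PATH)
            if _members(r, "application") == ["any"]]


def match_usage(config_xml, rule_name, seen_apps, service="application-default"):
    """Build the App-ID-based replacement for a port-based rule: same zones,
    addresses and action, application narrowed to the App-IDs observed on the
    rule. Service defaults to application-default (assumption: the hardening
    step that pins each app to its standard port, not necessarily the GUI's
    own behaviour)."""
    root = ET.fromstring(config_xml)
    rule = next(r for r in root.findall(RULE_PATH) if r.get("name") == rule_name)
    if _members(rule, "application") != ["any"]:
        raise ValueError(f"{rule_name} is already an App-ID based rule")
    if not seen_apps:
        raise ValueError(f"no application usage recorded for {rule_name}")
    return {"name": rule_name, "from": _members(rule, "from"), "to": _members(rule, "to"),
            "source": _members(rule, "source"), "destination": _members(rule, "destination"),
            "application": sorted(set(seen_apps)), "service": [service],
            "action": rule.findtext("action")}
```

Feed `match_usage` the application list seen in the Compare view for a rule; an empty usage list is rejected because replacing a port-based rule with no observed applications would silently block the traffic it carried.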