What Is a Best Practice Internet Gateway Security Policy?
A best practice internet gateway security policy has two main security goals:
Minimize the chance of a successful intrusion —Unlike legacy port-based security policies that either block everything in the interest of network security, or enable everything in the interest of your business, a best practice security policy leverages App-ID, User-ID, and Content-ID to ensure safe enablement of applications across all ports, for all users, all the time, while simultaneously scanning all traffic for both known and unknown threats. Identify the presence of an attacker —A best practice internet gateway security policy provides built-in mechanisms to help you identify gaps in the rulebase and detect alarming activity and potential threats on your network.
To achieve these goals, the best practice internet gateway security policy uses application-based rules to allow access to whitelisted applications by user, while scanning all traffic to detect and block all known threats, and send unknown files to WildFire to identify new threats and generate signatures to block them:
The best practice policy is based on the following methodologies. The best practice methodologies ensure detection and prevention at multiple stages of the attack life cycle.
Best Practice Methodology Why is this important?
Inspect All Traffic for Visibility Because you cannot protect against threats you cannot see, you must make sure you have full visibility into all traffic across all users and applications all the time. To accomplish this: Deploy GlobalProtect to extend the next-generation security platform to users and devices no matter where they are located. Enable SSL decryption so the firewall can inspect encrypted traffic (SSL/TLS traffic flows account for 40% or more of the total traffic on a typical network today). Enable User-ID to map application traffic and associated threats to users/devices. The firewall can then inspect all traffic—inclusive of applications, threats, and content—and tie it to the user, regardless of location or device type, port, encryption, or evasive techniques employed using the native App-ID, Content-ID, and User-ID technologies. Complete visibility into the applications, the content, and the users on your network is the first step toward informed policy control.
Reduce the Attack Surface After you have context into the traffic on your network—applications, their associated content, and the users who are accessing them—create application-based Security policy rules to allow those applications that are critical to your business and additional rules to block all high-risk applications that have no legitimate use case. To further reduce your attack surface, attach File Blocking and URL Filtering profiles to all rules that allow application traffic to prevent users from visiting threat-prone web sites and prevent them from uploading or downloading dangerous file types (either knowingly or unknowingly).
Prevent Known Threats Enable the firewall to scan all allowed traffic for known threats by attaching security profiles to all allow rules to detect and block network and application layer vulnerability exploits, buffer overflows, DoS attacks, and port scans, known malware variants, (including those hidden within compressed files or compressed HTTP/HTTPS traffic). To enable inspection of encrypted traffic, enable SSL decryption.
Detect Unknown Threats Forward all unknown files to WildFire for analysis. WildFire identifies unknown or targeted malware (also called advanced persistent threats or APTs) hidden within files by directly observing and executing unknown files in a virtualized sandbox environment in the cloud or on the WF-500 appliance. WildFire monitors more than 250 malicious behaviors and, if it finds malware, it automatically develops a signature and delivers it to you in as little as five minutes (and now that unknown threat is a known threat).

Related Documentation