Unlike legacy port-based security policies, which either block everything in the interest of network security or allow everything in the interest of the business, a best-practice security policy lets you safely enable applications by classifying all traffic, across all ports, all the time, including encrypted traffic. Note that fully classifying encrypted traffic requires a decryption policy; without decryption, App-ID can identify only what is visible in the TLS handshake. By determining the business use case for each application, you can create security policy rules that allow and protect access to the relevant applications. Simply put, a best-practice security policy is one that leverages the next-generation technologies (App-ID, Content-ID, and User-ID) on the Palo Alto Networks enterprise security platform to:
A best-practice security policy uses a layered approach to ensure that you not only safely enable sanctioned applications but also block applications with no legitimate use case. To mitigate the risk of breaking applications when moving from port-based to application-based enforcement, the best-practice rulebase provides built-in mechanisms to help you identify gaps in the rulebase and detect suspicious activity and potential threats on your network. These temporary rules, which allow and log the traffic that no application-based rule matches yet, ensure that the applications your users depend on keep working while you monitor application usage and craft appropriate rules. You may find that some applications allowed through the existing port-based rules are not ones you want to continue allowing, or are ones you want to restrict to a more granular set of users.
Unlike a port-based policy, a best-practice security policy is easier to administer and maintain because each rule meets a specific goal: allowing an application or group of applications to a specific user group based on your business needs. You can therefore understand what traffic a rule enforces just by reading its match criteria. Additionally, a best-practice rulebase uses tags and objects to make the rulebase easier to scan and easier to keep synchronized with your changing environment.
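The following audit script illustrates the migration checks described above: it reads an exported security rulebase and flags port-based allow rules (application any), temporary catch-all rules that still need to be replaced, rules without session-end logging (which would hide the gaps you are trying to find), and untagged rules. This is an added example, not code from Palo Alto Networks or its documentation. It assumes the XML layout of a PAN-OS running-config export (rulebase/security/rules/entry with application, service, action, log-end and tag children); the rulebase itself is constructed sample data, and the finding texts and the "temporary" tag name are conventions chosen for the example.

```python
"""Audit a PAN-OS security rulebase export for rules that still need
migrating from port-based to application-based enforcement.

Added example, not Palo Alto Networks code. Assumes the XML layout of a
PAN-OS running-config export; the rules below are constructed sample data.
"""
import xml.etree.ElementTree as ET

# Constructed sample rulebase mid-migration: a sanctioned App-ID rule scoped
# to a user group, a legacy port-based rule, the temporary logged catch-all
# used to spot gaps, and a block rule for an application with no use case.
SAMPLE_RULEBASE = """<rulebase><security><rules>
  <entry name="allow-office365-finance">
    <source-user><member>corp\\finance</member></source-user>
    <application><member>ms-office365</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
    <log-end>yes</log-end>
    <tag><member>sanctioned</member></tag>
  </entry>
  <entry name="legacy-https-out">
    <source-user><member>any</member></source-user>
    <application><member>any</member></application>
    <service><member>service-https</member></service>
    <action>allow</action>
    <log-end>no</log-end>
  </entry>
  <entry name="temp-catch-all">
    <source-user><member>any</member></source-user>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>allow</action>
    <log-end>yes</log-end>
    <tag><member>temporary</member></tag>
  </entry>
  <entry name="block-p2p">
    <source-user><member>any</member></source-user>
    <application><member>bittorrent</member></application>
    <service><member>any</member></service>
    <action>deny</action>
    <log-end>yes</log-end>
    <tag><member>blocked</member></tag>
  </entry>
</rules></security></rulebase>"""


def members(entry, child):
    """Return the <member> values under entry/<child>, or [] if absent."""
    return [m.text.strip() for m in entry.findall(f"./{child}/member") if m.text]


def parse_rules(xml_text):
    """Flatten each security rule entry into a dict of the fields we audit."""
    root = ET.fromstring(xml_text)
    rules = []
    for e in root.findall("./security/rules/entry"):
        rules.append({
            "name": e.get("name"),
            "users": members(e, "source-user"),
            "apps": members(e, "application"),
            "services": members(e, "service"),
            "action": (e.findtext("action") or "").strip(),
            # Assumption: PAN-OS logs at session end by default, so an
            # absent <log-end> element is treated as "yes".
            "log_end": e.findtext("log-end", default="yes").strip() == "yes",
            "tags": members(e, "tag"),
        })
    return rules


def audit_rule(rule):
    """Return the list of best-practice findings for one rule ([] if clean)."""
    findings = []
    if rule["action"] == "allow":
        if "any" in rule["apps"]:
            if "temporary" in rule["tags"]:
                findings.append("temporary catch-all: review its traffic logs and "
                                "replace with application-specific rules")
            else:
                findings.append("port-based: allows application any; "
                                "rewrite as an App-ID rule")
        elif "any" in rule["services"]:
            findings.append("service any: application allowed on non-standard "
                            "ports; prefer application-default")
        if "any" in rule["users"]:
            findings.append("any user: not scoped to a user group with User-ID")
    if not rule["log_end"]:
        findings.append("no session-end logging: gaps and misuse stay invisible")
    if not rule["tags"]:
        findings.append("untagged: hard to scan and keep in sync")
    return findings


def audit(xml_text):
    """Map rule name -> findings for every rule in the exported rulebase."""
    return {r["name"]: audit_rule(r) for r in parse_rules(xml_text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULEBASE).items():
        print(name, "->", findings or "ok")
```

Run it against `show config running` output saved from the firewall (or the XML returned by the XML API's config action) instead of the constructed sample; the "temporary" finding is the one to revisit regularly, since the goal is for that catch-all to stop matching traffic and then be removed.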