Policy Control

Secure Application Enablement.

The increased visibility into applications, users and content delivered by Palo Alto Networks simplifies figuring out which applications are traversing your network, who is using them, and the potential security risks. Armed with this data, you can apply secure enablement policies with a range of responses that are more finely tuned than the traditional 'allow or deny' approach.

 

Balancing protection and enablement with fine-grained policy enforcement.

App-ID graphically displays the applications that are traversing your network. It allows you to see who is using applications and the potential security risks. This information empowers you to quickly deploy application-, application function-, and port-based enablement policies in a systematic and controlled manner. Your policies may range from open (allow), to moderate (enabling certain applications or functions, then scanning, shaping, scheduling, etc.), to closed (deny). Examples may include:

 

  • Allow or deny

  • Allow based on schedule, users, or groups

  • Apply traffic shaping through QoS

  • Allow certain application functions such as file transfer within instant messaging

  • Allow, but scan for viruses and other threats

  • Decrypt and inspect

  • Apply policy-based forwarding

  • Any combination of the above


Mixing next-generation policy criteria like applications, application functions, users, groups and regions, with traditional policy criteria such as source, destination and IP address, allows you to deploy the appropriate policy.

Selectively filter applications to quickly create policy control lists.

Our application browser allows you to add dynamic application filters to your security policy using a wide range of criteria including:
 
  • Category
  • Subcategory
  • Underlying technology
  • Behavioral characteristic (file transfer capabilities, known vulnerabilities, ability to evade detection, propensity to consume bandwidth, and malware transmission/propagation)


Additional application details you will receive include a description of the application, the commonly used ports, and a summary of the individual application characteristics. Using the application browser allows you to quickly research an application and immediately translate the results into a security policy.

Stop threats and unauthorized file/data transfer.

The same levels of fine-grained control that you can apply to a specific set of applications can also be extended to threat prevention. Using a very targeted approach, you can apply:
 

  • Antivirus and antispyware policies to allowed webmail applications
  • IPS policies to Oracle database traffic
  • Data filtering profiles to file transfer within instant messaging

Traffic shaping ensures business applications are not bandwidth starved.

Secure application enablement may entail allowing bandwidth-intensive applications such as streaming media. You can strike an appropriate balance by using QoS policies that ensure your business-critical applications are not starved of bandwidth by non-work-related applications.

 

  • Guaranteed, maximum and priority bandwidth can be applied across eight traffic queues

  • Your policies can be applied to physical interfaces, IPSec VPN tunnels, applications, users, source, destination and more

  • Diffserv marking is supported, enabling application traffic to be controlled by a downstream or upstream networking device

Flexible, policy-based control over web usage.

To complement the application visibility and control enabled by our App-ID, you can use URL categories as a match criterion for your policies. Instead of creating policies limited to either 'allow all' or 'block all' behavior, the ability to use URL category as a match criterion permits exception-based behavior. This increases your flexibility and gives you more granular policy enforcement capabilities. Examples of how URL categories can be used in your policy include:
 

  • Identify and allow exceptions to your general security policies for users who may belong to multiple groups within Active Directory (e.g., deny access to malware and hacking sites for all users, yet allow access to users that belong to the security group)

  • Allow access to streaming media category, but apply QoS to control your bandwidth consumption

  • Prevent file download/upload for URL categories that represent higher risk (e.g., allow access to unknown sites, but prevent upload/download of executable files from unknown sites to limit malware propagation)

  • Apply SSL decryption policies that allow encrypted access to finance and shopping categories, but decrypt and inspect traffic to all other categories

 

Systematically identify and control unknown traffic.

Every network has a small amount of unknown traffic. Usually, unknown traffic comes from an internal, custom developed application. In other cases, it is an unidentified commercial application, or, worst case, a threat. Regardless of the amount of unknown traffic, it is a concern for you.

 

Use the application control features built into Palo Alto Networks next-generation firewalls to systematically identify, investigate and manage unknown traffic on your network. You will notice a dramatic reduction in the risks posed to you by unknown traffic.