An administrator is updating Security policy to align with best practices.
Which Policy Optimizer feature is shown in the screenshot below?
Based on the screenshot, the rules listed have the application set to 'any'. This suggests that they are port-based rules that need to be converted to application-based rules for better security. Therefore, the feature displayed is 'Rules without App Controls.' This feature allows administrators to identify port-based rules and update them to include specific application controls.
New App Viewer, I just checked it in PA FW version 11.x
Answer is: D (Unused Apps). Just checked the firewall. Look at the top where it says "App Usage". Go to --> Policies > Policy Optimizer > Unused Apps
I just checked one more time on the firewall and both answers are correct: Unused Apps and Without App Control. Both screens are similar and I could not see any difference in the format. However, the results are different, of course, so I am not quite sure which one should be correct in this case.
Answer = B https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/cloud-based-app-id-service/new-app-viewer-policy-optimizer
This is rules without app control
Answer : B
A. Rules without App Controls. Even if A and D have the same columns and in the same order, here we have rules with any as Apps Allowed, so it is considering Rules without App Controls.
As checked on the actual FW with PAN-OS 11.0.2, A and D have exactly the same view in Policy Optimizer. A. Rules without App Controls D. Unused Apps
Answer is: D Unused app
Just checked on FW. There is a column Application in New App Viewer (3rd, between columns Service and Traffic), which is not present in this pic. This is the only difference between New App V and Rules Wout App Cntrl.
I vote for B, new app viewer!
A is correct - Rules without Apps Control (or No App Specified in the previous PAN-OS version)
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/security-policy-rule-optimization/migrate-port-based-to-app-id-based-security-policy-rules
A little more on why it is Rules without Apps Control and not New App Viewer: Although both are true for this specific screenshot, the difference is that in New App Viewer we get to see the rules which are configured with applications like web-browsing, and such rules are not visible in Rules Without Apps Control. Thus, in New App Viewer, at times we get to see numbers under 'Apps Allowed', whereas on the other hand this column contains 'Any'. Moreover, the New Apps Allowed functionality requires a PA Application Cloud Engine (ACE) SaaS subscription to get the App info from the cloud DB. The Rules Without Apps Control is on-the-box functionality. Here's the definition from the firewall's help page: New App Viewer—New cloud applications downloaded from the Application Control Engine if the firewall has a SaaS Security subscription. Rules Without App Controls—Rules that have the application set to any, so you can identify port-based rules to convert to application-based rules.
Cont.... Since the question is asked in a simple way without details like conversion of applications (e.g. web-browsing to a specific cloud-based app), we can safely assume that it is not about New App Viewer. PS: You can read about Rules Without Apps Control from the link in the original post and for New App Viewer, go to https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/cloud-based-app-id-service/new-app-viewer-policy-optimizer.
I think you are right since by default the column "Application" is displayed in "New App Viewer", here in the screenshot it is not present (verified in PanOS 11 lab). That is why also the correct answer is "Rules without Apps Control" -> A