How Application-Default in the Rulebase Changes the Way Traffic is Matched

Created On 09/25/18 19:10 PM - Last Modified 06/02/23 03:30 AM


Resolution


Overview

This document applies an example policy to describe how traffic is matched to a security policy, on the Palo Alto Networks firewall, depending on whether application-default is used or not.


Details

The following shows an example policy from the web UI (Policies > Security):

[Screenshot 2014-01-16 11_39_41-PA-VM.png: the example rulebase, rules r1 to r7, as displayed under Policies > Security]


The policies above are converted to the following configuration on the firewall (part of the command output has been omitted):

> show running security-policy

r1 {
        from l3-trust;
        source any;
        to l3-untrust;
        destination any;
        application/service  ping/icmp/any/any;
        action allow;
}
r2 {
        from l3-trust;
        source any;
        to l3-untrust;
        destination any;
        application/service  ping/any/any/any;
        action allow;
}
r3 {
        from l3-trust;
        source any;
        to l3-untrust;
        destination any;
        application/service  web-browsing/tcp/any/80;
        action allow;
}
r4 {
        from l3-trust;
        source any;
        to l3-untrust;
        destination any;
        application/service  web-browsing/tcp/any/8888;
        action allow;
}
r5 {
        from l3-trust;
        source any;
        to l3-untrust;
        destination any;
        application/service  web-browsing/any/any/any;
        action allow;
}
r6 {
        from l3-trust;
        source any;
        to l3-untrust;
        destination any;
        application/service [ ssh/tcp/any/22 ping/icmp/any/any ];
        action allow;
}
"r7 deny" {
        from any;
        source any;
        to any;
        destination any;
        application/service  any/any/any/any;
        action deny;
}

The application/service field in the output is written as application/protocol/source port/destination port.

As seen above, the firewall expanded the "service" column of the web UI into explicit values. Where a rule used "application-default", the firewall replaced it with the protocol and port the selected application is known to use: ping became icmp/any/any (r1, r6), web-browsing became tcp/any/80 (r3) and ssh became tcp/any/22 (r6). Rule "r4", which allows web-browsing on tcp/8888, carries a specific service rather than application-default, since 8888 is not the default port for web-browsing. For example, rule "r6" matches traffic that is either protocol icmp, or tcp with destination port 22. Where the service was left as "any" (as in rule "r2"), the firewall accepts the application on any protocol and any port.

Next, the following traffic is sent through the firewall:

  • ICMP echo request
  • TCP SYN (with no further packets) to ports 80, 1222, 8888 and 9999
  • HTTP request to ports 80, 8888 and 9999
  • SSH to ports 22 and 1222

As seen in the log entries below:

  • The ICMP echo matched "r1".
  • Every TCP SYN matched "r2". When the SYN arrived the firewall had seen no payload, so the application was still unknown and it could only match on zones, protocol and port; "r2" is the first rule in the rulebase that allows tcp to any port, so the SYN was permitted under it. Because no further packets followed, the session timed out and was logged with the application "incomplete" and "r2" as the rule that permitted the traffic. Note that this happened although "r2" was written for ping: a service of "any" opens every port for the first packet of a session, whatever application the rule names.
  • The HTTP requests matched: port 80 - "r3", because application-default for web-browsing is tcp/80; port 8888 does not match "r3" but does match "r4"; port 9999 matches neither "r3" nor "r4" but does match "r5", which allows web-browsing on any port.
  • SSH to port 22 matched "r6". SSH to port 1222 did not match "r6", which only allows the application's default port tcp/22, and instead hit the deny rule "r7".

[Screenshot 2014-01-16 11_40_40-PA-VM.png: traffic log entries for the test traffic, showing the application and the matching rule for each session]
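The following Python model replays the two-stage matching that the log entries above illustrate: a first lookup on zones, protocol and port only (the SYN, before App-ID has classified the flow), and a second lookup once the application is known. It is an added example, not PAN-OS code and not from the article's author; the rule entries and zone names are copied from the CLI output above, the traffic list is constructed to mirror the test, and the matching order is a simplified model of the firewall's behaviour, not an exact reproduction of its data plane.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# (application, protocol, source port, destination port), the order used by
# "show running security-policy"; "any" is a wildcard in every position.
AppService = Tuple[str, str, str, str]


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    app_service: Sequence[AppService]
    action: str


# The rulebase as the firewall rendered it after expanding application-default
# (r1, r3, r6) into explicit protocol/port pairs. Copied from the CLI output.
RULES = [
    Rule("r1", "l3-trust", "l3-untrust", [("ping", "icmp", "any", "any")], "allow"),
    Rule("r2", "l3-trust", "l3-untrust", [("ping", "any", "any", "any")], "allow"),
    Rule("r3", "l3-trust", "l3-untrust", [("web-browsing", "tcp", "any", "80")], "allow"),
    Rule("r4", "l3-trust", "l3-untrust", [("web-browsing", "tcp", "any", "8888")], "allow"),
    Rule("r5", "l3-trust", "l3-untrust", [("web-browsing", "any", "any", "any")], "allow"),
    Rule("r6", "l3-trust", "l3-untrust",
         [("ssh", "tcp", "any", "22"), ("ping", "icmp", "any", "any")], "allow"),
    Rule("r7 deny", "any", "any", [("any", "any", "any", "any")], "deny"),
]


def _wild(field: str, value: str) -> bool:
    """A rule field matches when it is the wildcard "any" or equals the value."""
    return field == "any" or field == value


def first_match(from_zone: str, to_zone: str, protocol: str, dport: str,
                application: Optional[str]) -> Optional[Rule]:
    """Top-down, first-match lookup over RULES.

    application=None models the first packet of a session: App-ID has not yet
    classified it, so only zones, protocol and port can be checked, and every
    rule whose service covers the packet is a candidate regardless of the
    application it names. Once App-ID has identified the flow, the
    application column must match as well.
    """
    for rule in RULES:
        if not (_wild(rule.from_zone, from_zone) and _wild(rule.to_zone, to_zone)):
            continue
        for app, proto, _sport, port in rule.app_service:
            if _wild(proto, protocol) and _wild(port, dport) and (
                    application is None or _wild(app, application)):
                return rule
    return None


def session_log(protocol: str, dport: str,
                identified_app: Optional[str]) -> Tuple[str, str, str]:
    """Return (application, rule, action) as the traffic log would show them.

    identified_app=None means no payload ever arrived (a bare SYN that timed
    out): the firewall keeps the rule chosen on the first packet and logs the
    application as "incomplete". Zones are fixed to the test's l3-trust ->
    l3-untrust direction.
    """
    syn_rule = first_match("l3-trust", "l3-untrust", protocol, dport, None)
    assert syn_rule is not None, "r7 deny catches everything, so this cannot happen"
    if identified_app is None:
        return ("incomplete", syn_rule.name, syn_rule.action)
    final = first_match("l3-trust", "l3-untrust", protocol, dport, identified_app)
    assert final is not None
    return (identified_app, final.name, final.action)


# Constructed traffic list mirroring the test on this page. "-" stands in for
# the port field of ICMP, which has none.
TRAFFIC = [
    ("icmp", "-", "ping"),
    *[("tcp", p, None) for p in ("80", "1222", "8888", "9999")],      # bare SYNs
    *[("tcp", p, "web-browsing") for p in ("80", "8888", "9999")],    # HTTP
    ("tcp", "22", "ssh"),
    ("tcp", "1222", "ssh"),
]

if __name__ == "__main__":
    for proto, port, app in TRAFFIC:
        logged_app, rule, action = session_log(proto, port, app)
        print(f"{proto:4} dport={port:5} app={logged_app:13} rule={rule:8} {action}")
```

The model reproduces every log entry described above, including the one worth remembering: all four bare SYNs, to open and closed ports alike, are permitted by "r2" because its service of "any" makes it match any tcp port before App-ID has anything to classify. With application-default on that rule, the first-packet lookup would already require icmp, and the SYNs would fall through to "r7 deny". On a real firewall the same question can be put to the rulebase with the CLI command test security-policy-match, for example test security-policy-match from l3-trust to l3-untrust source 10.1.1.10 destination 203.0.113.5 protocol 6 destination-port 1222 application ssh (the addresses are constructed here), which reports the rule that would match.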


See Also

Incomplete, Insufficient data and Not-applicable in the application field

Security Policy Guidelines


owner: rweglarz



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV1CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail