topic Can we create a rule to match only the selected application without selecting WEb-Browsing dependency in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/can-we-create-a-rule-to-match-only-the-selected-application/m-p/549049#M1489 <P>Dear All,</P> <P>&nbsp;</P> <P>I need a community advice, we are migrating all our Firewalls from Checkpoint to Palo Alto.</P> <P>First Palo Alto was implemented 2 weeks ago, a PA 3420 version&nbsp;<SPAN>10.2.4-h2</SPAN></P> <P>&nbsp;</P> <P>We are trying to transform the imported rules into Palo alto style.</P> <P>For example I want to create a rule to allow only access to "TeamViewer" application for some computers but not allowing them to browse internet.</P> <P>&nbsp;</P> <P>So, first I implemented the SSL decrypt rule for thoses computers, decrypt is running fine.</P> <P>I create the filtering rule with Source = computers Ip's and Destination= TeamViewer application</P> <P>When I do that there are suggested applications dependency's that are SSL and Web-Browsing, so I add them also into the allowed Applications list. (Seem to be a best practice doing that)</P> <P>&nbsp;</P> <P>But when I do this, the effect of this rule is that these computers can actually browse the whole Internet, not just TeamViewer.</P> <P>&nbsp;</P> <P>So I read on some other posts that to filter correctly I should add an url list with (teamviewer.com and *.teamviewer.com) to the rule to filter only the Application teamviewer.</P> <P>&nbsp;</P> <P>But, so what's the point to use application if in parallel I have to combine them with Url list ?</P> <P>Because I could instead create a URL List based rule only (without speechifying the Application) i will have the same effect ?</P> <P>&nbsp;</P> <P>Many thanks for your advices.</P> <P>&nbsp;</P> <P>Regards</P> Wed, 12 Jul 2023 07:36:05 GMT PauloVenancio 2023-07-12T07:36:05Z Can we create a rule to match only the selected application without selecting WEb-Browsing dependency https://live.paloaltonetworks.com/t5/next-generation-firewall/can-we-create-a-rule-to-match-only-the-selected-application/m-p/549049#M1489 <P>Dear All,</P> <P>&nbsp;</P> <P>I need a community advice, we are migrating all our Firewalls from Checkpoint to Palo Alto.</P> <P>First Palo Alto was implemented 2 weeks ago, a PA 3420 version&nbsp;<SPAN>10.2.4-h2</SPAN></P> <P>&nbsp;</P> <P>We are trying to transform the imported rules into Palo alto style.</P> <P>For example I want to create a rule to allow only access to "TeamViewer" application for some computers but not allowing them to browse internet.</P> <P>&nbsp;</P> <P>So, first I implemented the SSL decrypt rule for thoses computers, decrypt is running fine.</P> <P>I create the filtering rule with Source = computers Ip's and Destination= TeamViewer application</P> <P>When I do that there are suggested applications dependency's that are SSL and Web-Browsing, so I add them also into the allowed Applications list. (Seem to be a best practice doing that)</P> <P>&nbsp;</P> <P>But when I do this, the effect of this rule is that these computers can actually browse the whole Internet, not just TeamViewer.</P> <P>&nbsp;</P> <P>So I read on some other posts that to filter correctly I should add an url list with (teamviewer.com and *.teamviewer.com) to the rule to filter only the Application teamviewer.</P> <P>&nbsp;</P> <P>But, so what's the point to use application if in parallel I have to combine them with Url list ?</P> <P>Because I could instead create a URL List based rule only (without speechifying the Application) i will have the same effect ?</P> <P>&nbsp;</P> <P>Many thanks for your advices.</P> <P>&nbsp;</P> <P>Regards</P> Wed, 12 Jul 2023 07:36:05 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/can-we-create-a-rule-to-match-only-the-selected-application/m-p/549049#M1489 PauloVenancio 2023-07-12T07:36:05Z Re: Can we create a rule to match only the selected application without selecting WEb-Browsing dependency https://live.paloaltonetworks.com/t5/next-generation-firewall/can-we-create-a-rule-to-match-only-the-selected-application/m-p/550934#M1580 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/302780">@PauloVenancio</a>&nbsp;,</P> <P>&nbsp;</P> <P>If teamviewer is using its default port i.e. TCP/UDP 5938 then, it would be easier for you to filter traffic based on the destination port along-with app-id. But anyway, if teamviewer can't connect over default port, it will next try to connect over 443.</P> <P>&nbsp;</P> <P>Coming to your questions-</P> <P>&nbsp;</P> <P>But, so what's the point to use application if in parallel I have to combine them with Url list ?</P> <P><EM><STRONG>-</STRONG>Most of admins use all the available options to restrict their security policies. So it will be good idea to use URL list in your case.</EM></P> <P>&nbsp;</P> <P>Because I could instead create a URL List based rule only (without speechifying the Application) i will have the same effect ?</P> <P><EM><STRONG>-</STRONG>Yes, that will also work based on the destination URLs allowed under the list.</EM></P> <P>&nbsp;</P> Tue, 25 Jul 2023 15:59:59 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/can-we-create-a-rule-to-match-only-the-selected-application/m-p/550934#M1580 SutareMayur 2023-07-25T15:59:59Z