https://live.paloaltonetworks.com/t5/next-generation-firewall/clarification-on-application-and-service-in-security-policy/m-p/556022#M1789 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/313004">@IBM-MSS</a>,</P> <P>Yes, and also not really ... but also yes ... but primarily no&nbsp;<span class="lia-unicode-emoji" title=":grinning_face:">😀</span></P> <P>&nbsp;</P> <P>What happens in that situation is that the firewall needs to allow enough traffic to pass to actually identify the application, so your rule will capture a whole lot more traffic than your actual intent. That being said, as soon as the firewall can identify the application and it&nbsp;<EM>isn't&nbsp;</EM>what you have specified the traffic will no longer match the rule and continue to be analyzed according to the rest of your security rulebase.</P> <P>I'd generally recommend being heavily cautious when you're creating these sort of policies, and make them as restrictive as reasonably possible. You&nbsp;<STRONG>are&nbsp;</STRONG>allowing traffic to pass to identify the actual application, there's no way around that when creating a policy like this.&nbsp;</P> Thu, 31 Aug 2023 15:06:37 GMT BPry 2023-08-31T15:06:37Z https://live.paloaltonetworks.com/t5/next-generation-firewall/clarification-on-application-and-service-in-security-policy/m-p/556021#M1788 <P>Hi,</P> <P>By restricting the security policy with specific application and allow ANY service leads to allow all traffic through that policy?</P> Thu, 31 Aug 2023 14:59:00 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/clarification-on-application-and-service-in-security-policy/m-p/556021#M1788 IBM-MSS 2023-08-31T14:59:00Z https://live.paloaltonetworks.com/t5/next-generation-firewall/clarification-on-application-and-service-in-security-policy/m-p/556022#M1789 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/313004">@IBM-MSS</a>,</P> <P>Yes, and also not really ... but also yes ... but primarily no&nbsp;<span class="lia-unicode-emoji" title=":grinning_face:">😀</span></P> <P>&nbsp;</P> <P>What happens in that situation is that the firewall needs to allow enough traffic to pass to actually identify the application, so your rule will capture a whole lot more traffic than your actual intent. That being said, as soon as the firewall can identify the application and it&nbsp;<EM>isn't&nbsp;</EM>what you have specified the traffic will no longer match the rule and continue to be analyzed according to the rest of your security rulebase.</P> <P>I'd generally recommend being heavily cautious when you're creating these sort of policies, and make them as restrictive as reasonably possible. You&nbsp;<STRONG>are&nbsp;</STRONG>allowing traffic to pass to identify the actual application, there's no way around that when creating a policy like this.&nbsp;</P> Thu, 31 Aug 2023 15:06:37 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/clarification-on-application-and-service-in-security-policy/m-p/556022#M1789 BPry 2023-08-31T15:06:37Z https://live.paloaltonetworks.com/t5/next-generation-firewall/clarification-on-application-and-service-in-security-policy/m-p/556029#M1790 <P>Thanks for the clarification.</P> <P>During my investigation, i identified that telnet and netmap traffic is allowing through this policy. I believe this is because service will check on Layer 3 and Application will check on layer 7.</P> Thu, 31 Aug 2023 16:14:55 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/clarification-on-application-and-service-in-security-policy/m-p/556029#M1790 IBM-MSS 2023-08-31T16:14:55Z https://live.paloaltonetworks.com/t5/next-generation-firewall/clarification-on-application-and-service-in-security-policy/m-p/556032#M1791 <P>If you test connectivity with telnet then firewall sees TCP 3way handshake and as there is no application traffic yet it will be permitted.</P> <P>You could set up some dummy rule to collect those incompletes and this avoids your app rule to match other traffic.</P> <P>This example works well for that purpose as ping is not actually TCP application and it never matches to outgoing pings <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Raido_Rattameister_0-1693499084673.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53326i2D080A016F453035/image-size/medium?v=v2&amp;px=400" role="button" title="Raido_Rattameister_0-1693499084673.png" alt="Raido_Rattameister_0-1693499084673.png" /></span></P> <P>&nbsp;</P> Thu, 31 Aug 2023 16:25:42 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/clarification-on-application-and-service-in-security-policy/m-p/556032#M1791 Raido_Rattameister 2023-08-31T16:25:42Z