https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-check-not-detected-open-or-allowed-ports-in-service-rule/m-p/578698#M2734 <P>A thousand thank you&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/227075">@Claw4609</a>&nbsp;. Done specifying the 443 part the only thing I have not tried is testing the policy match, seems I can do this temporarily but there is another platform that can detect that is capable of collecting, searching and analyzing the open/allowed ports that were not detected on the Palo fw.</P> Wed, 28 Feb 2024 19:23:52 GMT giozapa 2024-02-28T19:23:52Z https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-check-not-detected-open-or-allowed-ports-in-service-rule/m-p/578691#M2732 <P><LI-PRODUCT title="NGFW" id="NGFW"></LI-PRODUCT>&nbsp;Hi, Any idea if there is a tool to trace in PA5220 to check the un-detected open or allowed ports in rule policy.&nbsp;</P> <P>For example from a source IP 192.168.x.x.x. to a destination public IP (web server) . In the service I only specify port 443 but upon checking there are a lot of open ports that were allowed. This poses a security vulnerability in my network.</P> <P>&nbsp;</P> <P>Any help would be much greatly appreciated. A thousand thank you in advance <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 28 Feb 2024 18:31:54 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-check-not-detected-open-or-allowed-ports-in-service-rule/m-p/578691#M2732 giozapa 2024-02-28T18:31:54Z https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-check-not-detected-open-or-allowed-ports-in-service-rule/m-p/578694#M2733 <P>Hello,</P> <P>&nbsp;</P> <P>First thought would be its either hitting a different rule or the service object is incorrect. If you look at the service object is the destination set to 443. Heres and example of the pre-defined one:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Claw4609_0-1709147005751.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57902iBAC8C22CD1891A1F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Claw4609_0-1709147005751.png" alt="Claw4609_0-1709147005751.png" /></span></P> <P>&nbsp;</P> <P>Otherwise it may be hitting a different rule. You can test example traffic and see which rule it would hit. If you for to Policies&gt;Security at the bottom there is a test policy match where you can enter information and see what rule it would hit.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Claw4609_1-1709147089157.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57903i0454C626B53434A9/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Claw4609_1-1709147089157.png" alt="Claw4609_1-1709147089157.png" /></span></P> <P>&nbsp;</P> Wed, 28 Feb 2024 19:04:58 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-check-not-detected-open-or-allowed-ports-in-service-rule/m-p/578694#M2733 Claw4609 2024-02-28T19:04:58Z https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-check-not-detected-open-or-allowed-ports-in-service-rule/m-p/578698#M2734 <P>A thousand thank you&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/227075">@Claw4609</a>&nbsp;. Done specifying the 443 part the only thing I have not tried is testing the policy match, seems I can do this temporarily but there is another platform that can detect that is capable of collecting, searching and analyzing the open/allowed ports that were not detected on the Palo fw.</P> Wed, 28 Feb 2024 19:23:52 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-check-not-detected-open-or-allowed-ports-in-service-rule/m-p/578698#M2734 giozapa 2024-02-28T19:23:52Z