topic Re: Application and services in security policy rules in General Topics

Application and services in security policy rules

jatin.singh06 — Thu, 09 Jun 2022 00:48:11 GMT

Hi I have a question,

Following rule,

Application allowed- DNS,SSL,WEB-Browsing

Service allowed - TCP port 22

I understand DNS, SSL and Web-browsing would be allowed on port 22, but my question is SSH traffic would be allowed by this rule as I am allowing port-22 via service.?

Also My second question, would DNS traffic be allowed on its standard port 53 via this rule?

My understanding is Palo matches Both Services and Application together, hence SSH traffic would be blocked in this case and DNS traffic on port 53 would also be blocked?

Referring this article - https://live.paloaltonetworks.com/t5/blogs/what-are-applications-and-services/ba-p/342508

Re: Application and services in security policy rules

reaper — Thu, 09 Jun 2022 08:49:48 GMT

The service configuration limits which ports the applications are allowed to use

Setting tcp-22 in the services limits ALL applications to only be allowed through tcp:22 (so DNS will need to use TCP 22 instead of UDP 53)

if DNS needs to be allowed too, you'll need to add udp53 to the services

Re: Application and services in security policy rules

OtakarKlier — Thu, 09 Jun 2022 14:59:56 GMT

Hello,

While there maybe a reason for restricting the application traffic, I would break these out into their own separate policies. This way you have tighter control over applications and which ports they can/should use.

Regards,

Re: Application and services in security policy rules

jatin.singh06 — Thu, 09 Jun 2022 23:09:37 GMT

Hi Reaper,

That makes sense but just confirming SSH traffic will also be blocked in the case as I have not allowed SSH in application section?

Please confirm

Re: Application and services in security policy rules

S_Alad — Fri, 10 Jun 2022 12:21:29 GMT

break application out into their own separate security policies and define whatever port you desire to use except you want all the app on the same port 22 and also define udp port.

Re: Application and services in security policy rules

OtakarKlier — Fri, 10 Jun 2022 17:22:47 GMT

Hello,

Correct, you will need to have ssh in the application field to allow the traffic. You will not need a 'service'/port since that is implied in the application.

https://applipedia.paloaltonetworks.com/

Regards,

Re: Application and services in security policy rules

Sec101 — Fri, 10 Jun 2022 20:11:49 GMT

It would be nice if you could get away with an "and" for app default- AND any port you specify in the rule.

Re: Application and services in security policy rules

OtakarKlier — Fri, 10 Jun 2022 20:14:52 GMT

Hello,

You absolutely can. However the point with the applications is that you dont have to. So instead of a policy that is like:

application = ssh and service = 22/tcp, you can just put in application = ssh.

Thats really it. The firewall knows and can see ssh and knows its only allowed on port 22/tcp by default.

Hope that helps.

Re: Application and services in security policy rules

Sec101 — Fri, 10 Jun 2022 20:32:51 GMT

I was under the impression that one rule was either app-default OR you pick the service.

Like
app=ssh

service
app-default OR tcp/22

Re: Application and services in security policy rules

jatin.singh06 — Fri, 10 Jun 2022 20:45:33 GMT

So that means.

Lets says I allowed 5 applications in my rule 1 with "application-default"

The traffic from that rule would be allowed on all standard ports.

Now I have another non standard port to allow.

So I have to make another rule and allow ALL apps on that TCP- NON-STANDARD port.

Does'it not open up all application traffic on that port.

Would'nt it be better if I use the non standard port in same rule 1 and somehow palo allows my 5 applications on their standard ports and also the non standard I added in services section.

That way I can have the traffic going to non standard port allowed and also applications to standard ports allowed in same rule.

That poses less secuirty risk rather than allowing all apps on that non standard port in a new rule?

@OtakarKlier @reaper

Re: Application and services in security policy rules

OtakarKlier — Fri, 10 Jun 2022 20:52:22 GMT

Hello,

Let me try this: Lets say you want to allow the following applications:

ssl, web-browsing, and dns and dont put in any service/ports. The firewall will allow traffic that is sees as DNS only on port 53, web-browsing only on port 80 and ssl only on port 443. If DNS tries to use any other port, it will be blocked.

if you put in a policy that allows applications: ssl, web-browsing, and dns and ports 53, 80, 443. Then the firewall will allow any of those applications over any of those ports, ie DNS over 443, 80, 53.

So by not using a specific service/port, you are making your security policy that much stronger. If you want to allow an application say DNS over port 443, you will need to have a special policy that allows that. The firewall reads policies top down, left to right. Once it finds a match, thats what it will use.

Hope that makes sense.