<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Restricting Application Port in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/restricting-application-port/m-p/24376#M17770</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I would like to create a custom App for SMTP submission. All I really want to do is restrict the "smtp" App to use 587/tcp only. Its usual "default ports" action is to allow 25/tcp or 587/tcp.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I just tried to create a Custom App based on "smtp," but have the only default port be "tcp/587." As I seemed to vaguely recall the other times I've tried to do this, without a signature section, the App does not match anything. SMTP traffic still matches "smtp," not my App.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Sure, I can create a whole new policy rule in the rule base with "smtp" as the application and a "submission" service on 587/tcp, but it would be a lot easier and more manageable to just drop a custom application into an existing application group.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is there a way to create a custom App to change the default port behavior of a built-in App? (Note that this is not an Application Override thing. (Right?) I still want the PAN to do its App ID voodoo, just change the default ports allowed.)&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 28 Jun 2013 18:13:02 GMT</pubDate>
    <dc:creator>cosx</dc:creator>
    <dc:date>2013-06-28T18:13:02Z</dc:date>
    <item>
      <title>Restricting Application Port</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/restricting-application-port/m-p/24376#M17770</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I would like to create a custom App for SMTP submission. All I really want to do is restrict the "smtp" App to use 587/tcp only. Its usual "default ports" action is to allow 25/tcp or 587/tcp.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I just tried to create a Custom App based on "smtp," but have the only default port be "tcp/587." As I seemed to vaguely recall the other times I've tried to do this, without a signature section, the App does not match anything. SMTP traffic still matches "smtp," not my App.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Sure, I can create a whole new policy rule in the rule base with "smtp" as the application and a "submission" service on 587/tcp, but it would be a lot easier and more manageable to just drop a custom application into an existing application group.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is there a way to create a custom App to change the default port behavior of a built-in App? (Note that this is not an Application Override thing. (Right?) I still want the PAN to do its App ID voodoo, just change the default ports allowed.)&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 28 Jun 2013 18:13:02 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/restricting-application-port/m-p/24376#M17770</guid>
      <dc:creator>cosx</dc:creator>
      <dc:date>2013-06-28T18:13:02Z</dc:date>
    </item>
    <item>
      <title>Re: Restricting Application Port</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/restricting-application-port/m-p/24377#M17771</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;If you do not want to stop layer 7 processing then you can just create a security rule with SMTP allowed in it and specify the ports that you need in the service.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;That way Palo Alto will detect SMTP based on layer 7 data but will only restrict the Application to be allowed when using the ports specified by you.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;****A custom app without a signature will work only if you override traffic on the expected port to your customized app.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 28 Jun 2013 18:20:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/restricting-application-port/m-p/24377#M17771</guid>
      <dc:creator>Chatri</dc:creator>
      <dc:date>2013-06-28T18:20:38Z</dc:date>
    </item>
    <item>
      <title>Re: Restricting Application Port</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/restricting-application-port/m-p/24378#M17772</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I recently did something similar to this. Since the appliance will detect all applications regardless of the port they are running on, you can make a custom service object. Instead of using Application Default, which allows both 25 and 587, choose your custom service for just 587.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 01 Jul 2013 19:11:20 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/restricting-application-port/m-p/24378#M17772</guid>
      <dc:creator>nthen</dc:creator>
      <dc:date>2013-07-01T19:11:20Z</dc:date>
    </item>
  </channel>
</rss>

