https://live.paloaltonetworks.com/t5/general-topics/eval-question/m-p/26490#M19336 <HTML><HEAD></HEAD><BODY><P>In the Checkpoint firewall, you'll create a port-based rule that permits outbound TCP/80, TCP/443 traffic.&nbsp; Then, you'll leave the firewall policy and go to the AppBlade and create a 2nd policy that deals with applications.&nbsp; It's quite the pain.&nbsp; </P></BODY></HTML> Thu, 17 Apr 2014 22:58:36 GMT jvalentine 2014-04-17T22:58:36Z https://live.paloaltonetworks.com/t5/general-topics/eval-question/m-p/26489#M19335 <HTML><HEAD></HEAD><BODY><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">Given a flow and properly written policy to allow Facebook and its myriad apps/widgets on port 80/443, other than the admin management overhead (i.e., having to open ports 80 and 443), how is what Palo Alto does different from what Checkpoint does?</SPAN></P><P></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">This question addresses the quote below (found on the link shown).</SPAN></P><P></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;"><A href="http://researchcenter.paloaltonetworks.com/2012/12/app-id-cache-pollution-response/" title="http://researchcenter.paloaltonetworks.com/2012/12/app-id-cache-pollution-response/">http://researchcenter.paloaltonetworks.com/2012/12/app-id-cache-pollution-response/</A></SPAN></P><P></P><UL><LI><STRONG style="background-position: no-repeat no-repeat;">Port 80 allow – open the floodgates.</STRONG> The always-on nature of port-based traffic classification, means old-guard firewalls will <EM style="background-position: no-repeat no-repeat;">first</EM> need to open the application default port controlling the application. To control Facebook, you need to allow tcp/80 and tcp/443. Based on the <EM style="background-position: no-repeat no-repeat;">June</EM> <EM style="background-position: no-repeat no-repeat;">2012 Application Usage and Risk Report,</EM> <STRONG>you may be allowing more than 500 (42%) <EM style="background-position: no-repeat no-repeat;">other</EM> applications that you may or may not want on the network. This means the strength of a default deny all policy is significantly weakened.</STRONG> If you are using Check Point, or any other port-based firewall, ask them if the above statement is true and how they recommend managing it.</LI></UL><P></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">In other words, if I allow ports 80/443 in my port policy and an application policy to allow Facebook apps only, I expect Checkpoint to be able to identify Facebook and non-Facebook traffic--then allow only the Facebook traffic and discard/block the rest.&nbsp; I expect Palo Alto to do the same--with the exception that the admin would not incur the management overhead of dealing with explicitly opening ports.&nbsp; Can someone elaborate on how Checkpoint (or any firewall that claims NG capabilities) opens "the floodgates."? </SPAN></P><P></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">Just looking for an objective/technical answer.</SPAN></P><P></P><P><SPAN style="font-size: 10pt; font-family: Arial, sans-serif;">thanks</SPAN></P></BODY></HTML> Thu, 17 Apr 2014 22:28:56 GMT https://live.paloaltonetworks.com/t5/general-topics/eval-question/m-p/26489#M19335 derasa 2014-04-17T22:28:56Z https://live.paloaltonetworks.com/t5/general-topics/eval-question/m-p/26490#M19336 <HTML><HEAD></HEAD><BODY><P>In the Checkpoint firewall, you'll create a port-based rule that permits outbound TCP/80, TCP/443 traffic.&nbsp; Then, you'll leave the firewall policy and go to the AppBlade and create a 2nd policy that deals with applications.&nbsp; It's quite the pain.&nbsp; </P></BODY></HTML> Thu, 17 Apr 2014 22:58:36 GMT https://live.paloaltonetworks.com/t5/general-topics/eval-question/m-p/26490#M19336 jvalentine 2014-04-17T22:58:36Z