topic Blocking Application Filters in General Topics https://live.paloaltonetworks.com/t5/general-topics/blocking-application-filters/m-p/4031#M2978 <HTML><HEAD></HEAD><BODY><P>I've browsed through these forums regarding the best way to block applications.&nbsp; I've saw the posts of folks blocking applications by app filter. </P><P></P><P>I have AD integrated AD groups.&nbsp; These groups tie to individual Palo Alto security rules that allow any port any service as the destination, and then use group profiles to block specific categories.</P><P></P><P>I am in the process of creating a rule above most of these AD LDAP group rules that contains all my blocked applications filters.&nbsp;&nbsp; Since I'm allowing any destination port, not just 80 and 443, I'm not sure what exactly I should block by app-ID.&nbsp; I'm thinking of creating individual application filters based on the subcategories I want to block, such as voip-video, storage-backup, proxy, encrypted-tunnel, e-mail...&nbsp;&nbsp; And putting all these application filters in this block rule.&nbsp;&nbsp; I do understand that I run the risk of a new app-ID blocking things I did not want blocked.</P><P></P><P>I'm curious what others are doing.&nbsp; There are over 1500 app-IDs.&nbsp; Are you creating a application group and adding the 1000 you want blocked, or using filters?&nbsp;&nbsp; I'm interested in alternate approaches to this.</P><P></P><P>Thanks!</P></BODY></HTML> Thu, 09 Aug 2012 22:44:59 GMT EdwinD 2012-08-09T22:44:59Z Blocking Application Filters https://live.paloaltonetworks.com/t5/general-topics/blocking-application-filters/m-p/4031#M2978 <HTML><HEAD></HEAD><BODY><P>I've browsed through these forums regarding the best way to block applications.&nbsp; I've saw the posts of folks blocking applications by app filter. </P><P></P><P>I have AD integrated AD groups.&nbsp; These groups tie to individual Palo Alto security rules that allow any port any service as the destination, and then use group profiles to block specific categories.</P><P></P><P>I am in the process of creating a rule above most of these AD LDAP group rules that contains all my blocked applications filters.&nbsp;&nbsp; Since I'm allowing any destination port, not just 80 and 443, I'm not sure what exactly I should block by app-ID.&nbsp; I'm thinking of creating individual application filters based on the subcategories I want to block, such as voip-video, storage-backup, proxy, encrypted-tunnel, e-mail...&nbsp;&nbsp; And putting all these application filters in this block rule.&nbsp;&nbsp; I do understand that I run the risk of a new app-ID blocking things I did not want blocked.</P><P></P><P>I'm curious what others are doing.&nbsp; There are over 1500 app-IDs.&nbsp; Are you creating a application group and adding the 1000 you want blocked, or using filters?&nbsp;&nbsp; I'm interested in alternate approaches to this.</P><P></P><P>Thanks!</P></BODY></HTML> Thu, 09 Aug 2012 22:44:59 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-application-filters/m-p/4031#M2978 EdwinD 2012-08-09T22:44:59Z Re: Blocking Application Filters https://live.paloaltonetworks.com/t5/general-topics/blocking-application-filters/m-p/4032#M2979 <HTML><HEAD></HEAD><BODY><P>Appfilters is to create a custom "group" based on category, subcategory, risk or some other column.</P><P></P><P>When you setup an application group you add each appid you want into this group.</P><P></P><P>Also note that a flow can (today) only have a single appid.</P><P></P><P>Which gives that if you have security policies to allow traffic you will only need a "deny+log" as last rule to keep this tidy.</P><P></P><P>You could however use appfilter in combination with appgroup.</P><P></P><P>Such as:</P><P></P><P>rule1) Deny appgroup(youtube)</P><P></P><P>rule2) Allow appfilter(category:video)</P><P></P><P>this would allow all flows identified as "video" except youtube (which is part of video).</P><P></P><P>Generally speaking when denying traffic the policy should be as broad as possible while allow traffic the policy should be as narrow as possible.</P><P></P><P>As a sidenote I would recommend you to avoid using "service:any" but rather "service:default-application" to not open up more ports than necessary. Because appid detection might in some situations take a few packets before the flow is properly identified.</P></BODY></HTML> Mon, 20 Aug 2012 23:12:39 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-application-filters/m-p/4032#M2979 mikand 2012-08-20T23:12:39Z