https://live.paloaltonetworks.com/t5/general-topics/adding-a-custom-application-ports-to-security-policy/m-p/44352#M32552 <HTML><HEAD></HEAD><BODY><P>Maybe my thought process is wrong so I am hoping somebody can set me straight. I have a few non-standard ports that need to be opened on the firewall. They don't belong to any application so I need to allow the ports. What I have done is created custom applications with basically just a name and the ports used (no signatures). I created an application override for these custom applications as well. I then added these custom applications to the security policy along with other known applications that need access.</P><P></P><P>Is this the best way to open a port on the Palo Altos?</P></BODY></HTML> Tue, 01 Oct 2013 23:05:24 GMT mario11584 2013-10-01T23:05:24Z https://live.paloaltonetworks.com/t5/general-topics/adding-a-custom-application-ports-to-security-policy/m-p/44352#M32552 <HTML><HEAD></HEAD><BODY><P>Maybe my thought process is wrong so I am hoping somebody can set me straight. I have a few non-standard ports that need to be opened on the firewall. They don't belong to any application so I need to allow the ports. What I have done is created custom applications with basically just a name and the ports used (no signatures). I created an application override for these custom applications as well. I then added these custom applications to the security policy along with other known applications that need access.</P><P></P><P>Is this the best way to open a port on the Palo Altos?</P></BODY></HTML> Tue, 01 Oct 2013 23:05:24 GMT https://live.paloaltonetworks.com/t5/general-topics/adding-a-custom-application-ports-to-security-policy/m-p/44352#M32552 mario11584 2013-10-01T23:05:24Z https://live.paloaltonetworks.com/t5/general-topics/adding-a-custom-application-ports-to-security-policy/m-p/44353#M32553 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>What you're doing will work, but you don't have to do an application override for this traffic. You can just configure a security policy, with application set to 'any' or 'custom-app' and define the service ports to allow this traffic through. By doing so you can also add security profiles to the traffic to enable inspection.</P><P></P><P>app-override will not perform any scanning on the traffic and this can cause threat especially if the traffic is to/from Internet.</P><P></P><P>Refer:</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-2344">Does application override adversely affect Threat ID?</A></P><P></P><P>Hope that helps,</P><P>Aditi</P></BODY></HTML> Mon, 07 Oct 2013 03:15:35 GMT https://live.paloaltonetworks.com/t5/general-topics/adding-a-custom-application-ports-to-security-policy/m-p/44353#M32553 apasupulati 2013-10-07T03:15:35Z https://live.paloaltonetworks.com/t5/general-topics/adding-a-custom-application-ports-to-security-policy/m-p/44354#M32554 <HTML><HEAD></HEAD><BODY><P>That's exactly the information I was looking for. Thanks so much for the help.</P></BODY></HTML> Mon, 07 Oct 2013 15:35:35 GMT https://live.paloaltonetworks.com/t5/general-topics/adding-a-custom-application-ports-to-security-policy/m-p/44354#M32554 mario11584 2013-10-07T15:35:35Z https://live.paloaltonetworks.com/t5/general-topics/adding-a-custom-application-ports-to-security-policy/m-p/44355#M32555 <HTML><HEAD></HEAD><BODY><P>Another quick question, I am wondering if I can have applications and service ports being used on the same policy? For example, if I use the web-browsing application and create and use a service using ports 60000-65000, will it allow http traffic as well as traffic on ports 60000-65000? Or should I create a policy that allows web-browsing then a separate rule for the service?</P></BODY></HTML> Wed, 20 Nov 2013 00:31:29 GMT https://live.paloaltonetworks.com/t5/general-topics/adding-a-custom-application-ports-to-security-policy/m-p/44355#M32555 mario11584 2013-11-20T00:31:29Z https://live.paloaltonetworks.com/t5/general-topics/adding-a-custom-application-ports-to-security-policy/m-p/44356#M32556 <HTML><HEAD></HEAD><BODY><P>Hello Mario,</P><P></P><P>If you include web-browsing in the application column and 60000-65000 in the service column, that security policy would only allow web-browsing traffic on ports 60000-65000. You would need a separate rule to allow web-browsing on its default port (80). </P><P></P><P>Best would be to include web-browsing in the application column and mention all the ports in the service column (standard and non-standard ).</P><P></P><P>Hope that helps!</P><P></P><P></P><P></P><P>Thanks and regards,</P><P>Kunal Adak</P></BODY></HTML> Thu, 21 Nov 2013 01:11:10 GMT https://live.paloaltonetworks.com/t5/general-topics/adding-a-custom-application-ports-to-security-policy/m-p/44356#M32556 kadak 2013-11-21T01:11:10Z https://live.paloaltonetworks.com/t5/general-topics/adding-a-custom-application-ports-to-security-policy/m-p/44357#M32557 <HTML><HEAD></HEAD><BODY><P>Thanks again for the help. I just went ahead and created a second rule with a service using the ports 60000-65000 right after the policy I mentioned previously using web-browsing. My thought is traffic for 60000-65000 won't match the previous policy but will match the very next one which contains these ports. Seems like it's working! Thanks again! <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Thu, 21 Nov 2013 16:37:17 GMT https://live.paloaltonetworks.com/t5/general-topics/adding-a-custom-application-ports-to-security-policy/m-p/44357#M32557 mario11584 2013-11-21T16:37:17Z