topic Using application-default with application override in General Topics

Using application-default with application override

nthen — Tue, 28 May 2013 21:26:20 GMT

According to product help for application-default: The selected applications are allowed or denied only on their default ports defined by Palo Alto Networks. This option is recommended for allow policies because it prevents applications from running on unusual ports and protocols, which if not intentional, can be a sign of undesired application behavior and usage. Note that when you use this option, the device still checks for all applications on all ports, but with this configuration, applications are only allowed on their default ports/protocols.

When I use an application override rule, can I still use application-default or do I need to use ANY?

Re: Using application-default with application override

kfindlen — Tue, 28 May 2013 21:32:31 GMT

When you create a custom application you can also specify the default ports that the application will use. When you create or modify a custom application navigate to the Advanced tab and under the Defaults section you can define the default port definitions.

When the security policy is defined with the custom application, and service is set to application-default, the firewall will use the application's defined default ports.

Hope this helps.

Re: Using application-default with application override

UhMayYeah — Tue, 28 May 2013 21:35:51 GMT

With Application Override,firewall would be bypassing Signature based application Identification.

If the Custom-App defined includes the default ports used by the application,you should be able to use app-default.

I would suggest using any as the traffic is already being allowed based on ports.

ref : https://live.paloaltonetworks.com/docs/DOC-1071

-Ameya

Re: Using application-default with application override

mbutt — Tue, 28 May 2013 21:36:18 GMT

Hi,

When you are using application override you are create a customer app with a port number defined in it.

Moreover you also create an services and select that particular service in that application.

Since when app override is created it does not pass through firewalls app engine i think it would be best to either user any or define the service.

Hope this helps

Thank you

Re: Using application-default with application override

nthen — Wed, 29 May 2013 13:34:11 GMT

These posts are helpful. I'll go into a bit more detail to see how others would go about it. We use EDI to send information to and from our mainframe with vendors. The EDI uses the AS2 application with Palo Alto detects. However our port is not in the list of default ports for the application. The default ports for this app are 80,443,4080,5443. We use TCP 5060. I was first thinking an application override policy and give a different port to the app, but based on the comments above that may not be such a good idea. I can see using ANY as the service, but that could potentially open other ports. In this case would it be better to use something like:

For traffic coming from outside to inside to my EDI server, set the application to AS2. Since my port is 5060 do not use ANY but create a custom service for 5060. This way I am only allow AS2 on 5060 and nothing more?

Would this be a better option?

Re: Using application-default with application override

jvalentine — Wed, 29 May 2013 14:16:04 GMT

Generally speaking, "Application Override" is a tool you can use to override what application the firewall detects. In your case here, the firewall is already detecting the application properly as AS2, so you don't need to use an Application Override. Keep in mind that all of Palo Alto's "AppIDs" are running on all ports at all times - so it has the ability to detect the AS2 application even on port 5060.

However, if you create a rule that says "permit outbound AS2 on application-default", that won't work because you're running this application on a non-standard port. Your suggestion of creating a security policy rule that permits application AS2 on a custom service port (5060) are correct. That would achieve what you're looking for - allowing AS2 on port 5060 and nothing more.

Re: Using application-default with application override

nthen — Wed, 29 May 2013 14:19:27 GMT

Perfect! This is a big help. Thanks for your input!