topic Re: What's the best way to permit app on non-standard port? in General Topics

What's the best way to permit app on non-standard port?

DaveNoonan — Thu, 26 May 2016 18:41:48 GMT

For instance, web browsing on port 8080. I don't want to just set the service as I also want to use port 80 and there are other apps in the rule and I'd like to use app-default as the service.

I defined a custom app with web-browsing as the parent and the port as tcp/8080. That worked until I upgraded to 7.1.2 and then it broke. I'm aware that 7.1 changed the behavior when the App = Any and the Svc = App-Default, but for my custom app, brilliantly named "web-browsing_8080", the default port is 8080, so why it no work?

BTW, in my mind this could be as simple as cloning the default web-browsing app and changing the port number but for unknown reasons that isn't allowed.

-- Thank you

Re: What's the best way to permit app on non-standard port?

reaper — Fri, 27 May 2016 08:14:43 GMT

Hi Dave

Is this proxy traffic or regular web-browsing on http ?

If it's proxy sessions (web-browsing directed at a proxy server), there's an app for that! Add http-proxy to your policy and you're good to go

If it's regular web-browsing on a different port, create a custom application with the desired attributes and set the parent app to web-browsing

Re: What's the best way to permit app on non-standard port?

DaveNoonan — Fri, 27 May 2016 12:23:28 GMT

Yeah, that's what I did and it worked until I updated to 7.1.

Adding a little more info the rule has an app group and that app group includes both web-browsing and my custom app (web-browsing_8080) and the service was set to app-default. That worked until the upgrade at which point I had to change the service to ANY as a quick fix.

Re: What's the best way to permit app on non-standard port?

reaper — Mon, 30 May 2016 09:13:23 GMT

in 7.1 the default behavior of 'application-default' has changed : PAN-OS 7.1 Policy behavior change application-default

so that it now enforces default ports for 'implied' applications (so 'any' app with app-default will allow all apps but only on their default ports)

did you make sure to define tcp/8080 as the default port for your custom application ?

you may wanna reach out to support to make sure there isn't an issue with this deployment

Re: What's the best way to permit app on non-standard port?

DaveNoonan — Thu, 02 Jun 2016 17:52:06 GMT

In the custom app definition under the Advanced tab it's set to port and tcp/8080. If there's another place to define the port I don't know about it.

I've opened a support ticket, then promptly took some time off so haven't talked to them yet. Hopefully tomorrow.