topic Question about application group and custom service group in General Topics

Question about application group and custom service group

jmathew — Fri, 07 Oct 2016 21:33:12 GMT

Hi All,

First off I appologize if this question has been answered before.

I have a question regarding the use of application groups and custom service groups in the same security policy. Can traffic identified in the application group use a non standard port that is defined in the custom service group?

For example, Can traffic identified as kerberos in an application group use a non-standard port say 555 which is defined in the custom service group of the policy?

How would behaviour be different if I use application-default as the service in the policy which has application group? Can traffic identified as kerberos use the port UDP 123 since theres the app-id ntp in the same application group as kerberos?

Thanks in advance!

Re: Question about application group and custom service group

jmathew — Fri, 07 Oct 2016 21:54:09 GMT

I think I found the answer to this but want to confirm 🙂

by minow

another important thing to put in mind

1) if you choose application-default this will cause that only the identified application will be allowed on this port for example it you put ssh and web-browsing on the same rule, web-browsing wont be allowed on port 22 but if you will put on the service tab tcp-80 and tcp-22 both ssh and web-browsing will be allowed on both of the port

2) another thing is if you put a non tcp/udp application and you do specify a specific service this application wont be matched on that rule

Re: Question about application group and custom service group

reaper — Mon, 10 Oct 2016 08:30:20 GMT

indeed,application-default will enforce the default ports per application, so if you have a group of apps in a policy, they will not be able to use eachother's ports (ftp on port 80 will not work if app-default is enabled)