https://live.paloaltonetworks.com/t5/general-topics/service-port-to-application-help/m-p/120732#M45969 <P>You are the man ! So If I understand correctly, the "specific application - rule", I need to put above the "any application - rule" and see if&nbsp;<SPAN>"any application - rule" still getting hit? If not then I can delete this. Right?</SPAN></P> Mon, 24 Oct 2016 10:12:54 GMT ghostrider 2016-10-24T10:12:54Z https://live.paloaltonetworks.com/t5/general-topics/service-port-to-application-help/m-p/120579#M45948 <P>Hello Experts</P><P>&nbsp;</P><P>We migrated Juniper netscreen firewall to PA. I am just struggling to make application based policies. User just send the ports to make security policies. Like:</P><P>&nbsp;</P><P>1- Allow port tcp 1549 on mysql db</P><P>2- Allow https://ebs:8000</P><P>&nbsp;</P><P>How I can handle this to put application only?</P><P>&nbsp;</P><P>Kindly help me with best practice with PA</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>GR</P> Sat, 22 Oct 2016 21:17:16 GMT https://live.paloaltonetworks.com/t5/general-topics/service-port-to-application-help/m-p/120579#M45948 ghostrider 2016-10-22T21:17:16Z https://live.paloaltonetworks.com/t5/general-topics/service-port-to-application-help/m-p/120611#M45954 <P>Just create a policy with application and service as those specific port (application any, service tcp1549), run it for few hours|days|weeks and review the traffic log to check what application(s) are getting identify. &nbsp; Once you are comfortable, create another rule with those application(s) identify and service port (for example, application mysql, service tcp 1549 {since mysql default port is tcp 3306}) and place the newly created specific application rule on the existing application any, service specific port rule. &nbsp; Check again if the newly created rule missed any application and repeat the process until you are comfortable, and disable the service only rule.</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 22 Oct 2016 23:56:44 GMT https://live.paloaltonetworks.com/t5/general-topics/service-port-to-application-help/m-p/120611#M45954 nextgenhappines 2016-10-22T23:56:44Z https://live.paloaltonetworks.com/t5/general-topics/service-port-to-application-help/m-p/120732#M45969 <P>You are the man ! So If I understand correctly, the "specific application - rule", I need to put above the "any application - rule" and see if&nbsp;<SPAN>"any application - rule" still getting hit? If not then I can delete this. Right?</SPAN></P> Mon, 24 Oct 2016 10:12:54 GMT https://live.paloaltonetworks.com/t5/general-topics/service-port-to-application-help/m-p/120732#M45969 ghostrider 2016-10-24T10:12:54Z https://live.paloaltonetworks.com/t5/general-topics/service-port-to-application-help/m-p/121164#M46023 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42397">@ghostrider</a> &nbsp; That is correct. &nbsp;Hope this helps..</P> Tue, 25 Oct 2016 14:18:52 GMT https://live.paloaltonetworks.com/t5/general-topics/service-port-to-application-help/m-p/121164#M46023 nextgenhappines 2016-10-25T14:18:52Z https://live.paloaltonetworks.com/t5/general-topics/service-port-to-application-help/m-p/121513#M46054 <P>thank you</P> Wed, 26 Oct 2016 16:19:30 GMT https://live.paloaltonetworks.com/t5/general-topics/service-port-to-application-help/m-p/121513#M46054 ghostrider 2016-10-26T16:19:30Z