topic Re: Hardening the security rule for service ports in General Topics

Hardening the security rule for service ports

ghostrider — Sun, 06 Nov 2016 16:00:25 GMT

Hello Experts

In my firewall configuration, many security rules have specific application but service ANY. I would like to harden service part as well. Once I veiw the logs for particular security rule to check service ports, there are many pages, I have to manually go. Is there any way I can generate the report for that particular security rule for service ports OR there is any script I can run against paritcular security rule to pull all the service ports (destination ports) from logs?

Appreciated your reply

Re: Hardening the security rule for service ports

reaper — Mon, 07 Nov 2016 09:35:39 GMT

you could try a custom report like below, then verify where applications are using 'abnormal' ports (because for those applications you will need to build custom service ports) and set all the rules where the applications use their default ports to service 'application default'

here's a little video on security policy optimization

Tom

Re: Hardening the security rule for service ports

ghostrider — Mon, 07 Nov 2016 12:01:37 GMT

@reaper you are man ! Can I use PAN-Configrator to get the same result? I mean run against each rule and gets the ports from logs?

Re: Hardening the security rule for service ports

ghostrider — Tue, 08 Nov 2016 09:47:12 GMT

@reaper I would highly appreciate if you could recommend to convert SERVICE any to specific ports, how many days traffic logs are recommended? same for APPLICAITON any to specific application

Re: Hardening the security rule for service ports

reaper — Tue, 08 Nov 2016 10:13:05 GMT

Hi @ghostrider

that's a tricky question 😉

It would depend on how well you know your environment and how likely it is you encounter applications on 'weird' ports

If your organization is running mostly 'the usual' mix of applications, it would be safe to assume 99.9% of all 'good' applications run on their default port, and a month's worth of log for due diligence would suffice. if your environment is highly dynamic and a lot of custom services/servers/applications are used, you may want to invest more time and go back 6 months to make sure you cover all your bases

depending on the complexity of your firewall, you can use 'double' security policies: rule 1 has applications and service set to application-default, rule 2 is the original policy and has any app, any port: anything that hits rule 2 and is ok can be added to rule 1

this will only work in a not-too-complex deployment however 😉

Re: Hardening the security rule for service ports

ghostrider — Tue, 08 Nov 2016 20:05:24 GMT

@reaper Thanks 🙂 I run the report using for all rules having service any in qualifier and show the ports and applicaiton with rule name in filter but when I run the report, its just processing like became crazy 🙂 Is there any script I can run for this purpose?

Re: Hardening the security rule for service ports

ghostrider — Wed, 09 Nov 2016 12:08:29 GMT

@reaper The solution you gave, how I can run the report agains security rules who have SERVICE ANY?

Re: Hardening the security rule for service ports

reaper — Wed, 09 Nov 2016 13:01:48 GMT

ehm, i guess you could use the query builder to limit the report to certain rules only, but there is no operator for 'service = any'