topic Re: Security Policy question setting application and services in General Topics

Security Policy question setting application and services

AdamCoombs — Fri, 18 Nov 2016 19:15:42 GMT

Hello, in the security policy that is setup. Is it best to set the application and services the same?

So this will help keep that security policy safe from outside device try to see what other application can be use on that security policy.

example would be a nmap script using get commands with additionals handshakes in the script, so the logging would look like

zone untrust zone trust source 1.1.1.1 dest 2.2.2.2 port 80 application is portmapper action is allow

you set the security policy to allow untrust zone to trust zone with application any services 80 and 443.

could this be use as a DOS attack if the application is not set the same as services is?

Re: Security Policy question setting application and services

TranceforLife — Sat, 19 Nov 2016 09:51:08 GMT

Very good video tutorial:

https://live.paloaltonetworks.com/t5/Featured-Articles/Configuring-Your-Security-Policy/ta-p/78659

APP-ID should recognise application even if it is running on the standard ports or pretend to be another application. It checks for signature etc., not just port numbers.

I do not advise you to allow anything initiated from the Untrust (Internet) zone > Trust zone (unless you want your internal server to be accessible from the Internet)

Re: Security Policy question setting application and services

AdamCoombs — Mon, 28 Nov 2016 19:22:25 GMT

Sorry for the late reply on this.

I did watch this video before posting a question, I did see it is a good idea to make sure set application.

Can not setting Application be used a DOS attack, will it make the processors work harder to determined what application it is?

If so could that lead to breaking Palo Alto device?

Re: Security Policy question setting application and services

BPry — Mon, 28 Nov 2016 20:31:22 GMT

The application inspection is actually one of the leading reasons that people buy a Palo Alto product, and while it does but an increase load under the processor it is something that they are designed to allow. Further, the Palo Alto can actually be better at mitegratting a DoS attack when setup properly because it can drop packets for applications that you do not have publically available.

If you are worried about a DoS attack I would recommend that you setup DoS Profiles and Zone Protection profiles on your untrust interface; both of these will allow you to not only be alerted when you have a potential DoS attempt, but will automatically start to drop packets if your set limits are exceeded.

To point out as well, the PA firewall will actually stop doing application inspection if your processor reaches a certain percentage on new requests. This feature is to allow the firewall to continue to pass traffic and not 'lock up' because it's busy decrypting and analyzing the applicaiton.