topic Re: Application vs Services in General Topics

Application vs Services

NetworkGeek — Sat, 11 Mar 2017 14:17:47 GMT

Hi All,

I have probolem with dealing with security policy ..

i need to allow telnet to specific ports range (2001 - 2005) but by defining them at services field it is working fine but i cant use ping or any other applications even my application foedl is (ANY) , so wondering what is difference between both of them and what i do if want to enable ping and telnet tp sepcific ports at same time ..

Re: Application vs Services

TranceforLife — Sat, 11 Mar 2017 15:55:37 GMT

Hi,

Did you add "ping" and "ICMP" application within the same policy as telnet? Not sure but ping is not using any ports so maybe your policy is not matching because of this. Create a test policy purely for "ping" and "ICMP" applications with services as "any" and test

Re: Application vs Services

NetworkGeek — Sat, 11 Mar 2017 16:58:49 GMT

Yes i can ping when use "Ping" at application field with "Any" at services .. But this is not what i want as i need to enable both ping and telnet to sepcific ports

so how can i combine between services and application at one policy ..

Re: Application vs Services

NetworkGeek — Sat, 11 Mar 2017 17:14:10 GMT

Let me give you other example ..

Web server IP 20.1.1.2 can be accessed through port 8020 , so i added it on service field and it is working fine

but what if i need to ping server as well ? so when i added ping to application , it is failed for both web browsing and ping

Re: Application vs Services

TranceforLife — Sat, 11 Mar 2017 18:01:08 GMT

What PAN-OS are you on? The weird thing when you are adding an additional application to the policy web browsing fails :0 You sure you accessing the web-browser on custom port when it is fails?

Re: Application vs Services

NetworkGeek — Sat, 11 Mar 2017 17:27:32 GMT

I`m suing version 6 and tried on version 7 as well

after second test , it is working now but no Ping !!

Application field : ICMP,PING ,WEB-BROWSING

Services field: Port 8020

so now i can access web server on 8020 only but i can`t ping it

Re: Application vs Services

TranceforLife — Sat, 11 Mar 2017 18:05:33 GMT

As l said earlier ping doesn't use any port, but your policy has criteria on service to match specific port. My guess ping is not matching your policy.

Re: Application vs Services

NetworkGeek — Sat, 11 Mar 2017 18:07:49 GMT

Ok , is ther any workaround for this ?

Re: Application vs Services

TranceforLife — Sun, 12 Mar 2017 11:51:46 GMT

As per my previous comment add same rule for ping but with "any" as a service and put it above already existing rule for web-browsing or use service "any" in the already existing rule (less secure but your web server will only accept connection on the port you specified anyway).

Re: Application vs Services

NetworkGeek — Sun, 12 Mar 2017 05:44:41 GMT

I guess it will not provide any security , but still option

Thank you

Re: Application vs Services

TranceforLife — Sun, 12 Mar 2017 11:59:19 GMT

Hi,

It will provide still based on your others criterias but not based on the destination port.

Re: Application vs Services

NetworkGeek — Sun, 12 Mar 2017 13:54:07 GMT

Yes exactly , totally right

Thank you 🙂

Re: Application vs Services

reaper — Mon, 13 Mar 2017 09:17:16 GMT

the application and service fields are mutually inclusive (like an AND operation)

if you have

apps web-browsing, telnet , ping

service 8020

this means the applications must match web-browsing or telnet or ping AND their destination port must be 8020.

so if you add ping in a policy with a service set to a specific port, ping will fail as it can not match the destination port. any application not matching the destination port of 8020 will also fail

you'll need to create separate policies so ping can be set to application-default (because, if ping does match a port, something is terribly wrong)