topic Re: Services in General Topics

Services

jdprovine — Mon, 24 Apr 2017 15:33:34 GMT

Is there anyway in the traffic monitor, or the ACC or any other logs to see what services are being hit? I can see applications but not specifically services though to can add specific services in the rules

Re: Services

BPry — Mon, 24 Apr 2017 16:07:06 GMT

Not that I'm aware. You could just modify the port information since that essentially will determine the service; but the PA being application base the end-goal would really be to app-id all traffic and create custom app-ids where needed.

Re: Services

Raido_Rattameister — Mon, 24 Apr 2017 16:19:16 GMT

By service you mean destination port?

If yes then just add this column into Monitor > Traffic view.

Re: Services

jdprovine — Mon, 24 Apr 2017 16:49:51 GMT

no I mean services, I have it set to show my port in my traffic monitor already, but I want to be sure what palo alto is defining as services since they give the option to add it in their rules I was surprised there was no option to filter by services

Re: Services

Raido_Rattameister — Mon, 24 Apr 2017 17:32:31 GMT

Service field under Policies > Security and is just destination port number.
If you want to filter traffic in Monitor > Traffic then just use filer.

For example filter below will show traffic towards port 443

( port.dst eq 443 )

Re: Services

TranceforLife — Mon, 24 Apr 2017 17:35:20 GMT

Services = port number (eg TCP port 80)

@Raido_Rattameister you were quicker :0

Re: Services

jdprovine — Mon, 24 Apr 2017 18:06:56 GMT

Okay

So if I have the application web-browsing or http are they alway port 80

or if I have https or ssl are they always port 443

I guess I am curious why it is interchangeable to either use the application or the the port

Re: Services

Raido_Rattameister — Mon, 24 Apr 2017 18:15:06 GMT

If you create policy to allow tcp/80 then this will allow any application that is capable of running over port 80 (even Skype).

If you allow application web-browsing and service application-default then web-browsing can run only on default port.

Now if you need to access website that runs on some random port then you need to create policy where application is web-browsing and service is destination port you need.

Good example is if you decrypt SSL.

In this case first you need to permit SSL on default port that is 443.

Now if Palo removes decryption then inside SSL there is web-browsing.

But on what port it runs on? 443

So you need dedicated rule to allow web-browsing on tcp/443 as 443 is not in default list of web-browsing application.

So service is just port number.

Application is Layer 7 application identified by the firewall.

Re: Services

jdprovine — Mon, 24 Apr 2017 18:31:42 GMT

Thats was a greate response Radio so what do you think is going on in this example that is from a reul on my firewall

Re: Services

BPry — Mon, 24 Apr 2017 18:40:25 GMT

@jdprovine

Under the applications tab under objects every application will list the 'standard' ports that the application will utilize. In the case of web-browsing then yes the only port allowed is tcp/80; SSL only lists tcp/443; SMTP will list tcp/25,587.

The application and port/service settings are not really 'interchangable', yes SMTP will function fine if I open tcp-25 but then anything else could also potentially use tcp-25.

A better example would be something like a large SQLenvironment where I have a large amount of non-standard ports open for the different database connections; in this case I will specify the application as mssql-db/mon depending on the connection and then specify a custom service for something like tcp-64280 or tcp-63180. Obviously I don't want every single application that could use these ports to actually be allowed, so as long as I have mssql specified I can rest realatively easy knowing that only the sql connections will actually be allowed. If you simply allow the service and specify 'application any' then you are missing the vast majority of the advantages that come with a Palo Alto firwall.

Re: Services

Raido_Rattameister — Mon, 24 Apr 2017 18:43:16 GMT

If you go to Objects > Services you can see that service-http includes ports 80 and 8080 by default and service-https includes port 443 by default.

With this rule you allow any application to run over those ports.

If you check Objects > Applications and search for 80 it shows 1435 and 443 it shows 1137 applications that Palo identifies and that uses this specific port.

All of them are allowed.

Re: Services

BPry — Mon, 24 Apr 2017 18:45:07 GMT

@jdprovine,

I'll generally have this rule included from my Trust to Untrust zones with an application deny rule in front of it. Any application that I specifically don't want to be allowed outside of my network will simply be placed in a deny rule above on that looks like this; as long as the traffic doesn't match the deny rule then it simply gets allowed through the network.

It's a simple way to allow anything but specifically denied traffic to the outside. Now if this wasn't from my trust to my untrust zones and this was allowing traffic to access devices located in my trust or dmz zones then it would be an issue.

Re: Services

BPry — Mon, 24 Apr 2017 18:46:31 GMT

@Raido_Rattameister,

You're either just really quick today or I need to stop trying to drink this coffee while replying to posts 😉

Re: Services

jdprovine — Mon, 24 Apr 2017 18:50:24 GMT

So in the example I sent you, that rule is allowing every application that can use http and https not just web browsing and ssl. I did not create this rule so I guess I need to figure out why they chose to do http and https instead of the web-browsing and ssl applications

Re: Services

jdprovine — Mon, 24 Apr 2017 18:52:11 GMT

Great information of all of you even though Raido seems to be posting faster than Bpry LOL

Re: Services

BPry — Mon, 24 Apr 2017 18:57:15 GMT

@jdprovine,

If you build out the same rule but specify the applicaiton field as [ ssl web-browsing ] then any application that gets identified further would be denied, which is generally why someone would put in this type of rule.

For example even when you have ssl-decryption disabled applications such as twitter-base, pinterest-base, facebook-base, google-base, and all of that are going to be denied. Once the firewall identifies the application then you would need to have a rule that either specifies the service/port that the application is using with 'any' app allowed or you would need to include said application in a security policy that actually allows the traffic.

Re: Services

jdprovine — Mon, 24 Apr 2017 19:00:51 GMT

BPry I could try to identify the applications,through the ACC, and create another rule above the rule with the any -applications and services http,https and see if I can create a stricter rule and the eliminate the less strict rule

Re: Services

Raido_Rattameister — Mon, 24 Apr 2017 19:05:23 GMT

Forget http and https.

This has nothing to do with application but it is just how default built-in service object is called in firewall.

And Service is just port - nothing to do with Layer 7 application.

So if you permit Service called service-http then you permit tcp/80 and tcp/8080 and if you permit Service called service-https then you permit tcp/443.

Re: Services

jdprovine — Mon, 24 Apr 2017 19:14:09 GMT

so create a similar rule with out the services and only add the applications that it is using as seen in the ACC

Re: Services

Raido_Rattameister — Mon, 24 Apr 2017 19:25:59 GMT

So lets assume you have only 1 security policy that permits only web-browsing application and Service is application-default.

This permits web-browsing on tcp 80.

You open web browser and try to browse web.
Client computer will send TCP SYN.
Firewall will check if this SYN goes on port 80 (that is only port that traffic is permitted out). If not then it is blocked and application is logged as not-applicable (firewall never got to application identification as it is already dropped by not using correct port).
If SYN came on port 80 then it is permitted through.
Server will reply with SYN ACK.
Client will send ACK and complete TCP 3way handshake.
Client will then send HTTP GET (but we don't trust client to identify application).
Server will send back website. Palo will identify if traffic is web-browsing based on what comes back. So in case of HTTP first 4 packet go through firewall without actually knowing application and just relying on Service tcp/80.
If after that firewall identifies it is not web-browsing then session is blocked and application that firewall identified is marked in session log.

You can create top rule to allow web-browsing and Service application-default.

And below that fallback rule to allow any application with Service service-http (or create your custom tcp-80 service).
And then you can run report to see what traffic matched against second rule.