topic Re: 7.1 default behavior changes in General Topics

7.1 default behavior changes

jdprovine — Tue, 09 May 2017 20:10:49 GMT

So I was reading about OS 7.1 because I am planning on upgrading from 7.0.12 to 7.1 and found some information of the default behavior of app-id

Re: 7.1 default behavior changes

TranceforLife — Tue, 09 May 2017 20:28:25 GMT

Yep correct:

https://live.paloaltonetworks.com/t5/PAN-OS-7-1-Articles/PAN-OS-7-1-Policy-behavior-change-application-default/ta-p/75664

Re: 7.1 default behavior changes

jdprovine — Tue, 09 May 2017 20:47:40 GMT

So how is that any different that it used to be

Re: 7.1 default behavior changes

jdprovine — Tue, 09 May 2017 20:49:05 GMT

my other question is if it is a lot different is it going to break anything? How can I check to see what it may break

Re: 7.1 default behavior changes

TranceforLife — Tue, 09 May 2017 21:07:24 GMT

Hey,

This is from KB:

-----------------------------------------------------------------------------------------------------------------------------------------------------

In earlier PAN-OS release versions, the Service setting 'application-default' was not enforced when configured with the Application setting Any.

-----------------------------------------------------------------------------------------------------------------------------------------------------

So prior 7.1 if your policy has an application option configured as "any" all applications were permitted (even on none default ports).

After 7.1 if your policy has an application option configured as any and services "application-default", your all application will be permitted on standard (default) ports ONLY. Let's say if you are running a web server on port 8080, traffic will not match and most likely will be denied (al least l had this scenario :D).

Thx,

Myky

Re: 7.1 default behavior changes

jdprovine — Wed, 10 May 2017 13:09:06 GMT

I was operating under that thought that thats how it has always worked and I don't see it as a change. So are you saying application default was not really only the standard ports it was more like an any

Re: 7.1 default behavior changes

TranceforLife — Wed, 10 May 2017 13:57:35 GMT

Correct, before 7.1

before 7.1 application "any" = services "application-default" or "any" was the same thing and was allowing any app on any port

after 7.1 application "any" = services "application-default" allows app only on the default ports, if services "any" then on any port.

Re: 7.1 default behavior changes

jdprovine — Wed, 10 May 2017 14:00:37 GMT

so application-default was really an any?

Re: 7.1 default behavior changes

TranceforLife — Wed, 10 May 2017 14:03:18 GMT

Yes, correct before 7.1 services application-defaul=any BUT only if your policy has the application tab set to any.

Re: 7.1 default behavior changes

jdprovine — Wed, 10 May 2017 14:13:18 GMT

But if you have specific application named in your rule with application-default it goes my the specific applications and is not based on the services setting. So the change is only in regard to the services. I need to review my firewall and see how that will affect me when I upgrade

So what is going on in this rule for example

Re: 7.1 default behavior changes

TranceforLife — Wed, 10 May 2017 15:19:53 GMT

For your example, upgrade to the 7.1.X release will not take any effect. Look for this rules:

Re: 7.1 default behavior changes

jdprovine — Wed, 10 May 2017 15:30:39 GMT

So it will only apply to rules that have the service set to application-default

Re: 7.1 default behavior changes

Raido_Rattameister — Wed, 10 May 2017 20:01:22 GMT

Behaviour change affects you only if you have rule where application is "any" AND service is "application-default"

It does not affect if you have set application/application filter/application group or if you have manually set service to some port number.

Your example has no affect or change needed.