topic Re: Custom Application v default-Application in General Topics

Custom Application v default-Application

Light-Regions — Tue, 05 Sep 2017 14:37:20 GMT

Hi,

Am planning to replace the services in my environment with custom applications. My question is this?

(1) - Must I use application override to use custom application?

(2)- While using custom application, can I use default-application on the Service Column? Or should this column be set to Any since the default app is not in use

Thanks

Re: Custom Application v default-Application

TranceforLife — Tue, 05 Sep 2017 14:55:26 GMT

Hi,

A lot of a good article here as well as video training on youtube, but short answer on your questions below:

(1) - Must I use application override to use custom application? - No, not necessarily if your application will be identified by signature and parameters you specify.

(2)- While using custom application, can I use default-application on the Service Column? Or should this column be set to Any since the default app is not in use - "any" in service column means your app will be allowed on any port (PAN-OS 7.1.x and above), if "application-default" then your app is allowed only on standard/predefined ports.

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Custom-applications-and-app-override/ta-p/71635

Re: Custom Application v default-Application

Light-Regions — Tue, 05 Sep 2017 15:04:25 GMT

Thanks a lot TranceforLife,

That was a quick turn around. I know that application-default is for standard/predefined ports?

What do I set that service column when using my custom applications?

Regards

Syl

Re: Custom Application v default-Application

TranceforLife — Tue, 05 Sep 2017 15:09:41 GMT

If your custom app will have a port number, then it is your choice. As I said earlier "any" will allow your custom app on any port (not recommended), "application-default" will allow your app only on the defined in custom app port number or range.

https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-What-Does-Application-default-Under-Service-Mean/ta-p/54167

What do they mean?

Any - This simply means all ports: 1-65535, TCP or UDP. The selected applications are allowed or denied on any protocol or port.
Select - This means that you will have to specify exactly what TCP or UDP port that the application you want to allow or block is going to use. Choose an existing service or choose Service or Service Group to specify a new entry.
Application-Default - Choosing this means that the selected applications are allowed or denied only on their default ports defined by Palo Alto Networks. This option is recommended for allow policies because it prevents applications from running on unusual ports and protocols, which if not intentional, can be a sign of undesired application behavior and usage.

Re: Custom Application v default-Application

kiwi — Tue, 05 Sep 2017 15:26:37 GMT

Hi @Light-Regions,

It is recommended to use custom applications when creating app-overrides.

You don't need to use app-override on all your custom applications (unless you don't want layer-7 inspection).

By adding the port numbers for a custom application, you can create policy rules that use the application defaults rather than opening up additional ports on the firewall. This improves your security posture.

This getting started guide on custom applications and application override will probably help you :

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Custom-applications-and-app-override/ta-p/71635

Cheers !

-Kiwi.

Re: Custom Application v default-Application

Light-Regions — Wed, 06 Sep 2017 07:11:10 GMT

Thanks very Much Kiwi,

That is a very clear answer with clear direction on what to do.

Much appreciated.

Re: Custom Application v default-Application

Light-Regions — Wed, 06 Sep 2017 07:13:23 GMT

Thank you TranceforLife,

I now understand it a lot clearer.

Very many thanks indeed!

Re: Custom Application v default-Application

ccfalkner — Tue, 02 Jun 2020 19:12:37 GMT

Re: Custom Application v default-Application

ccfalkner — Tue, 02 Jun 2020 19:19:50 GMT

To keep the security policy list clean, it would be great if I could create a custom application and just change/add my own default ports. This way I can just re-use the application anywhere, inside of perhaps one security policy with all applications for the zone. I want full analysis of the packet, so application-override isn't appealing. Once you start adding services, you either have to have an additional policy just for your app/custom service ports, or have to research all application-default ports for all applications you add to the policy, which is tedious and less secure. Even with service groups, the complication creeps up with duplication of the policy to other areas.

I haven't done a deep dive on this since PanOs 7.x, but still in 9.1, I can create an application and leave the custom signature blank without an error, but my new custom application still doesn't get any hits. Let's just say I want to use web-browsing with ports 8070, 8080 and 8090 for any similar web server throughout my enterprise. Is it possible to create a custom application for this, or any application? If not, I wish they would add that feature. Seems so logical and clean.