https://live.paloaltonetworks.com/t5/general-topics/best-practices-for-security-policies-with-app-default-and-custom/m-p/206765#M60655 <P>Hello,</P><P>While I do not have custom applications that I created. The solution I use is to build the policy with all the ports the application will need</P><P>&nbsp;</P><P>Here is an example of a policy I have with standard rules and non-standard ports:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 206px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14370iD8C2C4192F949388/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P>&nbsp;</P><P>This way the firewall has to see those applications, ssl or web-browsing, over the specified ports listed. Wile this might not answer your question, I hope to give another way of doing it suggestion.</P><P>&nbsp;</P><P>Cheers!</P> Wed, 21 Mar 2018 21:12:51 GMT OtakarKlier 2018-03-21T21:12:51Z https://live.paloaltonetworks.com/t5/general-topics/best-practices-for-security-policies-with-app-default-and-custom/m-p/206719#M60651 <P>Hello,</P><P>&nbsp;</P><P>I have been tasked with converting some legacy security rules from app=any, service=custom object to app=app-ID and service=application-default. However, some of our apps use custom ports over known applications, so straight conversion is not possible.&nbsp;</P><P>&nbsp;</P><P>For example. I have a basic rule to allow inbound applications web-browsing (tcp/80) and ssl (tcp/443) to one of our web servers using application-default for the service. This web server also supports HTTP over 8080, and HTTPS over 8443. Instead of creating one rule for the apps/application default, and another rule below it for the apps/custom service objects, I would prefer creating a single application default rule that incompases HTTP over both 80 and 8080, and SSL over 443 and 8443 in order to keep the firewall rules clean.&nbsp;<BR /><BR />To do this, I have created two custom applications objects, web-browsing-8080 using the web-browsing as the parent app over port 8080, and app object ssl-8443 using ssl as the parent app over port 8443. I do not have signatures defined for either custom apps, and we are not decrypting inbound SSL. Understandibly these custom apps are not recognized by the firewalls&nbsp;that otherwise matches web-browsing over 8080 and SSL over 8443. I am new to custom App-IDs so it's likely I'm approaching this wrong.</P><P>&nbsp;</P><P>What are the&nbsp;best practices regarding configuring applicaiton rules for both application-default and custom services objects? Is it recommended to create two rules, one with app-default and the second with the app and custom required ports, or is it better to create a single rule using custom app-IDs to enforce application-default?</P><P>&nbsp;</P><P>Thanks for your time!</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 21 Mar 2018 17:00:41 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practices-for-security-policies-with-app-default-and-custom/m-p/206719#M60651 cenduit_jgolden 2018-03-21T17:00:41Z https://live.paloaltonetworks.com/t5/general-topics/best-practices-for-security-policies-with-app-default-and-custom/m-p/206765#M60655 <P>Hello,</P><P>While I do not have custom applications that I created. The solution I use is to build the policy with all the ports the application will need</P><P>&nbsp;</P><P>Here is an example of a policy I have with standard rules and non-standard ports:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 206px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14370iD8C2C4192F949388/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P>&nbsp;</P><P>This way the firewall has to see those applications, ssl or web-browsing, over the specified ports listed. Wile this might not answer your question, I hope to give another way of doing it suggestion.</P><P>&nbsp;</P><P>Cheers!</P> Wed, 21 Mar 2018 21:12:51 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practices-for-security-policies-with-app-default-and-custom/m-p/206765#M60655 OtakarKlier 2018-03-21T21:12:51Z https://live.paloaltonetworks.com/t5/general-topics/best-practices-for-security-policies-with-app-default-and-custom/m-p/206855#M60671 <P>I think <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>s solution makes the most sense, unless you have more specific custom apps: ones you can identify by their behavior, like a recurring header or payload string you can match in a signature</P> <P>&nbsp;</P> <P>if you need lots of these, I'd recommend grouping them in security rules by 'technology' so there's no unexpected port creep (sql over port 80)</P> Thu, 22 Mar 2018 11:01:26 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practices-for-security-policies-with-app-default-and-custom/m-p/206855#M60671 reaper 2018-03-22T11:01:26Z https://live.paloaltonetworks.com/t5/general-topics/best-practices-for-security-policies-with-app-default-and-custom/m-p/206927#M60698 <P>Thanks for the feedback Otakar.Klier! I appreciate it! I will discuss this&nbsp;method with my team and update the post if required.</P><P>&nbsp;</P><P>-j</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 22 Mar 2018 15:58:17 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practices-for-security-policies-with-app-default-and-custom/m-p/206927#M60698 cenduit_jgolden 2018-03-22T15:58:17Z