https://live.paloaltonetworks.com/t5/general-topics/risky-ports/m-p/216256#M62652 <P>in the new age of Next Generation firewalls, ports do not matter as much as they used to</P> <P>&nbsp;</P> <P>today a lot more protocols and applications use port 80 and 443 where older, more traditional, protocols would use their own port</P> <P>&nbsp;</P> <P>App-ID will assist tremendously in identifying exactly what is traversing the firewall, versus simply monitoring the ports</P> <P>each application comes with "application default" ports which will also help to close off 'unusual' ports</P> <P>&nbsp;</P> <P>So if you create, for example, a rule that allows web-browsing, ssl and DNS and set the service ports to 'application default', only ports 80,443 and 53 will be 'open' for this rule</P> <P>&nbsp;</P> <P>'threat' wise, ports 80 and 443 pose far more risks than any other ports combined, so leveraging App-ID with content scanning and threat protection would be a more secure route than relying on just ports</P> Fri, 01 Jun 2018 12:18:10 GMT reaper 2018-06-01T12:18:10Z https://live.paloaltonetworks.com/t5/general-topics/risky-ports/m-p/216244#M62649 <P>What are the risky ports we should not allow from user zone (internal network) to external network (internet / external network)? Like we don't&nbsp;allow 21/23 etc, please suggest other ports too.....</P> Fri, 01 Jun 2018 10:44:23 GMT https://live.paloaltonetworks.com/t5/general-topics/risky-ports/m-p/216244#M62649 SumitB 2018-06-01T10:44:23Z https://live.paloaltonetworks.com/t5/general-topics/risky-ports/m-p/216252#M62650 <P>Go the other way, only allow 80, 443 and maybe few others on explicit requests. And implement app policy.</P> Fri, 01 Jun 2018 11:09:08 GMT https://live.paloaltonetworks.com/t5/general-topics/risky-ports/m-p/216252#M62650 santonic 2018-06-01T11:09:08Z https://live.paloaltonetworks.com/t5/general-topics/risky-ports/m-p/216253#M62651 <P>I think 80 is also should not be allowed, we used to allow http/https app id instead of ports but what are the most critical ports we should allow anyhow like 21/23.</P> Fri, 01 Jun 2018 11:13:35 GMT https://live.paloaltonetworks.com/t5/general-topics/risky-ports/m-p/216253#M62651 SumitB 2018-06-01T11:13:35Z https://live.paloaltonetworks.com/t5/general-topics/risky-ports/m-p/216256#M62652 <P>in the new age of Next Generation firewalls, ports do not matter as much as they used to</P> <P>&nbsp;</P> <P>today a lot more protocols and applications use port 80 and 443 where older, more traditional, protocols would use their own port</P> <P>&nbsp;</P> <P>App-ID will assist tremendously in identifying exactly what is traversing the firewall, versus simply monitoring the ports</P> <P>each application comes with "application default" ports which will also help to close off 'unusual' ports</P> <P>&nbsp;</P> <P>So if you create, for example, a rule that allows web-browsing, ssl and DNS and set the service ports to 'application default', only ports 80,443 and 53 will be 'open' for this rule</P> <P>&nbsp;</P> <P>'threat' wise, ports 80 and 443 pose far more risks than any other ports combined, so leveraging App-ID with content scanning and threat protection would be a more secure route than relying on just ports</P> Fri, 01 Jun 2018 12:18:10 GMT https://live.paloaltonetworks.com/t5/general-topics/risky-ports/m-p/216256#M62652 reaper 2018-06-01T12:18:10Z