<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: working process behind policy with multiple dependent applications in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/working-process-behind-policy-with-multiple-depended/m-p/218799#M63227</link>
    <description>&lt;P&gt;If you have 3 apps and 3 ports, then any of the apps can match any of the listed services.&lt;/P&gt;&lt;P&gt;App A could be communicating on port 1, 2 or 3. Same for app B and app C.&lt;/P&gt;&lt;P&gt;When grouping multiple items in a policy element, it's an OR statement. The traffic must match application A OR B OR C and it must match service 1 OR 2 OR 3. So A + 3 or B + 1 are both valid matches.&lt;/P&gt;&lt;P&gt;If you need to restrict App A to a single port, you'll need to use a unique security policy rule.&lt;/P&gt;</description>
    <pubDate>Fri, 22 Jun 2018 05:27:14 GMT</pubDate>
    <dc:creator>rmfalconer</dc:creator>
    <dc:date>2018-06-22T05:27:14Z</dc:date>
    <item>
      <title>working process behind policy with multiple dependent applications</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/working-process-behind-policy-with-multiple-depended/m-p/218787#M63225</link>
      <description>&lt;P&gt;I was a little ambiguous on how Palo Alto processes a policy. Let's say I have a policy with 3 applications (a, b, c) in the application field and multiple service ports (1, 2, 3). Is there a chance that one of the applications (a or b or c) specified in my application field is also being allowed on ports other than the ones it is meant to be allowed on (say A must be allowed on port 1, but it is also communicating via 2 or 3)?&lt;/P&gt;</description>
      <pubDate>Fri, 22 Jun 2018 01:01:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/working-process-behind-policy-with-multiple-depended/m-p/218787#M63225</guid>
      <dc:creator>SandeepChinta</dc:creator>
      <dc:date>2018-06-22T01:01:14Z</dc:date>
    </item>
    <item>
      <title>Re: working process behind policy with multiple dependent applications</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/working-process-behind-policy-with-multiple-depended/m-p/218799#M63227</link>
      <description>&lt;P&gt;If you have 3 apps and 3 ports, then any of the apps can match any of the listed services.&lt;/P&gt;&lt;P&gt;App A could be communicating on port 1, 2 or 3. Same for app B and app C.&lt;/P&gt;&lt;P&gt;When grouping multiple items in a policy element, it's an OR statement. The traffic must match application A OR B OR C and it must match service 1 OR 2 OR 3. So A + 3 or B + 1 are both valid matches.&lt;/P&gt;&lt;P&gt;If you need to restrict App A to a single port, you'll need to use a unique security policy rule.&lt;/P&gt;</description>
      <pubDate>Fri, 22 Jun 2018 05:27:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/working-process-behind-policy-with-multiple-depended/m-p/218799#M63227</guid>
      <dc:creator>rmfalconer</dc:creator>
      <dc:date>2018-06-22T05:27:14Z</dc:date>
    </item>
    <item>
      <title>Re: working process behind policy with multiple dependent applications</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/working-process-behind-policy-with-multiple-depended/m-p/218813#M63229</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/55733"&gt;@rmfalconer&lt;/a&gt;'s statement is correct regarding the 'OR' property of any object added to the same field in a security policy (app A or B or C).&lt;/P&gt;
&lt;P&gt;But if you enable 'application-default' in the services, instead of using singular service objects, all applications used in the security policy will only be matched against their own default ports (visible in the application properties), while other apps will not be allowed to re-use those ports unless they are listed in their own properties.&lt;/P&gt;
&lt;P&gt;As an example, look at rules A and B below. They are identical except for the services:&lt;/P&gt;
&lt;P&gt;Rule B will allow facebook, ssl and web-browsing on tcp 22 and ssh on tcp 80 and 443.&lt;/P&gt;
&lt;P&gt;Rule A will allow ssh on tcp 22, but &lt;EM&gt;not&lt;/EM&gt; tcp 80 or 443; web browsing (cleartext http) on tcp 80, but &lt;EM&gt;not&lt;/EM&gt; 443 or 22; ssl on port 443, but not 22 or 80.&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="example services.png" style="width: 800px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/15569i1F82B1917A04C867/image-size/large?v=v2&amp;amp;px=999" role="button" title="example services.png" alt="example services.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;So you will not need to create a single rule per application; you only need to use application-default to prevent applications re-using other applications' ports.&lt;/P&gt;</description>
      <pubDate>Fri, 22 Jun 2018 08:24:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/working-process-behind-policy-with-multiple-depended/m-p/218813#M63229</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2018-06-22T08:24:58Z</dc:date>
    </item>
  </channel>
</rss>