https://live.paloaltonetworks.com/t5/general-topics/appid-rule-with-service-quot-any-quot/m-p/229362#M65932 <P>Hello,</P><P>&nbsp;</P><P>I want to now the risks of allowing an application with any services.</P><P>Below an example. Thank you in advance</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="apponly.png" style="width: 795px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16416i2974F93A31C35CED/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="apponly.png" alt="apponly.png" /></span>Kind regards.</P> Tue, 04 Sep 2018 10:08:33 GMT wassim.bejaoui 2018-09-04T10:08:33Z https://live.paloaltonetworks.com/t5/general-topics/appid-rule-with-service-quot-any-quot/m-p/229362#M65932 <P>Hello,</P><P>&nbsp;</P><P>I want to now the risks of allowing an application with any services.</P><P>Below an example. Thank you in advance</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="apponly.png" style="width: 795px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16416i2974F93A31C35CED/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="apponly.png" alt="apponly.png" /></span>Kind regards.</P> Tue, 04 Sep 2018 10:08:33 GMT https://live.paloaltonetworks.com/t5/general-topics/appid-rule-with-service-quot-any-quot/m-p/229362#M65932 wassim.bejaoui 2018-09-04T10:08:33Z https://live.paloaltonetworks.com/t5/general-topics/appid-rule-with-service-quot-any-quot/m-p/229379#M65937 <P>The 'risk' is low since you do filter on application and have security profiles in place</P> <P>&nbsp;</P> <P>It would be recommended and best practice to use "application-default" instead of "any" in most cases, because it is highly unusual and maybe even suspicious for any application to be detected on a different port than their default (why would DNS be transmitted over any other port than 53?)</P> <P>&nbsp;</P> <P>applications using a different port are either badly configured (and do you want to allowed badly configured services to pass through) or being used for reconnaissance or exfiltration</P> Tue, 04 Sep 2018 11:57:35 GMT https://live.paloaltonetworks.com/t5/general-topics/appid-rule-with-service-quot-any-quot/m-p/229379#M65937 reaper 2018-09-04T11:57:35Z https://live.paloaltonetworks.com/t5/general-topics/appid-rule-with-service-quot-any-quot/m-p/229394#M65949 <P>Hello, Reaper,</P><P>&nbsp;</P><P>I thank you for your quick response.</P><P>&nbsp;</P><P>Can you give me a real use case of exfiltration or&nbsp;<SPAN>reconnaissance</SPAN> in this type of rule.</P><P>&nbsp;</P><P>Best regards.</P> Tue, 04 Sep 2018 14:33:34 GMT https://live.paloaltonetworks.com/t5/general-topics/appid-rule-with-service-quot-any-quot/m-p/229394#M65949 wassim.bejaoui 2018-09-04T14:33:34Z https://live.paloaltonetworks.com/t5/general-topics/appid-rule-with-service-quot-any-quot/m-p/229397#M65951 <P>typically proxies and other protection mechanisms listen in on the default ports of applications, an attacker may do a port scan to find open ports or use legitimate connections to see if 'ports are open'</P> <P>&nbsp;</P> <P>if a non-standard port is open, it is very likely the 'target' is not scanning properly for threats, so information can be sent out through that port to avoid detection</P> <P>&nbsp;</P> <P>the fact that there's applications in your&nbsp;policy will make this a lot harder, but why allow it in the first place</P> Tue, 04 Sep 2018 14:54:45 GMT https://live.paloaltonetworks.com/t5/general-topics/appid-rule-with-service-quot-any-quot/m-p/229397#M65951 reaper 2018-09-04T14:54:45Z