https://live.paloaltonetworks.com/t5/general-topics/dynamic-tcp-port-app-query/m-p/230005#M66127 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/57857">@ash83</a>&nbsp;wrote:<BR /><P><SPAN class="">What could be done if the app in use in enhanced-file-transfer?</SPAN></P><HR /></BLOCKQUOTE><P>Sorry, this one I don't understand. What do you want to do?</P> Fri, 07 Sep 2018 16:11:09 GMT Remo 2018-09-07T16:11:09Z https://live.paloaltonetworks.com/t5/general-topics/dynamic-tcp-port-app-query/m-p/229768#M66061 <P>Hi community, In a situation where there is a security policy allowing: SOURCE Source IP: any Source Zone: outside DESTINATION Destination IP: public IP 1.2.3.4 -&gt; NAT'd to private IP 10.10.10.10 (servername1) (the security policy is using the post NAT zone). The inbound NAT is also correctly configured, and NATing correctly. APP: appX -&gt; any APP which uses tcp/dynamic ACTION allow The service provided by servername1 has to be available to the world, and it is serving APP=appX content (using dynamic tcp ports) The above scenario will efectively allow any IP to access 1.2.3.4 -&gt; 10.10.10.10 (servername1) using APP=appX on ANY tcp port. Restricting the source IPs to some IPs, or country, continent etc is not an option, as it is a service that needs to be available to anyone on the internet. Is it not using appX -&gt; any APP which uses tcp/dynamic a huge security risk, as a it is allowing connection on any tcp port, and this will end up taking down 10.10.10.10 (servername1) after it cannot handle any more connections? The only solution I can think off is to stop using appX in the above scenario, and try to use service (L4 instead) - which is not really a Palo Alto friendly approach. Any idea(s) would be much appreciated. Thanks.</P> Thu, 06 Sep 2018 16:24:33 GMT https://live.paloaltonetworks.com/t5/general-topics/dynamic-tcp-port-app-query/m-p/229768#M66061 ash83 2018-09-06T16:24:33Z https://live.paloaltonetworks.com/t5/general-topics/dynamic-tcp-port-app-query/m-p/229791#M66064 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/57857">@ash83</a></P><P>&nbsp;</P><P>In the security policy you could specify a service in addition to the app. This way you can restrict the detection of the app to the port(s) you specify.</P> Thu, 06 Sep 2018 19:13:37 GMT https://live.paloaltonetworks.com/t5/general-topics/dynamic-tcp-port-app-query/m-p/229791#M66064 Remo 2018-09-06T19:13:37Z https://live.paloaltonetworks.com/t5/general-topics/dynamic-tcp-port-app-query/m-p/229995#M66124 <P><SPAN class="">Hi&nbsp;<A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592" target="_self">vsys_remo</A>,</SPAN></P><P>&nbsp;</P><P><SPAN class="">What could be done if the app in use in enhanced-file-transfer?</SPAN></P><P>&nbsp;</P><P><SPAN class="">Thanks.</SPAN></P> Fri, 07 Sep 2018 14:51:51 GMT https://live.paloaltonetworks.com/t5/general-topics/dynamic-tcp-port-app-query/m-p/229995#M66124 ash83 2018-09-07T14:51:51Z https://live.paloaltonetworks.com/t5/general-topics/dynamic-tcp-port-app-query/m-p/230005#M66127 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/57857">@ash83</a>&nbsp;wrote:<BR /><P><SPAN class="">What could be done if the app in use in enhanced-file-transfer?</SPAN></P><HR /></BLOCKQUOTE><P>Sorry, this one I don't understand. What do you want to do?</P> Fri, 07 Sep 2018 16:11:09 GMT https://live.paloaltonetworks.com/t5/general-topics/dynamic-tcp-port-app-query/m-p/230005#M66127 Remo 2018-09-07T16:11:09Z