https://live.paloaltonetworks.com/t5/general-topics/service-versus-using-an-application-for-rule-match/m-p/236672#M67831 <P>Can you please confirm if this is write for application&nbsp;</P><P>&nbsp;</P><P><SPAN>When&nbsp; we&nbsp; use "application" in Rule that will allow the firewall to take action after enough packets are allowed&nbsp; for App-ID identification regardless of the ports being used&nbsp;</SPAN></P> Tue, 23 Oct 2018 13:55:10 GMT MP18 2018-10-23T13:55:10Z https://live.paloaltonetworks.com/t5/general-topics/service-versus-using-an-application-for-rule-match/m-p/236607#M67820 <P>&nbsp;</P><P>Need to know if we use application instead of service in security policy&nbsp;</P><P>&nbsp;</P><P>When we use service then that will enable the firewall to take immediate action with the first observed packet based on port number.</P><P>&nbsp;</P><P>When&nbsp; we&nbsp; use "application" in Rule that will allow the firewall to take action after enough packets are allowed&nbsp; for App-ID identification regardless of the ports being used ?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 23 Oct 2018 04:47:02 GMT https://live.paloaltonetworks.com/t5/general-topics/service-versus-using-an-application-for-rule-match/m-p/236607#M67820 MP18 2018-10-23T04:47:02Z https://live.paloaltonetworks.com/t5/general-topics/service-versus-using-an-application-for-rule-match/m-p/236636#M67822 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a></P> <P>&nbsp;</P> <P>Ideally both</P> <P>The services will be able to block/allow syn packets based on the destination port and applications will be able to identify if the packets flowing over port 80 are really web-browsing and not something else abusing the open port</P> <P>&nbsp;</P> <P>setting the service to 'application-default' instead of a set of ports will enforce even tighter controls as a mixed rule ( ie. ftp, ssh, dns, ...) will ensure tcp&nbsp;21 is only used by ftp&nbsp;and not ssh which is allowed in the same rule</P> <P>&nbsp;</P> Tue, 23 Oct 2018 07:56:29 GMT https://live.paloaltonetworks.com/t5/general-topics/service-versus-using-an-application-for-rule-match/m-p/236636#M67822 reaper 2018-10-23T07:56:29Z https://live.paloaltonetworks.com/t5/general-topics/service-versus-using-an-application-for-rule-match/m-p/236672#M67831 <P>Can you please confirm if this is write for application&nbsp;</P><P>&nbsp;</P><P><SPAN>When&nbsp; we&nbsp; use "application" in Rule that will allow the firewall to take action after enough packets are allowed&nbsp; for App-ID identification regardless of the ports being used&nbsp;</SPAN></P> Tue, 23 Oct 2018 13:55:10 GMT https://live.paloaltonetworks.com/t5/general-topics/service-versus-using-an-application-for-rule-match/m-p/236672#M67831 MP18 2018-10-23T13:55:10Z https://live.paloaltonetworks.com/t5/general-topics/service-versus-using-an-application-for-rule-match/m-p/236713#M67835 <P>Only if you set Service to any.&nbsp; Then it will allow those specific applications through, regardless of which port the traffic is going through.</P><P>&nbsp;</P><P>If you set Service to application-default, then it will only allow traffic through that matches the list of ports listed in the App-ID information for the application.</P><P>&nbsp;</P><P>If you set a specific port/set of ports in the Service, then it will only allow traffic through that matches the application on the listed ports.</P> Tue, 23 Oct 2018 17:22:56 GMT https://live.paloaltonetworks.com/t5/general-topics/service-versus-using-an-application-for-rule-match/m-p/236713#M67835 fjwcash 2018-10-23T17:22:56Z https://live.paloaltonetworks.com/t5/general-topics/service-versus-using-an-application-for-rule-match/m-p/236751#M67842 <P>Hello,</P><P>Also remember that the PAN lets the first few packets through so it can analize them. It will then apply the polcies that match. I try and write my policies as strict as possible and use Application everywhere I can so I dont run into an application that likes to port hop or spoof itself as Reaper mentioned.</P><P>&nbsp;</P><P>Regards,</P> Tue, 23 Oct 2018 19:38:17 GMT https://live.paloaltonetworks.com/t5/general-topics/service-versus-using-an-application-for-rule-match/m-p/236751#M67842 OtakarKlier 2018-10-23T19:38:17Z https://live.paloaltonetworks.com/t5/general-topics/service-versus-using-an-application-for-rule-match/m-p/236761#M67847 <P>Many thanks Everyone.</P> Tue, 23 Oct 2018 21:27:50 GMT https://live.paloaltonetworks.com/t5/general-topics/service-versus-using-an-application-for-rule-match/m-p/236761#M67847 MP18 2018-10-23T21:27:50Z