https://live.paloaltonetworks.com/t5/general-topics/best-practice-allowing-a-known-application-together-with-a/m-p/261508#M74135 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/113856">@jeroenverstraeten</a> ,</P> <P>&nbsp;</P> <P>Yes you can combine applications with non-standard ports in one single rule :</P> <P><A href="https://live.paloaltonetworks.com/t5/Community-Blog/What-s-a-service-anyway/ba-p/155012" target="_blank" rel="noopener">What-s-a-service-anyway</A></P> <P>&nbsp;</P> <P>Cheers !</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Fri, 17 May 2019 13:28:08 GMT kiwi 2019-05-17T13:28:08Z https://live.paloaltonetworks.com/t5/general-topics/best-practice-allowing-a-known-application-together-with-a/m-p/261496#M74133 <P>Let's say we have 2 zones seperated by our PA firewall, Zone A and Zone B. Traffic between Zone A and Zone B is only allowed for some applications/services from dedicated devices in Zone A to dedicated devices in Zone B.</P><P>&nbsp;</P><P>We have a custom Service which uses TCP port 7777 named CustomService1.</P><P>&nbsp;</P><P>Device 1 in Zone A needs to access Device 2 in Zone B on our custom service AND by https. Is this possible in 1 rule?</P><P>Or do we need to configure this like:</P><P>&nbsp;</P><P>rule 1 = zone: Zone A | Address: Device 1 | zone: Zone B | Address: Device 2 | Application: web-browsing | Service: application defaults | action: Allow</P><P>rule 2 =&nbsp;zone: Zone A | Address: Device 1 | zone: Zone B | Address: Device 2 | Application: any | Service: CustomService1 | action: Allow</P><P>&nbsp;</P> Fri, 17 May 2019 12:52:06 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practice-allowing-a-known-application-together-with-a/m-p/261496#M74133 jeroenverstraeten 2019-05-17T12:52:06Z https://live.paloaltonetworks.com/t5/general-topics/best-practice-allowing-a-known-application-together-with-a/m-p/261506#M74134 <P>2 rules is going to be an OR.&nbsp; If you want it to match an application &amp; port, they need to be within the same rule.&nbsp; Everything you match on in the same rule is an AND.</P><P>&nbsp;</P><P>If you do those 2 seperate rules, it's going to allow ALL web browsing traffic on its default ports(80/443) as well as allow all traffic, web browsing or not, over tcp port 7777.&nbsp; You could test the single rule requiring both app web-browsing/ssl &amp; your custom service.</P> Fri, 17 May 2019 13:14:42 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practice-allowing-a-known-application-together-with-a/m-p/261506#M74134 OGMaverick 2019-05-17T13:14:42Z https://live.paloaltonetworks.com/t5/general-topics/best-practice-allowing-a-known-application-together-with-a/m-p/261508#M74135 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/113856">@jeroenverstraeten</a> ,</P> <P>&nbsp;</P> <P>Yes you can combine applications with non-standard ports in one single rule :</P> <P><A href="https://live.paloaltonetworks.com/t5/Community-Blog/What-s-a-service-anyway/ba-p/155012" target="_blank" rel="noopener">What-s-a-service-anyway</A></P> <P>&nbsp;</P> <P>Cheers !</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Fri, 17 May 2019 13:28:08 GMT https://live.paloaltonetworks.com/t5/general-topics/best-practice-allowing-a-known-application-together-with-a/m-p/261508#M74135 kiwi 2019-05-17T13:28:08Z