topic Re: Need to allow service for Ping application in General Topics

Need to allow service for Ping application

MohammedAsik — Tue, 27 Aug 2019 07:35:30 GMT

Hi Team

We have configured the one Destination NAT policy. My requirement is Ping the NAT IP (Public IP) from the external network.

I have configured one security policy with application as 'ping' and service as 'any'.

For the above configuration, I can able to ping the Public IP from the external network. But I want to allow the specific service for Ping application.

Note : If I configured the service as "any or application-default", I can able to ping from the external network. If I mention particular service, I couldn't able to ping from the external network.

My question is, What is the service need to allow only for PIng application?

If you need any further information, please let me know.

Regards

Mohammed Asik

Re: Need to allow service for Ping application

VinceM — Tue, 27 Aug 2019 12:21:12 GMT

Hi,

Ping is neither TCP nor UDP, it's protocol 1 then I think you are unable to configure your own service.

In some fw you can find port 0.

Rgds

Re: Need to allow service for Ping application

S.Cantwell — Tue, 27 Aug 2019 18:56:13 GMT

The correct way to enable all applications, is to use the service of "application-default".

So change from service of "any" to "application-default"

Thanks

Steve

Re: Need to allow service for Ping application

MohammedAsik — Wed, 28 Aug 2019 07:02:17 GMT

Hi Steve

I had already configured as application default and I could able to ping from external network.

But the issue is, we are receiving the lot of unwanted ports hit the server. Due to this, Server load become high. So that only we want to mention the particular the ports in service.

I want to block the unwanted port hit from firewall itself which will not hit the server.

Could you suggest me?

Regards

Mohammed Asik

Re: Need to allow service for Ping application

VinceM — Wed, 28 Aug 2019 07:22:30 GMT

Hi Mohammed,

Seem you are on public IP range on both your wan and your DMZ. then if you just want to allowed ping. You should only have security rule like

from zone: WAN1-TATA

To zone DMZ-1

To IP 203.196.171.56

Application: ping

Service: Application default

Action: Allow

Your Internet-DMZServers rule should be TO LARGE 🙂

Incomplete mean, syn arrive to your server and your server never answer.

Rgds

Re: Need to allow service for Ping application

MohammedAsik — Wed, 28 Aug 2019 08:21:54 GMT

Hi Vince

Incomplete mean, syn arrive to your server and your server never answer.

Yes you're correct, the syn arrived to the server. My requirement is syn should not reach the server, it should block from firewall.

How can we achieve it ?

Regards

Mohammed Asik

Re: Need to allow service for Ping application

VinceM — Wed, 28 Aug 2019 08:26:27 GMT

Hi,

No reason for syn on port TCP/445 to arrive on your server if you don't want it.

But it seem your security rule allow it.

what your security rule look like ??

Allow only app on application-default.

Re: Need to allow service for Ping application

MohammedAsik — Wed, 28 Aug 2019 09:22:46 GMT

Hi Vince

Yes, In security rule I have allowed the application Ping , SSL, FTP and service as Application-default.

Since the unwanted ports are hit the server without allowing the mentioned port

Regards

Mohammed

Re: Need to allow service for Ping application

VinceM — Wed, 28 Aug 2019 09:38:10 GMT

Hi,

You have to know that before beeing able to indifty a complete app, your firewall nedd to first allow session's first packet.

Mean allowing syn / syn-ack /ack + first apcket.

At the beginning session identification is based on 5-tuple (source zone, source IP subnet, destination zone, destination IP subnet, destination port). Mean, based on this criterim, session match first security rule which allow these packet.

If your rule is on top, it can explain strange traffic in your log.

look: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS9CAK

Rgds