https://live.paloaltonetworks.com/t5/general-topics/use-destination-networks-even-with-app-id-specified/m-p/306449#M79617 <P>Thanks for sharing your input&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>.!</P> Mon, 13 Jan 2020 09:12:30 GMT btenberge 2020-01-13T09:12:30Z https://live.paloaltonetworks.com/t5/general-topics/use-destination-networks-even-with-app-id-specified/m-p/306103#M79544 <P>I've been creating security rules to allow Traps Management (with the traps-management-service App-ID) pretty tightly by also defining destination networks (using FQDN objects for the multiple &lt;tenant&gt;<SPAN>.traps.paloaltonetworks.com and common contentprod and distributions hosts).</SPAN></P><P>&nbsp;</P><P><SPAN>According to the documentation on&nbsp;<A href="https://docs.paloaltonetworks.com/traps/tms/traps-management-service-admin/get-started-with-tms/enable-access-tms.html" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/traps/tms/traps-management-service-admin/get-started-with-tms/enable-access-tms.html</A>&nbsp;it should be enough to simply use the App-ID and keep it at that.</SPAN></P><P><SPAN>So now that got me thinking, does the traps-management-service App-ID take destination networks into account?</SPAN></P><P>Am I too paranoid doing things like this, or is it good practice to keep security rules as tight as possible, even with App-ID's?</P> Thu, 09 Jan 2020 11:34:40 GMT https://live.paloaltonetworks.com/t5/general-topics/use-destination-networks-even-with-app-id-specified/m-p/306103#M79544 btenberge 2020-01-09T11:34:40Z https://live.paloaltonetworks.com/t5/general-topics/use-destination-networks-even-with-app-id-specified/m-p/306185#M79563 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/19436">@btenberge</a>,</P><P>I believe that the traps-management-service signature actually takes the certificate of the connection into account, so the app-id itself should be relatively bulletproof.&nbsp;</P><P>Like anything else, how you should configure this really depends on your environments risk level. I have some organizations where I limit access to set destination addresses for any rule allowing outbound traffic; and I have others where the app-id itself is more than sufficient. If you utilize app-id to limit access, you are still allowing a handshake to take place at minimum. Some orgs will find that acceptable, others won't.&nbsp;</P><P>From an over-arching answer I'll say this, the vast majority of environments shouldn't feel like they need to limit app-id use to specified destinations. Even in highly secure environments, I generally would only go to the lengths you are going to on machines that actually have access to access sensitive information.&nbsp;</P> Thu, 09 Jan 2020 19:39:36 GMT https://live.paloaltonetworks.com/t5/general-topics/use-destination-networks-even-with-app-id-specified/m-p/306185#M79563 BPry 2020-01-09T19:39:36Z https://live.paloaltonetworks.com/t5/general-topics/use-destination-networks-even-with-app-id-specified/m-p/306449#M79617 <P>Thanks for sharing your input&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>.!</P> Mon, 13 Jan 2020 09:12:30 GMT https://live.paloaltonetworks.com/t5/general-topics/use-destination-networks-even-with-app-id-specified/m-p/306449#M79617 btenberge 2020-01-13T09:12:30Z