https://live.paloaltonetworks.com/t5/general-topics/application-override-vs-service/m-p/319304#M81896 <P>the service port let's you determine on which port TCP is allowed to connect</P><P>&nbsp;</P><P>so if you set port 80, tcp is allowed to connect on pot 80, app-id can then determine if the session is web-browsing&nbsp; or ftp os ssh or something else. because you allowed port 80, the session will be allowed through and app-id will simply identify the app</P><P>&nbsp;</P><P>if you use <STRONG>application-default</STRONG>, app-id will use it's knowledge of the data flow to determine if the port it sees in the tcp session matches what it sees in the payload, so if a tcp session on port 80 comes in, that's fine, but after it sends payload and app-id determines that the session is actually LDAP, it will drop the connection as it is using a non-default port</P><P>&nbsp;</P><P>in both the above cases, app-id will keep track of the flow and make sure the application is behaving as expected, applying the right heuristics etc to determine if there are any threats or application switches happening</P><P>&nbsp;</P><P>application-override tells app-id and content-id (if used with a custom app) to <EM>not inspect a session at all</EM> and simply label it as the custom app. so if you set app override on port 80, that opens up port 80 to all underlying applications and <EM>threats</EM></P> Mon, 30 Mar 2020 06:58:57 GMT reaper 2020-03-30T06:58:57Z https://live.paloaltonetworks.com/t5/general-topics/application-override-vs-service/m-p/319053#M81862 <P>I have new application.</P><P>I need to know what is the difference between&nbsp;application override policy and the security policy by using the service port number both are stateful inspection firewall at Layer-4?</P><P>&nbsp;</P><P>Service:<BR />Allows you to select a Layer 4 (TCP or UDP) port for the application. You can choose any, specify a port, or use application-default to permit use of the standards-based port for the application.</P><P>&nbsp;</P><P>Application Override:<BR />Identify sessions that you do not want processed by the App-ID engine, which is a Layer-7 inspection. Traffic matching an application override policy forces the firewall to handle the session as a regular stateful inspection firewall at Layer-4.</P><P>&nbsp;</P><P>my reference:<BR /><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/policy-types.html" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/policy-types.html</A></P><P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-policy/components-of-a-security-policy-rule.html#id5ac93939-77c9-4981-af21-965414779af3_service" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-policy/components-of-a-security-policy-rule.html#id5ac93939-77c9-4981-af21-965414779af3_service</A></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 27 Mar 2020 16:24:49 GMT https://live.paloaltonetworks.com/t5/general-topics/application-override-vs-service/m-p/319053#M81862 HasanAljohi 2020-03-27T16:24:49Z https://live.paloaltonetworks.com/t5/general-topics/application-override-vs-service/m-p/319304#M81896 <P>the service port let's you determine on which port TCP is allowed to connect</P><P>&nbsp;</P><P>so if you set port 80, tcp is allowed to connect on pot 80, app-id can then determine if the session is web-browsing&nbsp; or ftp os ssh or something else. because you allowed port 80, the session will be allowed through and app-id will simply identify the app</P><P>&nbsp;</P><P>if you use <STRONG>application-default</STRONG>, app-id will use it's knowledge of the data flow to determine if the port it sees in the tcp session matches what it sees in the payload, so if a tcp session on port 80 comes in, that's fine, but after it sends payload and app-id determines that the session is actually LDAP, it will drop the connection as it is using a non-default port</P><P>&nbsp;</P><P>in both the above cases, app-id will keep track of the flow and make sure the application is behaving as expected, applying the right heuristics etc to determine if there are any threats or application switches happening</P><P>&nbsp;</P><P>application-override tells app-id and content-id (if used with a custom app) to <EM>not inspect a session at all</EM> and simply label it as the custom app. so if you set app override on port 80, that opens up port 80 to all underlying applications and <EM>threats</EM></P> Mon, 30 Mar 2020 06:58:57 GMT https://live.paloaltonetworks.com/t5/general-topics/application-override-vs-service/m-p/319304#M81896 reaper 2020-03-30T06:58:57Z https://live.paloaltonetworks.com/t5/general-topics/application-override-vs-service/m-p/319424#M81917 <P>Hello,</P><P>I would suggest to stay away from overrides if you can. They bypass the threat engine so there could be potentially malicious traffic.</P><P>&nbsp;</P><P>Regards,</P> Mon, 30 Mar 2020 17:05:17 GMT https://live.paloaltonetworks.com/t5/general-topics/application-override-vs-service/m-p/319424#M81917 OtakarKlier 2020-03-30T17:05:17Z