topic Re: how to create policy and how to identify which ports are being used on PAN in General Topics

how to create policy and how to identify which ports are being used on PAN

shafi021 — Mon, 27 Apr 2020 21:21:45 GMT

Hi Guys,

I am new to Palo Alto. I recently joined the firm and they are using any any as policy for internal to Public, Internal to WAN zone. My tasks is to identify the ports which are being used and apply the ACL.

My question to experts is how to find out which ports are being used and how should I apply this ACL on PAN.

I have little idea that I can check ports under traffic tab and need to create service object to apply on zones.

Guys please suggest me the best approach and guide me on how I should achieve this goal.

Thanks

Re: how to create policy and how to identify which ports are being used on PAN

BPry — Tue, 28 Apr 2020 02:11:25 GMT

@shafi021,

You shouldn't be looking at building out a port list, you should be looking at see what applications are being identified. Identify the applications that you are seeing come across the firewall and whether or not they should be allowed, and build out exceptions for any application that isn't being properly identified.

A couple notes:

- It's easiest if you simply build out two application-groups for sanctioned and unsanctioned applications.

- Your setup doesn't sound like they've done anything outside of just installing this box. Look at following the published best-practices and actually using your NGFW to its capabilities.

Re: how to create policy and how to identify which ports are being used on PAN

OwenFuller — Tue, 28 Apr 2020 15:18:59 GMT

If you're running 9.0 code, you can use the Policy Optimizer to help you identify what applications are currently being seen on the existing rule. It will easily allow you to apply just these apps to the rule, or clone a new rule with the selected applications.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/policy-optimizer.html

Custom reports would also be very helpful to you. You can build and save report queries with all kinds of different options to pull info from the logs, and organize it into convenient summaries.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/view-and-manage-reports/custom-reports.html

Re: how to create policy and how to identify which ports are being used on

shafi021 — Thu, 14 May 2020 14:14:40 GMT

Thank you for your response guys

Re: how to create policy and how to identify which ports are being used on

shafi021 — Thu, 21 May 2020 02:42:20 GMT

Hi @OwenFuller , we are using PAN OS 8 and not going to be on 9 soon. I configured Netflow and I can see which ports are being used. Some of the applications on my flow analysis are showing as unknown App because my org is using some non standard ports, but I can find those ports under Traffic log on PAN. My question is, is it possible to use application and service object ( where I am going to add ports) together on Zone policy. we have 3 zones, Pub, Inside and WAN. what do you suggest , how should I proceed?

Re: how to create policy and how to identify which ports are being used on

OwenFuller — Thu, 21 May 2020 02:52:59 GMT

Yes, you can use “any” app with a particular service port instead of a pre-defined app. Another option is to define a custom application based on the ports used. I would also check the Monitor tab to see how Palo identifies the applications, and adjust your security policies accordingly.