https://live.paloaltonetworks.com/t5/general-topics/difference-between-app-base-rule-and-service-base-rule/m-p/361912#M88240 <P>Hi All,</P><P>&nbsp;</P><P>Just some queries,</P><P>&nbsp;</P><P>1) what is the difference between the App base rule and Service base rule?</P><P>2) For security purpose which one is a more secure app or service base rule?</P><P>3) What is the benefit of using App base rules?</P><P>&nbsp;</P><P>Thanks in advance.</P> Tue, 10 Nov 2020 15:05:59 GMT OsamaKhan 2020-11-10T15:05:59Z https://live.paloaltonetworks.com/t5/general-topics/difference-between-app-base-rule-and-service-base-rule/m-p/361912#M88240 <P>Hi All,</P><P>&nbsp;</P><P>Just some queries,</P><P>&nbsp;</P><P>1) what is the difference between the App base rule and Service base rule?</P><P>2) For security purpose which one is a more secure app or service base rule?</P><P>3) What is the benefit of using App base rules?</P><P>&nbsp;</P><P>Thanks in advance.</P> Tue, 10 Nov 2020 15:05:59 GMT https://live.paloaltonetworks.com/t5/general-topics/difference-between-app-base-rule-and-service-base-rule/m-p/361912#M88240 OsamaKhan 2020-11-10T15:05:59Z https://live.paloaltonetworks.com/t5/general-topics/difference-between-app-base-rule-and-service-base-rule/m-p/361931#M88243 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/116059">@OsamaKhan</a>,</P> <P>1) what is the difference between the App base rule and Service base rule?</P> <P><FONT color="#FF0000">Service is only looking at layer-4, so if you open 25/tcp for example expecting to only allow SMTP traffic that doesn't really work. The only thing you're doing is allowing traffic to the specified host on 25/tcp.</FONT></P> <P><FONT color="#FF0000">App-ID is all signature based, so if you allow SMTP with application-default you'll only be allowing SMTP traffic. If that app-id's signature picks up anything else, the traffic won't match that rulebase entry.&nbsp;</FONT></P> <P>&nbsp;</P> <P>2) For security purpose which one is a more secure app or service base rule?</P> <P><FONT color="#FF0000">It's always going to be App-ID. App-ID is checking to make sure that the traffic that you're trying to allow is what is actually being identified. If you simply specify any application on a service object you're just opening a port.&nbsp;</FONT></P> <P>&nbsp;</P> <P>3) What is the benefit of using App base rules?</P> <P><FONT color="#FF0000">You're verifying that what you are trying to allow is what is actually being passed. If the traffic signature matches an app-id that you aren't allowing the traffic will be dropped.&nbsp;</FONT></P> Tue, 10 Nov 2020 17:17:44 GMT https://live.paloaltonetworks.com/t5/general-topics/difference-between-app-base-rule-and-service-base-rule/m-p/361931#M88243 BPry 2020-11-10T17:17:44Z https://live.paloaltonetworks.com/t5/general-topics/difference-between-app-base-rule-and-service-base-rule/m-p/362895#M88307 <P>Hello,</P> <P>Just to expand on question 3 a bit and what BPry already mentioned. Lets say you have a policy where you only want your internal DNS or domain controllers to access DNS from the internet using a secure DNS provider. Your Application based policy would ensure that the internal DNS servers are actually using DNS to go to the external secure DNS provider. This would prevent a malicious actor from exfiltrating data out from any system using port 53 or DNS.</P> <P>&nbsp;</P> <P>Hint: Please do this as it is very secure and often overlooked.</P> <P>&nbsp;</P> <P>Cheers!</P> Thu, 12 Nov 2020 23:08:58 GMT https://live.paloaltonetworks.com/t5/general-topics/difference-between-app-base-rule-and-service-base-rule/m-p/362895#M88307 OtakarKlier 2020-11-12T23:08:58Z