https://live.paloaltonetworks.com/t5/general-topics/security-policy-is-passing-the-service-which-is-not-configured/m-p/410395#M92591 <P>Hello,</P> <P>As a best practice, I would recommend you use the Application rather than the port.</P> <P>Regards,</P> Tue, 01 Jun 2021 18:29:41 GMT OtakarKlier 2021-06-01T18:29:41Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-is-passing-the-service-which-is-not-configured/m-p/410181#M92562 <P>We have created a VPN to Trust rule for just FTP and SSH Service for server in which we have Allowed only those services with application any. But the some of the traffic is passing with the some random service port with the same rule with application ftp which is not mention in security policy. Any Idea why is this happening.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot (501)_LI.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/34149i7E8A9E3E8595E1D2/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screenshot (501)_LI.jpg" alt="Screenshot (501)_LI.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot (502)_LI.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/34150iECEFE693B14BC86F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screenshot (502)_LI.jpg" alt="Screenshot (502)_LI.jpg" /></span></P> Mon, 31 May 2021 15:53:42 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-is-passing-the-service-which-is-not-configured/m-p/410181#M92562 MPESDC 2021-05-31T15:53:42Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-is-passing-the-service-which-is-not-configured/m-p/410184#M92563 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/183239">@MPESDC</a>&nbsp;</P> <P>This is a special case for the application ftp. In an initial ftp connection the actual data transfer port is sent in the payload of the controlconnection. The firewall reads this and opens the additional port dynamically. This is at least the explanation for this behaviour so far.</P> <P>I see it here probably as you do. If you have specified exactly one port, the firewall should not allow dynamically another one - even if this breaks the ftp connection. In this situation I recommend to open a TAC case for either finaly clarification or informing them about this behaviour.</P> Mon, 31 May 2021 16:20:34 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-is-passing-the-service-which-is-not-configured/m-p/410184#M92563 Remo 2021-05-31T16:20:34Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-is-passing-the-service-which-is-not-configured/m-p/410212#M92567 <P>You may check this article and your app configuration and you can you use app overide to not only to allow passive FTP but lso to block it:</P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFeCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFeCAK</A></P> Mon, 31 May 2021 19:31:28 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-is-passing-the-service-which-is-not-configured/m-p/410212#M92567 nikoolayy1 2021-05-31T19:31:28Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-is-passing-the-service-which-is-not-configured/m-p/410395#M92591 <P>Hello,</P> <P>As a best practice, I would recommend you use the Application rather than the port.</P> <P>Regards,</P> Tue, 01 Jun 2021 18:29:41 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-is-passing-the-service-which-is-not-configured/m-p/410395#M92591 OtakarKlier 2021-06-01T18:29:41Z