<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Is it better to have policy rules based on application instead of service ports? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/is-it-better-to-have-policy-rules-base-on-application-instead-of/m-p/12806#M9385</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks Jones.&amp;nbsp; I have a more clear understanding now. &lt;img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 12 Aug 2011 06:49:52 GMT</pubDate>
    <dc:creator>u7541</dc:creator>
    <dc:date>2011-08-12T06:49:52Z</dc:date>
    <item>
      <title>Is it better to have policy rules based on application instead of service ports?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/is-it-better-to-have-policy-rules-base-on-application-instead-of/m-p/12802#M9381</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I'm migrating a traditional layer 4 firewall policy to a PAN firewall.&amp;nbsp; I'm wondering whether I should convert all policies to be application-ID based, leave them service-port based, or do both (i.e. app-id + server ports)?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 22 Jul 2011 10:16:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/is-it-better-to-have-policy-rules-base-on-application-instead-of/m-p/12802#M9381</guid>
      <dc:creator>u7541</dc:creator>
      <dc:date>2011-07-22T10:16:42Z</dc:date>
    </item>
    <item>
      <title>Re: Is it better to have policy rules based on application instead of service ports?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/is-it-better-to-have-policy-rules-base-on-application-instead-of/m-p/12803#M9382</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Probably a mix of both, as PA doesn't know about all possible applications.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For web filtering rules, application based is good.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Now for datacenter/production needs ... what would happen if suddenly, after an App-ID update, it won't recognize the MSSQL protocol? In addition, many apps aren't running on officially supported ports.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 22 Jul 2011 11:33:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/is-it-better-to-have-policy-rules-base-on-application-instead-of/m-p/12803#M9382</guid>
      <dc:creator>lardsa</dc:creator>
      <dc:date>2011-07-22T11:33:29Z</dc:date>
    </item>
    <item>
      <title>Re: Is it better to have policy rules based on application instead of service ports?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/is-it-better-to-have-policy-rules-base-on-application-instead-of/m-p/12804#M9383</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;In most cases, I would not recommend leaving the service/port definition as "any", particularly on inbound rules. For inbound rules, there is not really a good reason to wait to drop a session based on App-ID when you know you don't want the traffic coming in on that port in the first place. As a general rule, inbound policy should always include "application-default" or the specific port you know you have the service running on. For outbound rules, it is best to have the firewall policy reflect what your intention is. For example, if you want to allow users to run web-browsing or ssh on random ports, use "any" in the service column and they will be allowed to do that. I wouldn't necessarily recommend that, but the key is to write the policy that is appropriate for your environment. When you are protecting servers, allowing traffic on random ports is almost always a bad idea. When you are protecting users, it may still be a bad idea, but that will largely depend on your environment, the risk you are willing to allow, and the threat protection you are employing on the outbound (and inbound response) traffic. Generally speaking, the smaller you can get the surface area of exposure, the better you can manage the risk. App-ID allows you to do that in important ways, but it doesn't mean you should increase the port-based surface area just because you can.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Mike&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 22 Jul 2011 14:58:35 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/is-it-better-to-have-policy-rules-base-on-application-instead-of/m-p/12804#M9383</guid>
      <dc:creator>mjacobsen</dc:creator>
      <dc:date>2011-07-22T14:58:35Z</dc:date>
    </item>
    <item>
      <title>Re: Is it better to have policy rules based on application instead of service ports?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/is-it-better-to-have-policy-rules-base-on-application-instead-of/m-p/12805#M9384</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;No solution can identify apps before the TCP 3-way handshake completes. For a traditional fw, the port-based policy can make the traffic deny decision on the SYN packet, which contains the port no./service and IP information.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For PA, if you choose "any" for service, that means you are ignoring the port no. check, and we will allow a lot of first few packets from connections coming in/sending out until we identify the app after we receive the fourth or later packets. So in order to make PA really "more secure" than a traditional fw, and to allow fewer packets that we should not allow than a traditional fw, you should put at least application-default for a policy.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 06 Aug 2011 03:49:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/is-it-better-to-have-policy-rules-base-on-application-instead-of/m-p/12805#M9384</guid>
      <dc:creator>jleung</dc:creator>
      <dc:date>2011-08-06T03:49:10Z</dc:date>
    </item>
    <item>
      <title>Re: Is it better to have policy rules based on application instead of service ports?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/is-it-better-to-have-policy-rules-base-on-application-instead-of/m-p/12806#M9385</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks Jones.&amp;nbsp; I have a more clear understanding now. &lt;img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 12 Aug 2011 06:49:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/is-it-better-to-have-policy-rules-base-on-application-instead-of/m-p/12806#M9385</guid>
      <dc:creator>u7541</dc:creator>
      <dc:date>2011-08-12T06:49:52Z</dc:date>
    </item>
  </channel>
</rss>