I have run into an issue with the way a specific application passes the firewall, and I need to put in a request to Palo Alto to have it modified.
The application is Subversion, and when I set the firewall to allow only "application default" services, the firewall blocks connections because this particular installation is running off an Apache server, not a standalone subversion server - which means that while the application is recognised as subversion, the *port* is different from the application definition, so if I turn on the strict service checking, the connections fail. I turn the service setting to "any", and it works - but, as has been pointed out before, this is not a good idea.
I'm reliably informed that this kind of installation is now far more common than the stand-alone subversion server installation which the application looks at.
Can someone tell me if there is a process to contact Palo Alto and have the global application definition expanded to include running on the (now) more common port as well as the commonly defined ones?
Can't you just set the service in that rule to match the port the application is running on? That way it should match both the application and the port, even if it's not defined as standard for the application.
Not too sure if there's a standard process for contacting Palo Alto about this, but I would contact my SE as I do for feature requests.
I could possibly define a service port for the given application, yes, but then I'd need an additional rule in my rulebase - one for the "modified" application/service, one for everything else on the server. Not something I want to do.
If a standard configuration option for the application is to run on the port you utilize in your environment then modifying the application would likely be something we would do. It's understandable that application deployment practices can change over time and this type of change is possible. It is not clear what you mean by "reliably informed" that this configuration is standard practice for the application, but it is definitely something our applications team can research.
If the feedback from the developers was such that a modification would not be made, then creating a separate rule with the service defined would be the way to allow this traffic.
Please open a case with support with the information you have about this configuration and the developers can investigate further.
> It is not clear what you mean by "reliably informed" that this configuration is standard practice for the application, but it is definitely something our applications team can research.
Well, considering that Apache, the most popular web server in the world, has a specific, rather detailed FAQ on Subversion under Apache, I'd consider it reliable. :-) I've also spoken to some pretty active *nix developers who all respond "Nobody uses a stand-alone subversion server these days!".
Anyway, I'll drop a case to support and see what they say. Thanks.
Wouldn't the simple solution to this be to define a custom 'Service' named apache-subversion-nonstandard or something along those lines and define the port there, then populate the service column with that custom port definition?
I get what you're saying though... if it's a common practice to co-deploy SVN alongside Apache then the default App-ID ports should reflect that.
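To make the three options discussed in this thread concrete (service set to application-default, to any, or to a custom service object for the Apache port), here is an added toy model of first-match rule evaluation. It is illustrative code written for this page, not PAN-OS code and not anything from the thread's participants; the application names, the default port table (svnserve on tcp/3690, Apache-hosted Subversion on tcp/443) and the rule and service names are all constructed assumptions and do not reproduce Palo Alto's real App-ID database.

```python
"""Toy model of App-ID rule matching: application-default vs. an explicit
service object vs. "any".  Constructed illustration only; the port table
below is an assumption, not Palo Alto's real App-ID definitions."""
from dataclasses import dataclass

# Assumed default ports per application (svnserve listens on tcp/3690).
APP_DEFAULT_PORTS = {
    "subversion": {("tcp", 3690)},
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
}


@dataclass(frozen=True)
class Flow:
    app: str      # application as identified by App-ID
    proto: str    # transport protocol
    dport: int    # destination port actually used


@dataclass
class Rule:
    name: str
    apps: set       # {"any"} or a set of application names
    service: object  # "any", "application-default", or a set of (proto, port)
    action: str = "allow"

    def matches(self, flow: Flow) -> bool:
        if "any" not in self.apps and flow.app not in self.apps:
            return False
        if self.service == "any":
            return True  # port is not checked at all
        if self.service == "application-default":
            # only the ports the application definition lists
            return (flow.proto, flow.dport) in APP_DEFAULT_PORTS.get(flow.app, set())
        # explicit service object: only the ports it contains
        return (flow.proto, flow.dport) in self.service


def evaluate(rulebase, flow: Flow) -> str:
    """First-match evaluation with an implicit deny at the end."""
    for rule in rulebase:
        if rule.matches(flow):
            return f"{rule.action} ({rule.name})"
    return "deny (implicit)"


# Constructed sample flows.
SVN_OVER_APACHE = Flow("subversion", "tcp", 443)   # mod_dav_svn behind HTTPS
SVN_STANDALONE = Flow("subversion", "tcp", 3690)   # svnserve
SVN_ODD_PORT = Flow("subversion", "tcp", 8080)     # subversion on an unexpected port

# Custom service object for the Apache-hosted repository (hypothetical name).
SVC_APACHE_SVN = {("tcp", 443)}

RULEBASE_APP_DEFAULT = [Rule("allow-svn", {"subversion"}, "application-default")]
RULEBASE_ANY = [Rule("allow-svn", {"subversion"}, "any")]
RULEBASE_CUSTOM = [
    Rule("allow-svn-apache", {"subversion"}, SVC_APACHE_SVN),
    Rule("allow-svn-default", {"subversion"}, "application-default"),
]


def compare(flow: Flow) -> dict:
    """Verdict for one flow under each of the three rulebase styles."""
    return {
        "application-default": evaluate(RULEBASE_APP_DEFAULT, flow),
        "any": evaluate(RULEBASE_ANY, flow),
        "custom-service": evaluate(RULEBASE_CUSTOM, flow),
    }


if __name__ == "__main__":
    for flow in (SVN_OVER_APACHE, SVN_STANDALONE, SVN_ODD_PORT):
        print(flow, compare(flow))
```

Running it shows the trade-off the thread describes: application-default denies the Apache-hosted flow, "any" allows it but also allows subversion on 8080, and the custom-service rulebase allows 443 and 3690 while still denying 8080, at the cost of the extra rule the original poster wanted to avoid.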