Security Rule Behavior when Applications selected with Service select in same rule


I have a little confusion and need to know what will happen if I have a rule where I have selected an application and a custom (home-grown application) port in the Service tab.

Ex: in the Application tab I have Ping, icmp and ssh.

In the Service tab: port 8080 and 8081 (custom web services object).

Will this work, or will the traffic drop?

Thanks in advance. I appreciate a quick answer.

Thanks

Anshul Gupta


@Anshul_Vertex,

It'll work fine as long as the traffic is being identified with that app-id. 

Example:

mssql-db on 62300/tcp works perfectly fine

mssql-mon on 1436/udp works perfectly fine. 


As long as the app-id is being identified then you're good to go. 

 

Thanks for the reply.

I am more concerned about the same rule inspecting L4 and L7.

I want to make sure that the firewall does not get stuck on App-ID and forget about the L4 check, as I am not doing an application override, just a security rule which has both App-ID info and L4 info.

I think it should work but want to confirm with the experts' comments.

 

All rules inspect traffic up to Layer 7 (with one exception, but it is irrelevant to this situation).

For example: if you put in the same rule application 'ssh' and in the service column 'tcp port 80', you aren't opening ssh and http traffic. You are only allowing ssh traffic on port 80. So ssh on port 22 won't be allowed by this rule, and http traffic on port 80 also won't be allowed. In other words, traffic must match all columns of a rule for that rule to apply.

Considering your example: never put icmp and ping in a rule which has services listed, as you can't make a service for a protocol. You need to specify 'application-default' for applications which don't use the TCP or UDP protocol.

 

 

Thank you Santonic.

This means I should create two separate rules: one allowing the Palo Alto defined application and a second allowing the Service tab entry (custom application port).

Please confirm.

@Anshul_Vertex,

In the example that you provided above the answer would be yes.

You want one rule that allows application [ ping icmp ] on service application-default; then you want to set the next rule to application ssh service [ 8080/tcp 8081/tcp ]. This would allow all the traffic that you listed in your original post.  

I appreciate your time to respond.

What I was trying to ask in my first example is whether traffic will be dropped or passed if I create one rule calling SSH in the app tab and the home-grown web application on 8080 in the service tab.

From your last comment: if I do the same, SSH in app and 8080 in the service tab in a single policy, then SSH will work on 8080, and neither my SSH on the default port 22 nor the web application on 8080 will work.

So just to finish this, I should create two rules specific to what I want: one for default SSH and another rule for the web application on 8080? Is this correct?

I hope that now I am very clear on my question?

 

 

Just keep in mind this: traffic must match every column in the rule for the rule to hit.

Let's say you have a rule with app SSH and port 8080.

SSH on standard port 22 doesn't match the service field.

Web-browsing on port 8080 doesn't match the application field.

Only the SSH application on port 8080 would match that rule.

If you want to have both in the same rule, put both SSH and web-browsing in the application field, and both port 22 and port 8080 in the service field.

This is all assuming that your http application will be recognised as web-browsing.

 

 

An easy way to figure out how a Security Policy works is to remember:

 

All of the items in a column are OR'd together.

All of the columns are AND'd together.

 

So, ( application1 OR application2 ) AND ( service1 OR service2 ) must match to allow the traffic through.

 

In your specific case, you'd want to create two separate policies:

  1. to allow web-browsing application on service 8080/tcp and 8081/tcp

  2. to allow ssh application on service application-default

 

You could create a single policy with ssh and web-browsing applications, and 22/tcp, 8080/tcp, 8081/tcp, if you're okay with the possibility of SSH traffic being allowed on ports 8080/8081, and web browsing being allowed on port 22.  This is where adding in the source / destination IPs can be used to lock the rule down further.
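To make the "items in a column are OR'd, columns are AND'd" rule concrete, here is an added example that is not part of any post above and is not Palo Alto Networks code: a small Python model of first-hit security-policy evaluation, run over the three options this thread discusses (the single ssh + 8080 rule from the question, the separate per-application rules recommended above, and the merged ssh + web-browsing rule from the last reply). Everything in it is an assumption for illustration: the rule and flow shapes, the application-default port table, the rule names, and the sample sessions, which assume App-ID has already identified each session's application.

```python
"""Model of PAN-OS-style security-rule matching (added example, not vendor code).

Assumptions, all hypothetical: App-ID has already identified each session's
application; "application-default" is modelled as a per-application table of
standard ports; rules are evaluated top to bottom and the first hit wins.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union

# Ports accepted when a rule's service is "application-default".
# Constructed table for this example; it covers only the apps in the thread.
APPLICATION_DEFAULT: Dict[str, Set[Tuple[str, Optional[int]]]] = {
    "ssh": {("tcp", 22)},
    "web-browsing": {("tcp", 80)},
    "ping": {("icmp", None)},
    "icmp": {("icmp", None)},
}


@dataclass(frozen=True)
class Flow:
    app: str              # application App-ID identified on the session
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for protocols that carry no port


@dataclass
class Rule:
    name: str
    applications: Set[str]
    # Either a set of (proto, port) service objects or the literal "application-default".
    services: Union[Set[Tuple[str, int]], str]
    action: str = "allow"

    def matches(self, flow: Flow) -> bool:
        # Entries within one column are OR'd: any listed application satisfies it.
        app_ok = flow.app in self.applications
        if self.services == "application-default":
            svc_ok = (flow.proto, flow.dport) in APPLICATION_DEFAULT.get(flow.app, set())
        else:
            # Service objects are TCP/UDP only, so ICMP never satisfies an explicit service.
            svc_ok = flow.proto in ("tcp", "udp") and (flow.proto, flow.dport) in self.services
        # Columns are AND'd: both must hold for the rule to hit.
        return app_ok and svc_ok


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """Top-to-bottom, first-hit evaluation; no hit falls through to the implicit deny."""
    for rule in policy:
        if rule.matches(flow):
            return f"{rule.action}:{rule.name}"
    return "deny:implicit"


# The single rule from the question: ssh in Application, 8080/8081 in Service.
SINGLE_RULE = [Rule("ssh-on-8080", {"ssh"}, {("tcp", 8080), ("tcp", 8081)})]

# Separate rules, one per intent, as recommended in the thread.
SEPARATE_RULES = [
    Rule("allow-icmp", {"ping", "icmp"}, "application-default"),
    Rule("allow-ssh", {"ssh"}, "application-default"),
    Rule("allow-web-8080", {"web-browsing"}, {("tcp", 8080), ("tcp", 8081)}),
]

# One merged rule: every app in the column is OR'd against every service in the column.
MERGED_RULE = [Rule("merged", {"ssh", "web-browsing"},
                    {("tcp", 22), ("tcp", 8080), ("tcp", 8081)})]

# Constructed sample sessions, keyed by a readable label.
FLOWS: Dict[str, Flow] = {
    "ssh tcp/22": Flow("ssh", "tcp", 22),
    "ssh tcp/8080": Flow("ssh", "tcp", 8080),
    "web-browsing tcp/8080": Flow("web-browsing", "tcp", 8080),
    "web-browsing tcp/22": Flow("web-browsing", "tcp", 22),
    "ping icmp": Flow("ping", "icmp", None),
}


def verdicts(policy: List[Rule]) -> Dict[str, str]:
    """Verdict for every sample session under the given policy."""
    return {label: evaluate(policy, flow) for label, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, policy in (("single rule", SINGLE_RULE),
                         ("separate rules", SEPARATE_RULES),
                         ("merged rule", MERGED_RULE)):
        print(f"--- {name} ---")
        for label, verdict in verdicts(policy).items():
            print(f"{label:24} {verdict}")
```

Running it shows the three outcomes discussed above: the single rule passes only ssh on 8080 and drops both ssh on 22 and the web application on 8080; the separate rules pass exactly what was intended; the merged rule also passes ssh on 8080/8081 and web-browsing on 22, which is the over-permissive combination the last reply warns about. In every policy, the ping session can only be allowed by a rule whose service is application-default, since an explicit TCP/UDP service object never matches ICMP.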
