I have littel confiusion, need to know about that what will happen if i have rule where i have seleted application and custom (home grown application port) port in service tab.
Ex- in applicaiton tab i have- Ping,icmp and ssh.
in Service Tab- port 8080 and 8081 (custom web services object)
Will this work or traffic will Drop.
Thanks in Advance. i appriciate the quick answer
Solved! Go to Solution.
It'll work fine as long as the traffic is being identified with that app-id.
mssql-db on 62300/tcp works perfectly fine
mssql-mon on 1436/udp works perfectly fine.
As long as the app-id is being identified then you're good to go.
Thanks for Reply.
I am more concerned about same rule inspecting l4 and L7.
want make sure that firewall does not stuck on app-id and forget about L4 checking as i am not doing application override. just security rule which has both app-id info and L4 info.
i think it should work but want to confirm with experts comments
All rules inspect traffic up to lvl 7 (with 1 exception but irrelevant to this situation).
For example: if you put in the same rule application 'ssh' and in service coloumn 'tcp port 80' you aren't opening ssh and http traffic. You are only allowing ssh traffic on port 80. So ssh on port 22 won't be allowed by this rule. And http traffic on port 80 also won't be allowed. In other words traffic must match all coloumns of rule for that rule to apply.
Considering your example; never put icmp and ping in rule which has services listed as you can't make service for protocol. You need to specify 'application default' for application which don't use TCP or UDP protocol.
Thank you Santonic.
This means, I should create two seprate rule, one allowing Palo alto defined application and second allowing service tab (custom application port)
In the example that you provided above the answer would be yes.
You want one rule that allows application [ ping icmp ] on service application-default; then you want to set the next rule to application ssh service [ 8080/tcp 8081/tcp ]. This would allow all the traffic that you listed in your original post.
I appriciate you time to respnse..
I was trying mean in my first example that traffic will be drop or pass if i create one rule calling SSH in app tab and home grown web application on 8080 in service tab.
From your last comment- if i do the same, SSH in app and 8080 in service tab in single policy than SSH will work on 8080 neither my SSH on default 22 port nor web application on 8080 will work.
So just to finish this, i should create two rule specific to what i want. one for default ssh and another rule for web application on 8080 ? is this correct ?
I hope that now i am very clear on my question?
Just keep in mind this: traffic must match every coloumn in the rule for rule to hit.
Let's say you have a rule with app SSH and port 8080.
SSH on standard port 22 doesn't match the service field.
Web-browsing on port 8080 doesn't match the application field.
Only SSH aplication on port 8080 would match that rule.
If you want to have both in the same rule put both SSH and web-browsing in application field, and both port 22 and port 8080 in service field.
This is all assuming that your http application will be recognised as web-browsing.
An easy way to figure out how a Security Policy works is to remember:
All of the items in a column are OR'd together.
All of the columns are AND'd together.
So, ( application1 OR application2 ) AND ( service1 OR service2 ) must match to allow the traffic through.
In your specific case, you'd want to create two separate policies:
1. to allow web-browsing application on service 8080/tcp and 8081/tcp
2. to allow ssh application on service application-default
You could create a single policy with ssh and web-browsing applications, and 22/tcp, 8080/tcp, 8081/tcp, if you're okay with the possibility of SSH traffic being allowed on ports 8080/8081, and web browsing being allowed on port 22. This is where adding in the source / destination IPs can be used to lock the rule down further.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!