Security policies, mixing app and "service" options, ping, PPTP and NAT?

L3 Networker

Security policies, mixing app and "service" options, ping, PPTP and NAT?

I've a bunch of Citrix servers that I need to have a security rule for.  I put together an address group for their public IPs, and I see that there is a "Citrix" application definition.

However, the Citrix servers also need port 8080 routed to them for the Citrix XML browsing service (these are Metaframe 4.5 servers).  Normally you'd run the XML service on port 80, but we changed to an alternate port to avoid potential overlaps in case we needed port 80 for something else.

What's the best way to write my rule for this?  If I use the application definition for Citrix that will handle the actual session traffic, but should I then create a service definition for port 8080 and put that on the same rule?  Or is it better to use two separate rules, one with the Application defined and another with an application of "any" and just defining the Service port?

Continuing in the same line, if I want to allow ICMP ping to these addresses, how?  I see there's an application for ICMP, but I don't want the entire protocol, just ping.

Finally, related to all of this, I have a server that is using microsoft VPN and acting as a PPTP endpoint for a small number of clients.  I plan to transition them to the PAN SSL VPN client later, but until I can do this I need to pass PPTP traffic through to an internal host.  I am not sure how to do this on the NAT rule (I know about TCP 1723, but there is also the GRE protocol that needs to be dealt with); the Security rule looks straightforward as I should just be able to add the PPTP application, right?

L3 Networker

Re: Security policies, mixing app and "service" options, ping, PPTP and NAT?

Our app decoders will detect Citrix over any port. What the rule would look like is application citrix, service 8080. What this is saying is that we will allow Citrix over port 8080.

As for your ping question, we have an application called ping, which you will need to select in your rule.

L3 Networker

Re: Security policies, mixing app and "service" options, ping, PPTP and NAT?

Regarding Citrix again - most of the traffic uses the normal predefined Citrix ports.  The only traffic we have on 8080 is the XML Browser traffic (i.e. the "HTTP" portion of TCP/HTTP when using a Citrix client).  Do I still need to configure the Service port, or can I just allow the Citrix app and this will be passed?  The description of the Citrix app itself doesn't mention the browsing portion of Citrix (or at least not the ports it runs on), hence my confusion.

The "standard ports" listed for Citrix are:

tcp/443,2512,2513,2598,1494, udp/2512,2513

XML browsing normally runs on 80, or 443 as an option (SSL-encrypted browsing).  However you can define it to whatever port you want.  I'm just not sure if the app signature will be able to identify the traffic, and I don't have the luxury of putting a Citrix server behind the PAN to test until I'm ready to go live with it.

As a general rule, is it "better" or more efficient to use Application, or Service definitions when talking about Security Rules on the PAN?

L4 Transporter

Re: Security policies, mixing app and "service" options, ping, PPTP and NAT?

Hi Bradenmcg,

In general you should try to use application instead of, or in addition to, services if possible.

What I would do in your situation is create a separate port-based rule with the application as "any" above the other application rule.  Then after some time, review the logs and see what application is being identified on that port.  Then change the application to the correct one.  If the application is being identified as the same application as the rule below, then you may not need this extra rule.

The cool thing is that the app-id still happens and is logged even if you don't use it in the rule.
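The interim-rule approach described in this reply, as an added worked model (this is not code from the forum thread or from Palo Alto Networks, and it models generic first-match rule semantics, not the exact App-ID engine): a small Python policy evaluator with constructed TEST-NET addresses and constructed sample flows. It shows that application and service on one rule are ANDed, that a port-based "any" rule placed above the Citrix rule records which App-IDs actually land on tcp/8080 (the "review the logs" step), that "ping" and the broader "icmp" application are matched separately, and that pinning the interim rule to the observed application afterwards closes the port to everything else.

```python
from collections import Counter
from dataclasses import dataclass, field

ANY = "any"


@dataclass(frozen=True)
class Flow:
    """One session as the firewall would classify it (constructed sample data)."""
    dst: str     # destination address
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port, 0 for protocols without ports
    app: str     # App-ID result, e.g. "citrix", "ping", "web-browsing"


@dataclass
class Rule:
    """A security rule; every non-ANY field must match (fields are ANDed)."""
    name: str
    destinations: object = ANY   # frozenset of addresses, or ANY
    application: str = ANY       # App-ID name, or ANY
    service: object = ANY        # (proto, port) tuple, or ANY
    action: str = "allow"
    seen_apps: Counter = field(default_factory=Counter)  # stands in for the traffic log

    def matches(self, flow: Flow) -> bool:
        if self.destinations != ANY and flow.dst not in self.destinations:
            return False
        if self.application != ANY and flow.app != self.application:
            return False
        if self.service != ANY and (flow.proto, flow.dport) != self.service:
            return False
        return True


# Constructed address group for the Citrix servers (TEST-NET-3 addresses, not real hosts).
CITRIX = frozenset({"203.0.113.10", "203.0.113.11"})


def build_policy(xml_port: int = 8080):
    """Rule order matters: the interim port-based rule sits above the application rule."""
    return [
        Rule("citrix-xml-interim", CITRIX, ANY, ("tcp", xml_port)),  # app any, service tcp/8080
        Rule("citrix", CITRIX, "citrix", ANY),                       # the Citrix application rule
        Rule("ping", CITRIX, "ping", ANY),                           # ping only, not all of ICMP
    ]


def evaluate(policy, flow: Flow):
    """First match wins; the identified app is recorded on the rule that matched (the log)."""
    for rule in policy:
        if rule.matches(flow):
            rule.seen_apps[flow.app] += 1
            return rule.name, rule.action
    return "default-deny", "deny"


def run(policy, traffic):
    return [evaluate(policy, flow) for flow in traffic]


def tighten(policy, rule_name: str, app: str):
    """After log review: replace the any-app interim rule with one pinned to the observed app."""
    out = []
    for rule in policy:
        if rule.name == rule_name:
            rule = Rule(rule.name, rule.destinations, app, rule.service, rule.action)
        out.append(rule)
    return out


# Constructed traffic sample covering the cases discussed in the thread.
SAMPLE_TRAFFIC = [
    Flow("203.0.113.10", "tcp", 8080, "citrix"),        # XML browsing on the alternate port
    Flow("203.0.113.10", "tcp", 8080, "web-browsing"),  # something else on 8080 (leaks through interim rule)
    Flow("203.0.113.11", "tcp", 1494, "citrix"),        # ICA session on a standard Citrix port
    Flow("203.0.113.10", "icmp", 0, "ping"),            # echo request: allowed by the ping rule
    Flow("203.0.113.10", "icmp", 0, "icmp"),            # other ICMP: no rule allows it
    Flow("203.0.113.10", "tcp", 80, "web-browsing"),    # port 80 is not opened at all
]

if __name__ == "__main__":
    policy = build_policy()
    for flow, verdict in zip(SAMPLE_TRAFFIC, run(policy, SAMPLE_TRAFFIC)):
        print(flow, "->", verdict)
    print("apps seen on interim rule:", dict(policy[0].seen_apps))
    tightened = tighten(policy, "citrix-xml-interim", "citrix")
    print("after tightening:", run(tightened, SAMPLE_TRAFFIC))
```

The tightened interim rule is exactly the "application citrix, service 8080" rule from the first reply; the only thing the interim any-app step buys you is evidence (the `seen_apps` counter here, the traffic log on the firewall) that the XML browsing traffic really is identified as citrix on that port before you commit to it.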



L3 Networker

Re: Security policies, mixing app and "service" options, ping, PPTP and NAT?

Back to the PPTP then - I already have 1:1 NAT setup for the PPTP "server."  Do I just need a security rule for Application pptp then?  I'm not sure how to forward GRE traffic, unless the pptp App rule will take care of that?

Not related to any of the other questions - SSL-encrypted IMAP or SMTP, do those fall under the generic "ssl" Application?  I imagine that if I set up SSL decryption / MITM for the PAN, then it would be smart enough to expose the underlying apps, but otherwise I'll need to use "ssl" instead?
