Services list

L4 Transporter

Services list

Does anyone know if there is a list of services that come on the PA 5050 by default? I am in the process of removing unused services from my PA.

L6 Presenter

Re: Services list

Services?

L7 Applicator

Re: Services list

@jdprovine,

The only pre-defined services are service-http and service-https. Any additional service included in your Services list would have been added. FYI, if you attempt to delete a service that is actively being used in a rule, the commit validation will fail.

L4 Transporter

Re: Services list

@BPry

I am in the process of doing some clean up of our firewall after having the PA healthcheck done, and I have been doing a check using the migration tool. According to the migration tool we have 323 total services and 192 of those are not being used. So I have been using the global search to see if they are being used and then deleting them if they are not.

I was not here when they migrated from the old ASA firewall to the PA, but if there were only 2 pre-defined services, a lot must have been created or migrated.

L7 Applicator

Re: Services list

@jdprovine,

The early migration tool was kind of terrible at migrating from an ASA to a PA, which is why I really haven't touched it since...despite being told it's way better than before. It wouldn't be uncommon for the earlier migration to create a large amount of services, simply because the ASA wasn't doing any application discovery and, without a large amount of work, most people don't actually keep track of what port whatever actually did in their ASA security policies.

I would start to migrate away from using Services and more towards creating custom applications if possible; they aren't that hard to build out and it's way easier to identify what is actually still needed going forward.

L4 Transporter

Re: Services list

@BPry

Definitely trying to move away from using services and making it do everything based on App-ID. I did find something interesting. If the PA classifies the applications as unknown, not-applicable or anything like that, couldn't it give you a false reading? For example, the echo service is being classified as not-applicable, so it is saying a service is unused when it really is being used.

L7 Applicator

Re: Services list

@jdprovine,

You should have that service then in a security policy that actually allows the traffic, in which case the service would be in use.

L4 Transporter

Re: Services list

Good news, I see it added to a policy as an application, so that means the service isn't being used but the app is - good deal.

L4 Transporter

Re: Services list

@BPry

We do have an interesting situation: the service echo is configured as a service on a deny rule. So I guess you would say that service is being used and not used at the same time. I am of the thought that the services on the rule should probably be set to any and not delineating services.

L7 Applicator

Re: Services list

@jdprovine,

What exactly does the Deny rule look like right now? Some people will build a Deny rule specifically around Services to essentially block a port instead of an application.
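As an added example (not from this thread, the migration tool, or Palo Alto Networks), the usage check jdprovine is doing by hand can be run over an exported PAN-OS configuration: every service object in the vsys is classified as unused, referenced only by deny rules, or referenced by an allow rule, with service groups expanded so a service that is only used through a group is not mistaken for unused. The XML layout below follows the PAN-OS running-config structure for vsys1 security rules; the config fragment itself is constructed for the example, and NAT, decryption and QoS rules, which also reference services, are not scanned.

```python
import xml.etree.ElementTree as ET

# Constructed config fragment in PAN-OS running-config layout (not a real export).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<service>
  <entry name="echo-tcp"><protocol><tcp><port>7</port></tcp></protocol></entry>
  <entry name="legacy-asa-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
  <entry name="old-ftp"><protocol><tcp><port>21</port></tcp></protocol></entry>
  <entry name="syslog-udp"><protocol><udp><port>514</port></udp></protocol></entry>
</service>
<service-group>
  <entry name="mgmt-ports"><members><member>legacy-asa-8443</member></members></entry>
</service-group>
<rulebase><security><rules>
  <entry name="block-echo"><action>deny</action><service><member>echo-tcp</member></service></entry>
  <entry name="allow-mgmt"><action>allow</action><service><member>mgmt-ports</member></service></entry>
  <entry name="allow-web"><action>allow</action>
    <service><member>service-http</member><member>service-https</member></service></entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

VSYS_PATH = "./devices/entry/vsys/entry"  # first vsys only; loop over findall() for multi-vsys


def classify_services(config_xml):
    """Return which custom service objects are unused, deny-only, or allowed by security rules."""
    vsys = ET.fromstring(config_xml).find(VSYS_PATH)
    services = {e.get("name") for e in vsys.findall("service/entry")}
    groups = {g.get("name"): [m.text for m in g.findall("members/member")]
              for g in vsys.findall("service-group/entry")}

    def expand(member):
        # Recursively flatten service groups; predefined members such as
        # service-http, any or application-default simply pass through.
        if member in groups:
            for inner in groups[member]:
                yield from expand(inner)
        else:
            yield member

    actions_by_service = {name: set() for name in services}
    for rule in vsys.findall("rulebase/security/rules/entry"):
        action = rule.findtext("action")
        for member in rule.findall("service/member"):
            for svc in expand(member.text):
                if svc in actions_by_service:
                    actions_by_service[svc].add(action)
    return {
        "unused": sorted(s for s, a in actions_by_service.items() if not a),
        "deny_only": sorted(s for s, a in actions_by_service.items() if a == {"deny"}),
        "allowed": sorted(s for s, a in actions_by_service.items() if "allow" in a),
    }
```

Only the "unused" list is safe to delete without further review; "deny_only" entries are the echo-style case from this thread, where the object is referenced but no traffic is permitted by it.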
