The only pre-defined services are service-http and service-https. Any additional service included in your Services list would have been added. FYI, if you attempt to delete a service that is actively being used in a rule, the commit validation will fail.
I am in the process of doing some cleanup of our firewall after having the PA health check done, and I have been doing a check using the migration tool. According to the migration tool we have 323 total services and 192 of those are not being used. So I have been using the global search to see if they are being used and then deleting them if they are not.
I was not here when they migrated from the old ASA firewall to the PA, but if there were only 2 predefined services, a lot must have been created or migrated.
The early migration tool was kind of terrible at migrating from an ASA to a PA, which is why I really haven't touched it since... despite being told it's way better than before. It wouldn't be uncommon for the earlier migration to create a large number of services, simply because the ASA wasn't doing any application discovery, and without a large amount of work most people don't actually keep track of what port whatever actually did in their ASA security policies.
I would start to migrate away from using Services and more towards creating custom applications if possible; they aren't that hard to build out and it's way easier to identify what is actually still needed going forward.
Definitely trying to move away from using services and make it do everything based on App-ID. I did find something interesting. If the PA classifies the applications as unknown, not-applicable or anything like that, couldn't it give you a false reading? For example, the echo service is being classified as not-applicable, so it is saying a service is unused when it really is being used.
We do have an interesting situation: the service echo is configured as a service on a deny rule. So I guess you would say that service is being used and not used at the same time. I am of the thought that the services on the rule should probably be set to any and not delineating services.
What exactly does the Deny rule look like right now? Some people will build a Deny rule specifically around Services to essentially block a port instead of an application.
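The cleanup described earlier in the thread (checking each service object with global search before deleting it) and the echo-on-a-deny-rule case can both be answered from the configuration itself rather than from traffic statistics, which is what the migration tool's "unused" count is based on. The following is an added example, not code from the thread or from Palo Alto Networks: it parses an exported configuration, resolves service groups transitively, and cross-references every service object against the security rulebase. The XML sample is constructed here and only approximates the PAN-OS export layout (service, service-group and rulebase/security/rules under vsys/entry); confirm the element paths against your own export before relying on it. The function names `service_usage` and `_expand` are this example's own.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

PREDEFINED = {"service-http", "service-https"}   # the two built-in service objects
SPECIAL = {"any", "application-default"}         # rule keywords, not objects

# Constructed sample config; assumption: shaped like a PAN-OS XML export.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <service>
    <entry name="tcp-8080"><protocol><tcp><port>8080</port></tcp></protocol></entry>
    <entry name="echo"><protocol><tcp><port>7</port></tcp></protocol></entry>
    <entry name="tcp-9999"><protocol><tcp><port>9999</port></tcp></protocol></entry>
    <entry name="udp-514"><protocol><udp><port>514</port></udp></protocol></entry>
  </service>
  <service-group>
    <entry name="web-extra"><members><member>tcp-8080</member></members></entry>
    <entry name="syslog"><members><member>udp-514</member></members></entry>
  </service-group>
  <rulebase><security><rules>
    <entry name="allow-web">
      <service><member>service-https</member><member>web-extra</member></service>
      <action>allow</action>
    </entry>
    <entry name="block-echo">
      <service><member>echo</member></service>
      <action>deny</action>
    </entry>
    <entry name="allow-apps">
      <service><member>application-default</member></service>
      <action>allow</action>
    </entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def _expand(name, groups, seen=frozenset()):
    """Resolve a rule's service member to concrete service names.

    Groups may nest; `seen` guards against a cyclic group definition.
    """
    if name in seen:
        return set()
    if name not in groups:
        return {name}
    out = set()
    for member in groups[name]:
        out |= _expand(member, groups, seen | {name})
    return out


def service_usage(xml_text):
    """Cross-reference service objects against the security rulebase."""
    root = ET.fromstring(xml_text)
    defined, groups, rules = set(), {}, []
    for vsys in root.findall(".//vsys/entry"):
        defined |= {e.get("name") for e in vsys.findall("service/entry")}
        for g in vsys.findall("service-group/entry"):
            groups[g.get("name")] = [m.text.strip() for m in g.findall("members/member")]
        rules += vsys.findall("rulebase/security/rules/entry")

    refs = defaultdict(set)  # service name -> {"rule-name (action)"}
    for rule in rules:
        label = f'{rule.get("name")} ({rule.findtext("action", "allow").strip()})'
        for m in rule.findall("service/member"):
            for svc in _expand(m.text.strip(), groups):
                refs[svc].add(label)

    in_any_group = {m for members in groups.values() for m in members}
    unused = defined - set(refs)
    return {
        "unused": sorted(unused),
        # not reachable from any rule but still a group member: drop it from
        # the group first, or the commit validation rejects the delete
        "group_only": sorted(unused & in_any_group),
        # referenced only by deny rules: still "used" for cleanup purposes,
        # even though App-ID logs show that traffic as not-applicable
        "deny_only": sorted(s for s in refs if s in defined
                            and all(r.endswith("(deny)") for r in refs[s])),
        # names in rules that are neither defined, predefined nor keywords
        "unknown": sorted(s for s in refs if s not in defined | PREDEFINED | SPECIAL),
        "references": {s: sorted(v) for s, v in refs.items()},
    }


if __name__ == "__main__":
    report = service_usage(SAMPLE_CONFIG)
    for key in ("unused", "group_only", "deny_only", "unknown"):
        print(f"{key}: {report[key]}")
```

Run it against a real export by reading the file into `service_usage` instead of `SAMPLE_CONFIG`. Because the check is against policy references rather than hit counts, a port-based deny rule keeps its service listed under `deny_only` instead of being reported as unused, which is the false reading the not-applicable classification produces in traffic-based tools. Only NAT, decryption and other rulebases are not covered here; if you use services there, extend the `rules` collection to those paths before trusting the `unused` list.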