Services list

L4 Transporter

Does anyone know if there is a list of services that come on the PA 5050 by default? I am in the process of removing unused services from my PA.

14 replies

L6 Presenter

Services?

Cyber Elite

@jdprovine,

The only pre-defined services are service-http and service-https. Any additional service included in your Services list would have been added. FYI, if you attempt to delete a service that is actively being used in a rule, the commit validation will fail.

@BPry


I am in the process of doing some clean up of our firewall after having the PA healthcheck done, and I have been doing a check using the migration tool. According to the migration tool we have 323 total services and 192 of those are not being used. So I have been using the global search to see if they are being used and then deleting them if they are not.

I was not here when they migrated from the old ASA firewall to the PA, but if there were only 2 predefined services, a lot must have been created or migrated.


@jdprovine,

The early migration tool was kind of terrible at migrating from an ASA to a PA, which is why I really haven't touched it since...despite being told it's way better than before. It wouldn't be uncommon for the earlier migration to create a large amount of services, simply because the ASA wasn't doing any application discovery and, without a large amount of work, most people don't actually keep track of what port whatever actually did in their ASA security policies.

I would start to migrate away from using Services and more towards creating custom applications if possible; they aren't that hard to build out and it's way easier to identify what is actually still needed going forward. 

@BPry

Definitely trying to move away from using services and making it do everything based on App-ID. I did find something interesting. If the PA classifies the applications as unknown, not-applicable or anything like that, couldn't it give you a false reading? For example, the echo service is being classified as not-applicable, so it is saying a service is unused when it really is being used.

@jdprovine,

You should have that service then in a security policy that actually allows the traffic, in which case the service would be in use.

Good news, I see it added to a policy as an application, so that means the service isn't being used but the app is - good deal.

@BPry


We do have an interesting situation: the service echo is configured as a service on a deny rule. So I guess you would say that service is being used and not used at the same time. I am of the thought that the services on the rule should probably be set to any and not delineating services.

@jdprovine,

What exactly does the Deny rule look like right now? Some people will build a Deny rule specifically around Services to essentially block a port instead of an application. 

@BPry

Like this:

[image: deny.PNG]

@jdprovine,

So without knowing what the rest of your security rulebase actually looks like I wouldn't remove those services and specify an 'any' rule, although you probably could. 

Essentially what this rule would be doing is specifying that traffic from OUTSIDE can't access anything within PNIC on any service object specified in the security policy. Since the Service object is essentially a port, all this rule is doing is denying OUTSIDE from accessing PNIC on any of the ports that the Service objects actually refer to. Someone likely did this so that they could generate traffic logs for outside traffic on these specific ports, but still keep the default interzone traffic rule logging disabled. 

@BPry

Well, I was trying to remove the echo service because it is showing as unused in the migration tool. But since it is a part of an actual rule I can't.

@jdprovine,

Ya, like I said, I'm not a huge fan of the migration tool. I've noticed that anything in a deny rule is usually skipped by the migration tool, likely because the default action would be to deny the traffic unless a security policy is created that actually allows the traffic flow. I would take anything you pull from the migration tool with a slight grain of salt.

@BPry

Well, I am also using the global search to verify if the services are really being used. I guess it would be just as easy to go through the services one by one and do the global search. One thing I do know is I have too many services, and it would be good to replace them as much as possible with applications.
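The per-service check the thread converges on (is a service object referenced by any security rule, allow or deny, directly or through a service group?) can be run offline against an exported configuration. The script below is an added example, not from the thread or from Palo Alto Networks; it assumes a simplified PAN-OS vsys XML layout (`service`, `service-group`, `rulebase/security/rules`) and uses a constructed sample config.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed (simplified) shape of a PAN-OS vsys config export.
# The predefined service-http/service-https objects are not part of the vsys config
# and are deliberately absent here.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<service>
  <entry name="tcp-8080"><protocol><tcp><port>8080</port></tcp></protocol></entry>
  <entry name="udp-echo"><protocol><udp><port>7</port></udp></protocol></entry>
  <entry name="tcp-2222"><protocol><tcp><port>2222</port></tcp></protocol></entry>
  <entry name="tcp-9999"><protocol><tcp><port>9999</port></tcp></protocol></entry>
</service>
<service-group>
  <entry name="grp-mgmt"><members><member>tcp-2222</member></members></entry>
</service-group>
<rulebase><security><rules>
  <entry name="allow-web"><action>allow</action>
    <service><member>tcp-8080</member></service></entry>
  <entry name="deny-outside"><action>deny</action>
    <service><member>udp-echo</member><member>grp-mgmt</member></service></entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def service_references(config_xml):
    """Map each service object to the (rule name, action) pairs that reference it,
    directly or via a service group. An empty list means the object is unreferenced."""
    vsys = ET.fromstring(config_xml).find("./devices/entry/vsys/entry")
    refs = {e.get("name"): [] for e in vsys.findall("./service/entry")}
    groups = {g.get("name"): [m.text for m in g.findall("./members/member")]
              for g in vsys.findall("./service-group/entry")}
    for rule in vsys.findall("./rulebase/security/rules/entry"):
        rule_name, action = rule.get("name"), rule.findtext("action")
        # Deny rules are walked too: a service used only to deny a port is still in use,
        # and deleting it would fail commit validation.
        for member in rule.findall("./service/member"):
            for svc in groups.get(member.text, [member.text]):
                if svc in refs:  # skips 'any', 'application-default', predefined names
                    refs[svc].append((rule_name, action))
    return refs


def unused_services(config_xml):
    """Service objects no security rule references; candidates for deletion."""
    return sorted(n for n, r in service_references(config_xml).items() if not r)


if __name__ == "__main__":
    for name, rules in service_references(SAMPLE_CONFIG).items():
        print(f"{name}: {rules or 'UNUSED'}")
```

Running it on the sample flags only tcp-9999 as unused; udp-echo is reported as used by a deny rule, which is exactly the case the migration tool is said to skip.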
