application override VS service



L0 Member

I have new application.

I need to know what the difference is between an application override policy and a security policy that uses the service port number, since both are stateful inspection at Layer 4?


Service:
Allows you to select a Layer 4 (TCP or UDP) port for the application. You can choose any, specify a port, or use application-default to permit use of the standards-based port for the application.


Application Override:
Identify sessions that you do not want processed by the App-ID engine, which is a Layer-7 inspection. Traffic matching an application override policy forces the firewall to handle the session as a regular stateful inspection firewall at Layer-4.


my reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/policy-types.html

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-policy/components-of-a-sec...


2 REPLIES

Cyber Elite

The service port lets you determine on which port TCP is allowed to connect.


So if you set port 80, TCP is allowed to connect on port 80; App-ID can then determine if the session is web-browsing or ftp or ssh or something else. Because you allowed port 80, the session will be allowed through and App-ID will simply identify the app.


If you use application-default, App-ID will use its knowledge of the data flow to determine if the port it sees in the TCP session matches what it sees in the payload. So if a TCP session on port 80 comes in, that's fine, but after it sends payload and App-ID determines that the session is actually LDAP, it will drop the connection as it is using a non-default port.


In both of the above cases, App-ID will keep track of the flow and make sure the application is behaving as expected, applying the right heuristics etc. to determine if there are any threats or application switches happening.


Application-override tells App-ID and Content-ID (if used with a custom app) to not inspect a session at all and simply label it as the custom app. So if you set app override on port 80, that opens up port 80 to all underlying applications and threats.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
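As an added illustration (not from any reply in this thread, and not Palo Alto Networks code), the following Python model walks through the three behaviours described above: a fixed service port with App-ID, application-default, and an application override. The `DEFAULT_PORTS` table and the `Session`/`Verdict` names are constructed for the example; real App-ID processing is far richer than this.

```python
from dataclasses import dataclass

# Constructed stand-in for App-ID's table of standards-based ports;
# the real table is far larger. Values here are the usual IANA ports.
DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "ssh": {22}, "ldap": {389}}

@dataclass
class Session:
    dst_port: int             # Layer-4 destination port (TCP assumed)
    payload_app: str          # what App-ID would identify from the payload
    has_threat: bool = False  # whether Content-ID would find a threat in the payload

@dataclass
class Verdict:
    action: str        # "allow" or "drop"
    app: str           # application label the firewall attaches to the session
    inspected: bool    # whether App-ID / Content-ID examined the payload at all
    threat_seen: bool  # whether a threat in the payload was actually detected

def security_rule(session: Session, service) -> Verdict:
    """Security policy rule whose service is either a fixed port (int) or
    'application-default'. App-ID always inspects the payload here."""
    if service != "application-default" and session.dst_port != service:
        return Verdict("drop", "unknown", False, False)  # no Layer-4 match
    app = session.payload_app
    if service == "application-default" and session.dst_port not in DEFAULT_PORTS.get(app, set()):
        # Identified app is on a non-default port: dropped after identification.
        return Verdict("drop", app, True, session.has_threat)
    return Verdict("allow", app, True, session.has_threat)

def application_override_rule(session: Session, port: int, custom_app: str):
    """Application override rule: matches on the Layer-4 port only and labels
    the session as custom_app without any App-ID or Content-ID inspection.
    Returns None when the port does not match, so the session falls through
    to normal App-ID processing. Assumes a security rule permitting
    custom_app exists, as it must on a real firewall."""
    if session.dst_port != port:
        return None
    return Verdict("allow", custom_app, False, False)

def evaluate(session: Session, service=80, override=None) -> Verdict:
    """Try the override rule (a (port, custom_app) tuple) first, as the
    firewall does, then fall back to the security rule."""
    if override is not None:
        verdict = application_override_rule(session, *override)
        if verdict is not None:
            return verdict
    return security_rule(session, service)
```

Running `evaluate` on an LDAP payload arriving on port 80 shows the difference: a fixed service of 80 allows it but still inspects and labels it `ldap`, application-default drops it, and an override on port 80 allows it with no inspection and no threat detection.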

Hello,

I would suggest staying away from overrides if you can. They bypass the threat engine, so there could potentially be malicious traffic.


Regards,
