service versus using an application for Rule match

L4 Transporter

service versus using an application for Rule match

 

Need to know if we use application instead of service in a security policy.

When we use a service, that enables the firewall to take immediate action on the first observed packet, based on the port number.

When we use "application" in a rule, will that allow the firewall to take action after enough packets are allowed through for App-ID identification, regardless of the ports being used?

MP
L7 Applicator

Re: service versus using an application for Rule match

Hi @MP18

 

Ideally both.

The services will be able to block/allow SYN packets based on the destination port, and the applications will be able to identify whether the packets flowing over port 80 are really web-browsing and not something else abusing the open port.

Setting the service to 'application-default' instead of a set of ports will enforce even tighter controls, as a mixed rule (i.e. ftp, ssh, dns, ...) will ensure TCP 21 is only used by ftp and not by ssh, which is allowed in the same rule.

 

L4 Transporter

Re: service versus using an application for Rule match

Can you please confirm if this is right for application:

When we use "application" in a rule, that will allow the firewall to take action after enough packets are allowed through for App-ID identification, regardless of the ports being used.

MP
L4 Transporter

Re: service versus using an application for Rule match

Only if you set Service to any. Then it will allow those specific applications through, regardless of which port the traffic is going through.

 

If you set Service to application-default, then it will only allow traffic through that matches the list of ports listed in the App-ID information for the application.

 

If you set a specific port/set of ports in the Service, then it will only allow traffic through that matches the application on the listed ports.
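As an added illustration of the three cases in this answer (not code from the thread or from PAN-OS), here is a small Python model of how the service and application fields of a rule combine, with the SYN-time (port only) verdict separated from the verdict once App-ID has identified the session; the App-ID default-port table is constructed for the demo.

```python
# Simplified model of security-policy rule matching: "service" is checked on the
# first packet (port only), "application" once App-ID has identified the session.
# Added example, not PAN-OS code; the default-port table below is constructed.
from dataclasses import dataclass
from typing import Optional, Set, Tuple, Union

Port = Tuple[str, int]  # (protocol, port)

# Constructed App-ID "standard port" table used for application-default.
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssh": {("tcp", 22)},
    "ftp": {("tcp", 21)},
    "dns": {("udp", 53), ("tcp", 53)},
}

@dataclass
class Rule:
    applications: Set[str]                      # App-IDs allowed by the rule
    service: Union[str, Set[Port]]              # "any", "application-default", or explicit ports

def service_permits(rule: Rule, proto: str, port: int, app: Optional[str] = None) -> bool:
    """Port-level check. Before App-ID has identified the session (app is None),
    application-default is evaluated as the union of all rule apps' default ports."""
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        apps = [app] if app else list(rule.applications)
        return any((proto, port) in APP_DEFAULT_PORTS.get(a, set()) for a in apps)
    return (proto, port) in rule.service

def evaluate(rule: Rule, proto: str, port: int, identified_app: str) -> Tuple[str, str]:
    """Return (first_packet_verdict, final_verdict).
    first_packet_verdict: what can be decided on the SYN from the port alone.
    final_verdict: the decision once App-ID has identified the application."""
    first = "allow" if service_permits(rule, proto, port) else "deny"
    if first == "deny":
        return first, "deny"
    app_ok = identified_app in rule.applications
    final = "allow" if app_ok and service_permits(rule, proto, port, identified_app) else "deny"
    return first, final

if __name__ == "__main__":
    web_any = Rule({"web-browsing"}, "any")
    web_default = Rule({"web-browsing"}, "application-default")
    mixed_default = Rule({"ftp", "ssh"}, "application-default")
    mixed_ports = Rule({"ftp", "ssh"}, {("tcp", 21), ("tcp", 22)})
    print("service any, web-browsing on 8080:", evaluate(web_any, "tcp", 8080, "web-browsing"))
    print("application-default, web-browsing on 8080:", evaluate(web_default, "tcp", 8080, "web-browsing"))
    print("application-default, ssh on 21:", evaluate(mixed_default, "tcp", 21, "ssh"))
    print("explicit ports 21/22, ssh on 21:", evaluate(mixed_ports, "tcp", 21, "ssh"))
```

The last two cases show the point made earlier in the thread: with explicit ports, ssh is accepted on TCP 21, while application-default rejects it once App-ID sees the session is not ftp.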

L7 Applicator

Re: service versus using an application for Rule match

Hello,

Also remember that the PAN lets the first few packets through so it can analyze them. It will then apply the policies that match. I try and write my policies as strict as possible and use Application everywhere I can so I don't run into an application that likes to port hop or spoof itself, as Reaper mentioned.

 

Regards,

L4 Transporter

Re: service versus using an application for Rule match

Many thanks Everyone.

MP