Tips & Tricks: What Does Application-default Under Service Mean?

by Joe Delio on 06-30-2015 01:30 PM - edited on 09-14-2015 04:17 AM (16,568 Views)

 

What does Application-default under Service mean?

When it comes to creating security policy rules, there are a lot of components that make up a rule. One of the more confusing ones I have been asked about is "Application-default" under Service.

(Screenshot: tnt-2015-06-30-p1.png)

 

The "Service/URL Category" tab is where you define which ports (services) the rule matches for the selected applications.

For example: the application web-browsing (HTTP) uses TCP port 80 by default.

(Screenshot: tnt-2015-06-30-p2.png)

Inside any rule, under the Service/URL Category tab, there is a drop-down menu on the left-hand side of the screen.

You will see the following three options:

  1. Any
  2. Select
  3. Application-default

 

What do they mean?

  1. Any - This simply means all ports, 1-65535, TCP or UDP. The selected applications are allowed or denied on any protocol and port.
  2. Select - You specify exactly which TCP or UDP ports the applications you want to allow or block may use. Choose an existing service object, or choose Service or Service Group to create a new entry. Note that the listed ports are not tied to a particular application: every application in the rule is permitted on every listed port.
  3. Application-default - The selected applications are allowed or denied only on the default ports defined for them by Palo Alto Networks in the application database. This option is recommended for allow rules because it prevents applications from running on unusual ports and protocols, which, if not intentional, can be a sign of undesired application behavior and usage.

Note: With this option the device still identifies all applications on all ports; the difference is that a session is only allowed if the identified application is running on one of its default ports/protocols.

 

Let's show this in a rule with DNS as an example:

(Screenshot: tnt-2015-06-30-p3.png)

The first rule allows the DNS application, but only on UDP port 53 (a service specified with Select).

The second rule allows the DNS application, but uses application-default.

If DNS were sent over TCP port 53, it would not be allowed by the first rule.

The second rule, however, would allow it. Why, and how does the firewall know?

 

To see why, look at the DNS application under Objects > Applications: type DNS in the search box and click on 'dns' to see the following screen:

(Screenshot: tnt-2015-06-30-p4.png)

Notice the application's standard ports listed:

tcp/53,udp/53,5353

That is TCP port 53, UDP port 53 and UDP port 5353.

 

Because the first rule only allows UDP port 53, DNS on TCP port 53 or UDP port 5353 would not be allowed by it: application-default was not used, so the default port list is never consulted. The same setting can also be used in deny rules to block applications. This is just a simple example, but it shows how much easier it is to allow application-default instead of trying to specify every TCP or UDP port by hand.

 

The same applies to rules with "any" as the application: whichever application is identified, the session is only allowed if that application is using its standard ports.
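As an added illustration (not PAN-OS code and not part of the original post), the following Python model reproduces the lookup described above: a header-phase match on protocol and port so the handshake can pass, then an App-ID phase in which a rule with application-default only matches if the identified application is on one of its own standard ports. The port table is constructed sample data: the dns entry is the one shown in the screenshot, while the web-browsing, ssh and skype entries are assumed for the model, with skype's dynamic ports represented as None. The two DNS rules mirror the example rules above; the extra rule sets cover the multi-application and dynamic-port cases raised in the comments.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple, Union

# Default ports per App-ID, as listed under Objects > Applications.
# The dns line is the one in the article; the other entries are constructed
# sample data for this model (a port of None stands for "dynamic").
STANDARD_PORTS = {
    "dns": {("tcp", 53), ("udp", 53), ("udp", 5353)},
    "web-browsing": {("tcp", 80)},
    "ssh": {("tcp", 22)},
    "skype": {("tcp", None), ("udp", None)},  # tcp/dynamic, udp/dynamic
}

# A rule's Service is "any", "application-default", or an explicit set of
# (protocol, port) pairs (the "Select" option).
Service = Union[str, Set[Tuple[str, int]]]


@dataclass(frozen=True)
class Session:
    proto: str                  # "tcp" or "udp"
    dport: int
    app: Optional[str] = None   # None until App-ID has seen enough payload


@dataclass
class Rule:
    name: str
    applications: FrozenSet[str]  # {"any"} or App-ID names
    service: Service
    action: str = "allow"


def is_default_port(app: str, proto: str, dport: int) -> bool:
    """True if (proto, dport) is one of app's standard ports."""
    ports = STANDARD_PORTS.get(app, set())
    return (proto, dport) in ports or (proto, None) in ports


def application_matches(rule: Rule, session: Session) -> bool:
    # Header phase (app unknown) cannot fail on the application yet.
    if session.app is None or "any" in rule.applications:
        return True
    return session.app in rule.applications


def service_matches(rule: Rule, session: Session) -> bool:
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        if session.app is None:
            # Header phase: let the handshake through if the port is a default
            # port of some application this rule allows, so App-ID gets payload.
            return "any" in rule.applications or any(
                is_default_port(a, session.proto, session.dport)
                for a in rule.applications)
        # App-ID phase: the identified app must be on one of ITS own ports.
        return is_default_port(session.app, session.proto, session.dport)
    # "Select": explicit ports, shared by every application in the rule.
    return (session.proto, session.dport) in rule.service


def lookup(rules, session: Session) -> str:
    """First rule whose application AND service both match, else implicit deny."""
    for rule in rules:
        if application_matches(rule, session) and service_matches(rule, session):
            return f"{rule.name}:{rule.action}"
    return "implicit-deny"


# The two DNS rules from the article.
DNS_RULES = [
    Rule("dns-udp53", frozenset({"dns"}), {("udp", 53)}),
    Rule("dns-appdefault", frozenset({"dns"}), "application-default"),
]
# Two applications in one rule: "Select" versus application-default.
MGMT_SELECT = [Rule("mgmt-select", frozenset({"ssh", "web-browsing"}),
                    {("tcp", 22), ("tcp", 80)})]
MGMT_DEFAULT = [Rule("mgmt-appdefault", frozenset({"ssh", "web-browsing"}),
                     "application-default")]
# Dynamic-port application, and "any" application with application-default.
SKYPE_DEFAULT = [Rule("skype-appdefault", frozenset({"skype"}), "application-default")]
ANY_DEFAULT = [Rule("any-appdefault", frozenset({"any"}), "application-default")]

if __name__ == "__main__":
    cases = [
        (DNS_RULES, Session("udp", 53, "dns")),              # dns-udp53:allow
        (DNS_RULES, Session("tcp", 53, "dns")),              # dns-appdefault:allow
        (DNS_RULES, Session("udp", 5353, "dns")),            # dns-appdefault:allow
        (DNS_RULES, Session("tcp", 8053, "dns")),            # implicit-deny
        (MGMT_SELECT, Session("tcp", 22, "web-browsing")),   # mgmt-select:allow
        (MGMT_DEFAULT, Session("tcp", 22, "web-browsing")),  # implicit-deny
        (SKYPE_DEFAULT, Session("tcp", 50000, "skype")),     # skype-appdefault:allow
        (ANY_DEFAULT, Session("tcp", 8053, "dns")),          # implicit-deny
    ]
    for rules, s in cases:
        print(f"{s.proto}/{s.dport} app={s.app}: {lookup(rules, s)}")
```

The model deliberately leaves out zones, addresses and application shifts; its point is the AND between application and service. Run it and compare the two mgmt rule sets: with Select, web-browsing is accepted on port 22 because the ports are shared by every application in the rule, while application-default rejects it because port 22 is not a web-browsing port.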

 

Please see this article for more information on viewing application-default ports through the CLI:

How to View Application-Default Ports for an Application

 

I welcome all feedback in the comments section below.

 

Thanks for reading,

Joe Delio

Comments
by minow
on ‎07-01-2015 05:48 AM

Another important thing to keep in mind:

1) If you choose application-default, only the identified application will be allowed on its port. For example, if you put ssh and web-browsing in the same rule, web-browsing won't be allowed on port 22, but if you put tcp-80 and tcp-22 on the service tab, both ssh and web-browsing will be allowed on both ports.

2) Another thing: if you put a non-TCP/UDP application in the rule and you specify a specific service, this application won't be matched on that rule.

by rabolfathi
on ‎09-21-2015 07:57 AM

Actually, the first rule (UDP-DNS) should work just fine for DNS look-ups for web browsing.  You'd want to enable TCP-UDP for communication among DCs.  Here's a case where I wouldn't use application-default.  Why leave port 5353 open to "Any" in "Untrusted-L3" when you don't use it?

by Sheena
‎07-21-2016 10:43 PM - edited ‎07-21-2016 10:44 PM

I have allowed a specific app of skype and skype-probe with a service of application-default; however, when I tried to telnet to an internet IP on random high ports, my connection was established and hit the specific security rule for skype. Is it because the application-default of skype is udp and tcp/dynamic?

by awu
on ‎07-25-2016 03:47 PM

I encountered a problem with application-default (I'm still pretty new to PAN). I have a security policy which allows external access to a webserver inside, so in the policy I put "ssl" and "web-browsing" in the application field, and have "application-default" in the service field. This stops the HTTPS side of the web site from being accessible, because only port 443 is allowed when the session is identified as "ssl", and only port 80/tcp is allowed when the session is identified as "web-browsing". To make this site accessible as an HTTPS site I have to either use "any" in the service field, or use "service-https" (with or without an additional service-http) in the service field.

 

My explanation for this is that HTTPS traffic is initially identified as ssl (port 443/tcp), which is allowed in, but once the session is identified as web-browsing (I do have inbound SSL decryption set up and working), web-browsing's application-default service is 80/tcp only, and hence the session was denied after the secondary security policy lookup (based on what I read, there is a secondary security policy lookup after each application shift in order to match the session to the most closely matching policy).

 

If this is true, then this pretty much renders application-default useless when an application shift is expected, IMHO. However, I'm not sure my explanation is correct, and I wonder if this is a known issue (or simply a fact) and whether there is any guideline on dealing with it (since I do see some tech notes say application-default should be used whenever possible).

 

 

by kuwc
‎10-07-2016 03:10 PM - edited ‎10-07-2016 03:11 PM

I am concerned about using application-default in the policy because some applications like activedirectory, msrpc and ms-netlogon basically have all TCP and UDP ports as standard ports. I was thinking of using application groups and custom service groups until I came across this post. When using application groups and service groups, as minow stated above, traffic on the web-browsing App-ID can use port 22. This would be less than optimal, because any application identified in the group can use any port in the custom service group.

 

Is it just me, or does anyone else have this issue when transitioning from the other vendor C? On the C platform, yes, we were filtering traffic based on ports only, but we could restrict the ports we allow in a rule, and for services like Active Directory which demand a higher range of ports we could use the inspection engine (DCERPC inspect), which takes care of the secondary connections using higher ports. I cannot find a way to get this done on the PAs other than allowing the higher ports by using app-id/application-default or app-id/custom service groups.

by
on ‎10-10-2016 01:00 AM

@kuwc since PAN-OS 7.0 the ports will be enforced on the application. For example, if you have web-browsing and ftp allowed and someone starts an ftp connection on port 80, the handshake will pass through because the port is open and AppID will want to identify the app (up to this point this is expected behavior; the TCP handshake needs to pass through before an application can be identified).

If ftp is then detected on the non-app-default port 80, the session will be discarded because app-default is being enforced.

 

This behavior requires PAN-OS 7.0, so if you're not on 7.0 yet, please upgrade and take advantage of the added security :)

 

@awu that secondary check for ports will not kick in for SSL-decrypted traffic that gets identified as web-browsing post-decryption; the underlying application will still be ssl and port 443 will still be respected. App-default should only kick in if you are creating an SSL connection on port 80 or a regular HTTP connection on port 443 (which is irregular and not app-default). Not sure what caused your issue, but the port is no longer enforced after the primary (ssl) AppID is detected, so I'd suspect something else is up.

 

@Sheena the telnet app is not an optimal testing tool for this, as it will declare a connected state immediately after the TCP handshake completes, at which point skype would not yet have started transmitting identifiable information. A session will run through the security policy twice: the first time, when only 'header' information (IP and port) is available, to see if the ports and IP addresses are allowed; if a positive policy is matched, the TCP handshake will be allowed to take place so that AppID can kick in as soon as more data is sent that can be identified (at this point telnet will already report it is connected). The second phase is when the payload is transmitted (GET requests etc.) and AppID can identify whether the connection is truly the application you want, and if not, discard the session altogether.

 

by mausmus2
on ‎12-21-2016 11:02 AM

Just looking for clarification.

 

If the default service is tcp/dynamic or udp/dynamic, using "application-default" the security policy will accept that application on any port. You don't have to specify the service as "any". Correct?

 

BTW, nice article.

by
on ‎12-22-2016 12:38 PM

@mausmus2

Correct, the application will be allowed on any port, but you should not set service any.

 

It's important to note that this is an AND condition:

AppID must keep identifying the traffic as that specific application for the session to keep being allowed on a port that matches, even if this means dynamic/tcp-udp.

This becomes extremely important when a security policy contains multiple applications 

Hope this helps :)
