When it comes to creating rules, there are many components that make up a rule. One of the more confusing ones I have been asked about is "Application Default" under Services.
The "Service/URL Category" section is where you can define the port that the application uses.
For example: The application Web-browsing (http) uses TCP port 80.
Inside any rule, under the Service/URL Category tab, you will have a drop-down menu on the left-hand side of the screen.
You will see the following three options:
What do they mean?
Any - This simply means all ports: 1-65535, TCP or UDP. The selected applications are allowed or denied on any protocol or port.
Select - This means that you will have to specify exactly what TCP or UDP port that the application you want to allow or block is going to use. Choose an existing service or choose Service or Service Group to specify a new entry.
Application-Default - Choosing this means that the selected applications are allowed or denied only on their default ports defined by Palo Alto Networks. This option is recommended for allow policies because it prevents applications from running on unusual ports and protocols, which if not intentional, can be a sign of undesired application behavior and usage.
Note: When you use this option, the device still checks for all applications on all ports, but with this configuration, applications are only allowed on their default ports/protocols.
Let's show this in a rule with DNS as an example below:
The first rule is written to allow the DNS application, but only on UDP port 53.
The second rule is written to allow the DNS application, but uses application-default.
This demonstrates that if DNS were using TCP port 53, it would not be allowed by the first rule.
The second rule, however, would allow it. Why, and how does the firewall know?
To look at the DNS application, click Objects > Applications, type DNS in the search field, and then click 'dns' to see the following screen:
Notice the application's default ports listed:
Since the first rule only allows UDP port 53, DNS on TCP port 53 or UDP port 5353 would not be allowed by it, because application-default was not used. The same mechanism can also be used to block applications. This is just a simple example to show how much easier it is to allow application-default than to try to specify every TCP or UDP port.
This also applies to rules with "any" as the application: whichever application is identified on the flow, application-default ensures that application is only allowed on its standard ports.
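To make the matching behaviour concrete, here is a small Python model of how the Service setting (Any, Select, or Application-Default) decides whether an identified application's flow matches a rule. This is an added example, not code from the original article or from Palo Alto Networks; the default-port table and the rule names are constructed from the ports the article mentions for dns (UDP 53, TCP 53, UDP 5353) and for web-browsing (TCP 80), and the firewall's real App-ID database is the authoritative source.

```python
# Added example (not from the original article): a model of how a security rule's
# Service setting decides whether an App-ID-identified flow matches the rule.
from dataclasses import dataclass, field

# Constructed default-port table, keyed by application name, using only the
# ports the article mentions. Check Objects > Applications on a real device.
APP_DEFAULT_PORTS = {
    "dns": {("udp", 53), ("tcp", 53), ("udp", 5353)},
    "web-browsing": {("tcp", 80)},
}


@dataclass
class Flow:
    app: str    # application identified by App-ID, e.g. "dns"
    proto: str  # "tcp" or "udp"
    port: int   # destination port


@dataclass
class Rule:
    name: str
    applications: set       # e.g. {"dns"} or {"any"}
    service: str            # "any", "select", or "application-default"
    selected_ports: set = field(default_factory=set)  # only used with "select"
    action: str = "allow"


def rule_matches(rule, flow):
    """Return True when the flow satisfies the rule's application and service checks."""
    # Application check: "any" matches whatever App-ID identified on the flow.
    if "any" not in rule.applications and flow.app not in rule.applications:
        return False
    if rule.service == "any":
        # Any port, TCP or UDP.
        return True
    if rule.service == "select":
        # Only the explicitly listed protocol/port pairs.
        return (flow.proto, flow.port) in rule.selected_ports
    if rule.service == "application-default":
        # Only the default ports of the application actually identified, which is
        # why this also works when the rule's application is "any".
        return (flow.proto, flow.port) in APP_DEFAULT_PORTS.get(flow.app, set())
    raise ValueError(f"unknown service setting: {rule.service}")


def evaluate(rules, flow):
    """First-match evaluation of an ordered rulebase.

    Returns (rule name, action), or (None, "deny") when no rule matches,
    mirroring the implicit deny at the end of the rulebase.
    """
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    return None, "deny"


# The two rules from the article: DNS on UDP 53 only, and DNS on application-default.
RULE_UDP53 = Rule("allow-dns-udp53", {"dns"}, "select", {("udp", 53)})
RULE_APPDEF = Rule("allow-dns-appdefault", {"dns"}, "application-default")


def compare(flow):
    """Show how each of the two article rules, taken on its own, treats the flow."""
    return {
        RULE_UDP53.name: rule_matches(RULE_UDP53, flow),
        RULE_APPDEF.name: rule_matches(RULE_APPDEF, flow),
    }


if __name__ == "__main__":
    for f in (Flow("dns", "udp", 53), Flow("dns", "tcp", 53),
              Flow("dns", "udp", 5353), Flow("dns", "tcp", 8080)):
        print(f, compare(f))
```

Running the block shows the article's point directly: DNS over TCP 53 or UDP 5353 fails the UDP-53-only rule but passes the application-default rule, while DNS on a non-standard port such as TCP 8080 fails both, so it falls through to the implicit deny.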
Please see this article for more information on application default ports through the CLI: