What is the difference between applications and services and how do they interact?
A service on the Palo Alto Networks firewall, is a TCP or UDP port as it would be defined on a traditional firewall or access list.
I'll try to illustrate the explanations provided with some practical examples.
To start from the beginning, let's first review the original question, "What is the difference between applications and services and how do they interact?"
A service on the Palo Alto Networks firewall is a TCP or UDP port, as it would be defined on a traditional firewall or access list. It simply defines which port is open or closed and does not look beyond Layer 4.
An application is what makes the Palo Alto Networks next-generation firewall so powerful; it goes into Layer 7 inspection to ascertain which application is active in a data flow and will enforce "normal" behavior onto it (e.g., a session identified as DNS that suddenly sends an SQL query is abnormal and will be blocked).
The two concepts above can be used in a variety of different ways, depending on the need of the administrator. Below, you will see four security policies that all do basically the same thing, but each in a different way.
For the following examples, each policy will be considered standalone in its own rulebase as a normal policy is matched top to bottom, first hit, first serve.
Firewall web interface view of policies
A DNS packet sent over UDP port 53 will be allowed by all 4 policies
this is legitimate traffic and all of the policies match on either the application or the port
A DNS packet sent over TCP port 80 will be allowed by policies #1, #2 and #3 but will be blocked by policy #4
in rule #4 each application is forced to use it's own port where the other policies simply list which ports or applications are allowed
An SQL packet sent over TCP port 80 will be allowed by policy #1, #2
none of the policies include SQL as an application, but policy #2 checks for a valid service port
An HTTP packet sent over TCP port 8888 will only be passed by policy #1
policy #1 does not enforce any ports so as long as the application requirement is met, the traffic will pass on any port
So what is good and bad?
The recommended policy will either be a set of applications (or an application filter) with services set to application-default, as this will not only shut unnecessary ports but will also ensure applications are using normal ports. Or you can use a policy with some applications and a few services just in case an application is expected to use a non-default port (e.g., internal HTTP on TCP port 5000).
Leaving applications or services (or worse, both) as "any" is not recommended and should only be used under strict supervision. It may be necessary to use this type of policy in a transitional period when migrating from a different firewall.
In this case, you could create a second policy right above the one that uses "any" in services or applications, where all the applications you are able to identify from traffic logs are added gradually. Eventually, all sessions will start to match the policy you created last and the original one can be deleted.
Firewall web interface of two specific policies
Thanksfor taking time to read this blog.
Don't forget to hit thatLike (thumbs up)button and don't forget tosubscribeto theLIVEcommunity Blog.