What Are Applications and Services?

What is the difference between applications and services and how do they interact?

I'll try to illustrate the explanations provided with some practical examples.

To start from the beginning, let's first review the original question, "What is the difference between applications and services and how do they interact?"

Concept 1

A service on the Palo Alto Networks firewall is a TCP or UDP port, as it would be defined on a traditional firewall or access list. It simply defines which port is open or closed and does not look beyond Layer 4.

Concept 2

An application is what makes the Palo Alto Networks next-generation firewall so powerful; it goes into Layer 7 inspection to ascertain which application is active in a data flow and will enforce "normal" behavior onto it (e.g., a session identified as DNS that suddenly sends an SQL query is abnormal and will be blocked).

The two concepts above can be combined in a variety of ways, depending on the needs of the administrator. Below, you will see four security policies that all do basically the same thing, but each in a different way.

For the following examples, each policy is considered standalone in its own rulebase, since a normal rulebase is matched top to bottom, first hit, first served.


[Image: Firewall web interface view of policies]

  1. A DNS packet sent over UDP port 53 will be allowed by all four policies
    • this is legitimate traffic and all of the policies match on either the application or the port
  2. A DNS packet sent over TCP port 80 will be allowed by policies #1, #2 and #3 but will be blocked by policy #4
    • rule #4 forces each application to use its own port, whereas the other policies simply list which ports or applications are allowed
  3. An SQL packet sent over TCP port 80 will be allowed by policies #1 and #2
    • none of the policies include SQL as an application, but policy #2 only checks for a valid service port
  4. An HTTP packet sent over TCP port 8888 will only be passed by policy #1
    • policy #1 does not enforce any ports, so as long as the application requirement is met, the traffic will pass on any port
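To make the four outcomes above concrete, here is an added Python model (not code from the original post, and not the PAN-OS matching engine) of how the application and service columns of a rule combine. The four rules are constructed to reproduce the outcomes listed above; the App-ID names and the default ports behind "application-default" are assumptions.

```python
# Simplified model of application + service matching. Assumed App-ID names
# and default ports; constructed rules that mirror the four policies above.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple, Union

# Assumed App-ID default ports used when a rule's service is application-default.
APP_DEFAULT_PORTS = {
    "dns": frozenset({("udp", 53), ("tcp", 53)}),
    "web-browsing": frozenset({("tcp", 80)}),
    "mssql-db": frozenset({("tcp", 1433)}),
}

@dataclass(frozen=True)
class Rule:
    name: str
    apps: Optional[FrozenSet[str]]          # None means "any"
    # None means "any"; a set of (proto, port) means explicit services;
    # the string "application-default" means the app's own default ports.
    services: Union[None, FrozenSet[Tuple[str, int]], str]

@dataclass(frozen=True)
class Flow:
    app: str    # application identified by Layer 7 inspection
    proto: str
    port: int

def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Both the application condition and the service condition must hold."""
    if rule.apps is not None and flow.app not in rule.apps:
        return False
    if rule.services is None:
        return True
    if rule.services == "application-default":
        return (flow.proto, flow.port) in APP_DEFAULT_PORTS.get(flow.app, frozenset())
    return (flow.proto, flow.port) in rule.services

def allowing_rules(rulebase: List[Rule], flow: Flow) -> List[str]:
    """Names of the rules that would allow the flow, each evaluated standalone."""
    return [r.name for r in rulebase if rule_matches(r, flow)]

KNOWN = frozenset({"dns", "web-browsing"})
PORTS = frozenset({("udp", 53), ("tcp", 80)})
RULEBASE = [
    Rule("#1", None, None),                     # any app, any service
    Rule("#2", None, PORTS),                    # any app, explicit ports only
    Rule("#3", KNOWN, PORTS),                   # listed apps, explicit ports
    Rule("#4", KNOWN, "application-default"),   # listed apps, app-default ports
]
```

Running `allowing_rules(RULEBASE, Flow("dns", "tcp", 80))` returns `["#1", "#2", "#3"]`, matching scenario 2 above; the SQL-over-80 and HTTP-over-8888 cases behave the same way as scenarios 3 and 4.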

So what is good and bad?

The recommended policy is either a set of applications (or an application filter) with the service set to application-default, as this not only closes unnecessary ports but also ensures applications are using their normal ports, or a policy with some applications and a few explicit services in case an application is expected to use a non-default port (e.g., internal HTTP on TCP port 5000).

Leaving applications or services (or worse, both) as "any" is not recommended and should only be used under strict supervision. It may be necessary to use this type of policy in a transitional period when migrating from a different firewall.

In this case, you could create a second policy right above the one that uses "any" in services or applications, where all the applications you are able to identify from traffic logs are added gradually. Eventually, all sessions will start to match the policy you created last and the original one can be deleted.

[Image: Firewall web interface of two specific policies]

Thanks for taking time to read this blog.

Don't forget to hit that Like (thumbs up) button and don't forget to subscribe to the LIVEcommunity Blog.

Thanks @reaper for the original blog !

Stay Secure,
Kiwi out!

Comments
L0 Member

For condition 3, an SQL packet sent over TCP port 80 should also hit the example 1 policy. Am I wrong?

Community Team Member

@eyyupbarut ,

Yes, you are correct. Lemme add that.
