Demystifying Application Default


When it comes to setting up rules, there are a lot of components that make up these rules. One of the more confusing parts I've been asked about is this thing called "application-default" under the Service section.

 


 

The "Service/URL Category" section is where you have the opportunity to specify the port that the application operates on.

The Web-browsing application, for example, uses TCP port 80.

 

When you're setting up a rule, under the "Service/URL Category" tab you'll notice a dropdown menu on the left side of the screen. Here, you'll come across three options:

 

  • "Any"
  • "Select"
  • "Application-default"


Let me explain what each of these options means:

 

  • Any: This option covers all ports from 1 to 65535, whether they use TCP or UDP protocol. When you choose this option, the selected applications will be allowed or denied on any protocol or port.
  • Select: With this option, you'll need to specify the exact TCP or UDP port that the application you want to allow or block will be using. You can either choose from existing services or service groups, or create a new entry.


  • Application-default: With this option, the selected applications will be allowed or denied only on their default ports as defined by Palo Alto Networks. This option is recommended for allow policies because it prevents applications from running on unusual ports and protocols. If an application tries to use a port or protocol other than its default, it could indicate unexpected behavior or unauthorized usage. That way, this option helps maintain control and security.

 

Let's review this with an easy-to-understand example:

 


 

The first rule in the above example is set up to allow the DNS application, specifically on UDP port 53. This means that DNS traffic will only be allowed on that specific port. The second rule allows the DNS application as well, but it utilizes the "application-default" setting. This means that the DNS application will be allowed on its default ports, as defined by Palo Alto Networks.

 

That means that if DNS were using TCP port 53, it would not match the first rule (which only allows UDP port 53).

It would match the second rule. So why is that, and how does the firewall know?

 

To understand this better, you'll want to explore the DNS application. Under Objects > Applications, search for "DNS" and select the "dns-base" application (*). This will take you to a screen where you can view detailed information about this application. Alternatively, you can find the same information online in Palo Alto Networks' Applipedia.

 


 

Notice the listed default ports for the application: udp/53,5353, tcp/53

 

Following our example from above, the first rule allows DNS only over UDP port 53. DNS using TCP port 53 or UDP port 5353 would not match this rule because the "application-default" option was not set. This example highlights the convenience of using "application-default" instead of trying to specify each individual TCP or UDP port, making the rule configuration process much simpler.

 

This also applies to rules where the application is set to "any". In such cases, "application-default" guarantees that regardless of the identified application, traffic will be restricted to using the standard ports only.

 

For all you CLI fanboys/girls out there, you can also check the application-default ports using the CLI (don't forget to go into configuration mode first!):

 

 

 

> configure
Entering configuration mode
[edit] 
# show predefined application dns
dns {
  category networking;
  subcategory infrastructure;
  technology network-protocol;
  alg yes;
  appident yes;
  ident-by-sport yes;
  ident-by-dport yes;
  vulnerability-ident yes;
  evasive-behavior no;
  consume-big-bandwidth no;
  used-by-malware yes;
  able-to-transfer-file no;
  has-known-vulnerability yes;
  tunnel-other-application no;
  prone-to-misuse no;
  pervasive-use yes;
  per-direction-regex no;
  decode dns;
  preemptive yes;
  cachable yes;
  file-forward yes;
  references {
    Wikipedia {
      link http://en.wikipedia.org/wiki/Domain_name_system;
    }
  }
  default {
    port [ tcp/53 udp/53,5353];
    extended-port [ tcp/53 tcp/853/secure udp/53,5353];
  }
  tunnel-applications tcp-over-dns;
  risk 3;
}
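The rule matching described above, as an added example (not from the original post and not Palo Alto Networks code): a simplified Python model that reads the `port [ ... ]` line from the CLI output and evaluates the two DNS rules top-down. The rule names and dictionary layout are assumptions, and only the `port` line is used, not `extended-port`.

```python
import re

# Constructed sample: the "default" stanza as it appears in the CLI output above.
CLI_OUTPUT = """
  default {
    port [ tcp/53 udp/53,5353];
    extended-port [ tcp/53 tcp/853/secure udp/53,5353];
  }
"""

def parse_default_ports(cli_text):
    """Return the set of (protocol, port) pairs from the 'port [ ... ];' line."""
    m = re.search(r"^\s*port\s*\[([^\]]*)\]", cli_text, re.MULTILINE)
    if not m:
        raise ValueError("no 'port [ ... ]' line found")
    pairs = set()
    for token in m.group(1).split():          # e.g. "udp/53,5353"
        proto, spec = token.split("/", 1)
        for part in spec.split(","):          # numeric ports or lo-hi ranges only
            lo, _, hi = part.partition("-")
            pairs.update((proto, p) for p in range(int(lo), int(hi or lo) + 1))
    return pairs

def rule_matches(rule, app, proto, port, defaults):
    """Simplified model of the Application and Service columns of one rule."""
    if rule["application"] not in ("any", app):
        return False
    service = rule["service"]
    if service == "application-default":
        return (proto, port) in defaults.get(app, set())
    # "Any" matches every port; "Select" is modelled as an explicit set of ports.
    return service == "any" or (proto, port) in service

def first_match(rules, app, proto, port, defaults):
    """Top-down evaluation; None means no rule in this list matched."""
    for rule in rules:
        if rule_matches(rule, app, proto, port, defaults):
            return rule["name"]
    return None

DEFAULTS = {"dns": parse_default_ports(CLI_OUTPUT)}
RULES = [  # hypothetical names for the two rules in the example above
    {"name": "dns-udp-53", "application": "dns", "service": {("udp", 53)}},
    {"name": "dns-app-default", "application": "dns", "service": "application-default"},
]

if __name__ == "__main__":
    for proto, port in [("udp", 53), ("tcp", 53), ("udp", 5353), ("tcp", 5353)]:
        print(f"dns on {proto}/{port} ->", first_match(RULES, "dns", proto, port, DEFAULTS))
```

DNS on tcp/5353 matches neither rule, which is the behavior that makes "application-default" useful on allow rules: an application seen on a port outside its defined defaults falls through to whatever rule comes next.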

 

 

 

(*) NOTE: It is important to know that, in the DNS example used above, the App-ID decoder was enhanced in content version 8586-7445 to include dns-base and dns-non-rfc.

 
