05-09-2017 01:47 PM
So how is that any different than it used to be?
05-09-2017 01:49 PM
My other question is, if it is a lot different, is it going to break anything? How can I check to see what it may break?
05-09-2017 02:06 PM - edited 05-09-2017 02:07 PM
Hey,
This is from KB:
-----------------------------------------------------------------------------------------------------------------------------------------------------
In earlier PAN-OS release versions, the Service setting 'application-default' was not enforced when configured with the Application setting Any.
-----------------------------------------------------------------------------------------------------------------------------------------------------
So prior to 7.1, if your policy had the application option configured as "any", all applications were permitted (even on non-default ports).
After 7.1, if your policy has the application option configured as "any" and services as "application-default", all your applications will be permitted on standard (default) ports ONLY. Let's say you are running a web server on port 8080: traffic will not match and most likely will be denied (at least I had this scenario :D).
Thx,
Myky
05-10-2017 06:09 AM
I was operating under the thought that that's how it has always worked, and I don't see it as a change. So are you saying application-default was not really only the standard ports, it was more like an any?
05-10-2017 06:40 AM - edited 05-10-2017 06:57 AM
Correct, before 7.1
Before 7.1, application "any" = services "application-default" or "any" was the same thing and was allowing any app on any port.
After 7.1, application "any" = services "application-default" allows apps only on the default ports; if services is "any", then on any port.
05-10-2017 07:00 AM
So application-default was really an any?
05-10-2017 07:02 AM - edited 05-10-2017 07:03 AM
Yes, correct, before 7.1 services application-default=any BUT only if your policy has the application tab set to any.
05-10-2017 07:13 AM
But if you have a specific application named in your rule with application-default, it goes by the specific applications and is not based on the services setting. So the change is only in regard to the services. I need to review my firewall and see how that will affect me when I upgrade.
So what is going on in this rule, for example?
05-10-2017 08:19 AM
For your example, the upgrade to the 7.1.X release will not have any effect. Look for these rules:
05-10-2017 08:30 AM
So it will only apply to rules that have the service set to application-default.
05-10-2017 01:01 PM
The behaviour change affects you only if you have a rule where application is "any" AND service is "application-default".
It does not affect you if you have set an application/application filter/application group, or if you have manually set the service to some port number.
Your example has no effect and needs no change.
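
One way to answer the "how can I check" question from this thread, as an added example that is not part of any post and not Palo Alto's own tooling: a Python script that scans an exported configuration XML for security rules with application "any" and service "application-default". The XML layout (security/rules/entry with application, service, action and disabled children), the helper names and the sample rules are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of an exported PAN-OS config (assumed);
# rule names and values are made up for this example.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
 <entry name="allow-outbound">
  <application><member>any</member></application>
  <service><member>application-default</member></service>
  <action>allow</action></entry>
 <entry name="named-apps">
  <application><member>ssl</member><member>web-browsing</member></application>
  <service><member>application-default</member></service>
  <action>allow</action></entry>
 <entry name="any-any">
  <application><member>any</member></application>
  <service><member>any</member></service>
  <action>allow</action></entry>
 <entry name="web-8080">
  <application><member>web-browsing</member></application>
  <service><member>tcp-8080</member></service>
  <action>allow</action></entry>
 <entry name="old-catch-all">
  <application><member>any</member></application>
  <service><member>application-default</member></service>
  <action>allow</action><disabled>yes</disabled></entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""

def members(rule, tag):
    """Return the set of <member> values under rule/<tag>."""
    return {(m.text or "").strip() for m in rule.findall(f"{tag}/member")}

def affected_rules(config_xml):
    """List (name, action, disabled) for rules with application 'any' AND
    service 'application-default', the only combination the thread says
    behaves differently from 7.1 onward."""
    root = ET.fromstring(config_xml.strip())
    hits = []
    for rule in root.findall(".//security/rules/entry"):
        if (members(rule, "application") == {"any"}
                and members(rule, "service") == {"application-default"}):
            action = rule.findtext("action", default="").strip()
            disabled = rule.findtext("disabled", default="no").strip() == "yes"
            hits.append((rule.get("name"), action, disabled))
    return hits
```

Any enabled allow rule it lists is one to review before upgrading, since traffic on non-default ports (the web server on 8080 case above) would stop matching it.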