7.1 default behavior changes


L4 Transporter

So I was reading about PAN-OS 7.1 because I am planning on upgrading from 7.0.12 to 7.1, and I found some information on the default behavior of App-ID (screenshot: appid.PNG).
12 replies

L6 Presenter

So how is that any different than it used to be?

My other question is: if it is a lot different, is it going to break anything? How can I check to see what it may break?

Hey,

 

This is from the KB:

-----

In earlier PAN-OS release versions, the Service setting 'application-default' was not enforced when configured with the Application setting Any.

-----

So prior to 7.1, if your policy had the application option configured as "any", all applications were permitted (even on non-default ports).

After 7.1, if your policy has the application option configured as "any" and the service set to "application-default", all applications will be permitted on standard (default) ports ONLY. Let's say you are running a web server on port 8080: the traffic will not match and will most likely be denied (at least I had this scenario :D).

 

Thx,

Myky

I was operating under the thought that that's how it has always worked, and I don't see it as a change. So are you saying application-default was not really only the standard ports; it was more like an "any"?

Correct, before 7.1.

Before 7.1, application "any" with service "application-default" or "any" was the same thing and was allowing any app on any port.

After 7.1, application "any" with service "application-default" allows apps only on their default ports; if the service is "any", then on any port.

So application-default was really an "any"?

Yes, correct. Before 7.1, service application-default = any, BUT only if your policy has the application tab set to any.

But if you have specific applications named in your rule with application-default, it goes by the specific applications and is not based on the service setting. So the change is only in regard to the service. I need to review my firewall and see how that will affect me when I upgrade.

 

So what is going on in this rule, for example? (screenshot: rule.PNG)

For your example, upgrading to a 7.1.x release will not have any effect. Look for rules like this one: (screenshot: rule.PNG)

So it will only apply to rules that have the service set to application-default?

The behaviour change affects you only if you have a rule where the application is "any" AND the service is "application-default".

It does not affect you if you have set an application, application filter or application group, or if you have manually set the service to some port number.

Your example is not affected, and no change is needed.

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
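To answer the "how can I check what it may break" question concretely, here is an added example (not code from the thread or from Palo Alto Networks) that audits an exported PAN-OS XML configuration for the one rule shape the thread identifies as affected: application "any" combined with service "application-default". It assumes the usual running-config layout (devices/entry/vsys/entry/rulebase/security/rules/entry with application/member and service/member children); the embedded config is constructed for the example, and the XPath should be checked against your own export before relying on the result. It goes slightly beyond the thread by also flagging deny rules of that shape, since a deny that matches only default ports after the upgrade lets non-default-port traffic fall through to later rules.

```python
"""Audit an exported PAN-OS XML config for security rules affected by the
PAN-OS 7.1 change: application=any AND service=application-default now
matches only each application's default ports.

Added example, not from the original thread.  RULE_XPATH assumes the
standard running-config layout; verify it against your own export.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample config (not a real export), trimmed to the relevant fields.
SAMPLE_CONFIG = """<config version="7.0.0">
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="allow-web-8080">
        <application><member>any</member></application>
        <service><member>application-default</member></service>
        <action>allow</action>
      </entry>
      <entry name="allow-any-any">
        <application><member>any</member></application>
        <service><member>any</member></service>
        <action>allow</action>
      </entry>
      <entry name="allow-ssl-default">
        <application><member>ssl</member><member>web-browsing</member></application>
        <service><member>application-default</member></service>
        <action>allow</action>
      </entry>
      <entry name="allow-custom-port">
        <application><member>any</member></application>
        <service><member>tcp-8080</member></service>
        <action>allow</action>
      </entry>
      <entry name="deny-any-appdefault">
        <application><member>any</member></application>
        <service><member>application-default</member></service>
        <action>deny</action>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""

# Assumed location of security rules in a PAN-OS running-config export.
RULE_XPATH = "./devices/entry/vsys/entry/rulebase/security/rules/entry"


def members(rule, tag):
    """Return the <member> values under <tag> of a rule (empty if absent)."""
    return [m.text.strip() for m in rule.findall(f"./{tag}/member") if m.text]


def classify_rule(rule):
    """Return (verdict, reason) for one <entry> element of the rulebase."""
    apps = members(rule, "application")
    svcs = members(rule, "service")
    action = (rule.findtext("action") or "").strip()
    if apps == ["any"] and svcs == ["application-default"]:
        if action == "deny":
            return ("affected", "deny now matches default ports only; "
                    "non-default-port traffic falls through to later rules")
        return ("affected", "allow now matches default ports only; "
                "apps on non-default ports (e.g. HTTP on 8080) stop matching")
    if apps != ["any"]:
        return ("unaffected", "explicit applications: application-default "
                "already meant each app's own default ports")
    if "any" in svcs:
        return ("unaffected", "service=any still matches all ports")
    return ("unaffected", "explicit service objects fix the ports")


def audit_config(xml_text):
    """Return a list of (rule_name, verdict, reason) for every security rule."""
    root = ET.fromstring(xml_text)
    return [(rule.get("name"), *classify_rule(rule))
            for rule in root.findall(RULE_XPATH)]


def affected_rules(xml_text):
    """Names of rules whose behaviour changes on upgrade to 7.1."""
    return [name for name, verdict, _ in audit_config(xml_text)
            if verdict == "affected"]


if __name__ == "__main__":
    # Usage: python audit_appdefault.py [running-config.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, verdict, reason in audit_config(text):
        print(f"{verdict:10s} {name:24s} {reason}")
```

Run it against `running-config.xml` (exported from Device > Setup > Operations, or `show config running` on the CLI) before upgrading; every rule listed as "affected" either needs its service set explicitly (to "any" or to a service object for the non-default port) or a deliberate decision that default-port-only matching is what you want.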