Adding a Custom Application/Ports to Security Policy

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L4 Transporter

Adding a Custom Application/Ports to Security Policy

Maybe my thought process is wrong so I am hoping somebody can set me straight. I have a few non-standard ports that need to be opened on the firewall. They don't belong to any application so I need to allow the ports. What I have done is created custom applications with basically just a name and the ports used (no signatures). I created an application override for these custom applications as well. I then added these custom applications to the security policy along with other known applications that need access.

Is this the best way to open a port on the Palo Altos?


Accepted Solutions
Highlighted
L4 Transporter

Hi,

What you're doing will work, but you don't have to do an application override for this traffic. You can just configure a security policy, with application set to 'any' or 'custom-app' and define the service ports to allow this traffic through. By doing so you can also add security profiles to the traffic to enable inspection.

app-override will not perform any scanning on the traffic and this can cause threat especially if the traffic is to/from Internet.

Refer:

Does application override adversely affect Threat ID?

Hope that helps,

Aditi

View solution in original post


All Replies
Highlighted
L4 Transporter

Hi,

What you're doing will work, but you don't have to do an application override for this traffic. You can just configure a security policy, with application set to 'any' or 'custom-app' and define the service ports to allow this traffic through. By doing so you can also add security profiles to the traffic to enable inspection.

app-override will not perform any scanning on the traffic and this can cause threat especially if the traffic is to/from Internet.

Refer:

Does application override adversely affect Threat ID?

Hope that helps,

Aditi

View solution in original post

Highlighted
L4 Transporter

That's exactly the information I was looking for. Thanks so much for the help.

Highlighted
L4 Transporter

Another quick question, I am wondering if I can have applications and service ports being used on the same policy? For example, if I use the web-browsing application and create and use a service using ports 60000-65000, will it allow http traffic as well as traffic on ports 60000-65000? Or should I create a policy that allows web-browsing then a separate rule for the service?

Highlighted
L5 Sessionator

Hello Mario,

If you include web-browsing in the application column and 60000-65000 in the service column, that security policy would only allow web-browsing traffic on ports 60000-65000. You would need a separate rule to allow web-browsing on its default port (80).

Best would be to include web-browsing in the application column and mention all the ports in the service column (standard and non-standard ).

Hope that helps!

Thanks and regards,

Kunal Adak

Highlighted
L4 Transporter

Thanks again for the help. I just went ahead and created a second rule with a service using the ports 60000-65000 right after the policy I mentioned previously using web-browsing. My thought is traffic for 60000-65000 won't match the previous policy but will match the very next one which contains these ports. Seems like it's working! Thanks again! :smileyhappy:

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!