10-01-2013 04:05 PM
Maybe my thought process is wrong so I am hoping somebody can set me straight. I have a few non-standard ports that need to be opened on the firewall. They don't belong to any application so I need to allow the ports. What I have done is created custom applications with basically just a name and the ports used (no signatures). I created an application override for these custom applications as well. I then added these custom applications to the security policy along with other known applications that need access.
Is this the best way to open a port on the Palo Altos?
10-06-2013 08:15 PM
Hi,
What you're doing will work, but you don't have to do an application override for this traffic. You can just configure a security policy, with application set to 'any' or 'custom-app' and define the service ports to allow this traffic through. By doing so you can also add security profiles to the traffic to enable inspection.
app-override will not perform any scanning on the traffic and this can cause threat especially if the traffic is to/from Internet.
Refer:
Does application override adversely affect Threat ID?
Hope that helps,
Aditi
10-06-2013 08:15 PM
Hi,
What you're doing will work, but you don't have to do an application override for this traffic. You can just configure a security policy, with application set to 'any' or 'custom-app' and define the service ports to allow this traffic through. By doing so you can also add security profiles to the traffic to enable inspection.
app-override will not perform any scanning on the traffic and this can cause threat especially if the traffic is to/from Internet.
Refer:
Does application override adversely affect Threat ID?
Hope that helps,
Aditi
10-07-2013 08:35 AM
That's exactly the information I was looking for. Thanks so much for the help.
11-19-2013 04:31 PM
Another quick question, I am wondering if I can have applications and service ports being used on the same policy? For example, if I use the web-browsing application and create and use a service using ports 60000-65000, will it allow http traffic as well as traffic on ports 60000-65000? Or should I create a policy that allows web-browsing then a separate rule for the service?
11-20-2013 05:11 PM
Hello Mario,
If you include web-browsing in the application column and 60000-65000 in the service column, that security policy would only allow web-browsing traffic on ports 60000-65000. You would need a separate rule to allow web-browsing on its default port (80).
Best would be to include web-browsing in the application column and mention all the ports in the service column (standard and non-standard ).
Hope that helps!
Thanks and regards,
Kunal Adak
11-21-2013 08:37 AM
Thanks again for the help. I just went ahead and created a second rule with a service using the ports 60000-65000 right after the policy I mentioned previously using web-browsing. My thought is traffic for 60000-65000 won't match the previous policy but will match the very next one which contains these ports. Seems like it's working! Thanks again! 
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
