This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Application and services in security policy rules
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- Re: Application and services in security policy rules
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Application and services in security policy rules
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-08-2022 05:34 PM - edited 06-08-2022 05:48 PM
Hi I have a question,
Following rule,
Application allowed- DNS,SSL,WEB-Browsing
Service allowed - TCP port 22
I understand DNS, SSL and Web-browsing would be allowed on port 22, but my question is SSH traffic would be allowed by this rule as I am allowing port-22 via service.?
Also My second question, would DNS traffic be allowed on its standard port 53 via this rule?
My understanding is Palo matches Both Services and Application together, hence SSH traffic would be blocked in this case and DNS traffic on port 53 would also be blocked?
Referring this article - https://live.paloaltonetworks.com/t5/blogs/what-are-applications-and-services/ba-p/342508
10 REPLIES 10
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-09-2022 01:49 AM
The service configuration limits which ports the applications are allowed to use
Setting tcp-22 in the services limits ALL applications to only be allowed through tcp:22 (so DNS will need to use TCP 22 instead of UDP 53)
if DNS needs to be allowed too, you'll need to add udp53 to the services
Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-09-2022 07:59 AM
Hello,
While there maybe a reason for restricting the application traffic, I would break these out into their own separate policies. This way you have tighter control over applications and which ports they can/should use.
Regards,
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-09-2022 04:09 PM
Hi Reaper,
That makes sense but just confirming SSH traffic will also be blocked in the case as I have not allowed SSH in application section?
Please confirm
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-10-2022 05:21 AM
break application out into their own separate security policies and define whatever port you desire to use except you want all the app on the same port 22 and also define udp port.
Simplicity is the friend of Security, whilst complexity is the Enemy. (Bruce Schneier) PCNSE,CCSA, SEC-Plus, CCNA Security
Related Content
- Which VM-Series deployment model within vSphere allows for firewall insertion into an existing network and will also require additional VLANs for each in VM-Series in the Public Cloud
- XFF: For security Policy in General Topics
- Palo Alto panos-global-protect include port 4443 in GlobalProtect Discussions
- Traffic getting hits on non-allowed URLs in General Topics
- Palo Alto interfaces in Layer 2 - Portchannel - Log Monitor more details in General Topics
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks