Hi I have a question,
Application allowed- DNS,SSL,WEB-Browsing
Service allowed - TCP port 22
I understand DNS, SSL and Web-browsing would be allowed on port 22, but my question is SSH traffic would be allowed by this rule as I am allowing port-22 via service.?
Also My second question, would DNS traffic be allowed on its standard port 53 via this rule?
My understanding is Palo matches Both Services and Application together, hence SSH traffic would be blocked in this case and DNS traffic on port 53 would also be blocked?
Referring this article - https://live.paloaltonetworks.com/t5/blogs/what-are-applications-and-services/ba-p/342508
The service configuration limits which ports the applications are allowed to use
Setting tcp-22 in the services limits ALL applications to only be allowed through tcp:22 (so DNS will need to use TCP 22 instead of UDP 53)
if DNS needs to be allowed too, you'll need to add udp53 to the services
break application out into their own separate security policies and define whatever port you desire to use except you want all the app on the same port 22 and also define udp port.
You absolutely can. However the point with the applications is that you dont have to. So instead of a policy that is like:
application = ssh and service = 22/tcp, you can just put in application = ssh.
Thats really it. The firewall knows and can see ssh and knows its only allowed on port 22/tcp by default.
Hope that helps.
So that means.
Lets says I allowed 5 applications in my rule 1 with "application-default"
The traffic from that rule would be allowed on all standard ports.
Now I have another non standard port to allow.
So I have to make another rule and allow ALL apps on that TCP- NON-STANDARD port.
Does'it not open up all application traffic on that port.
Would'nt it be better if I use the non standard port in same rule 1 and somehow palo allows my 5 applications on their standard ports and also the non standard I added in services section.
That way I can have the traffic going to non standard port allowed and also applications to standard ports allowed in same rule.
That poses less secuirty risk rather than allowing all apps on that non standard port in a new rule?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!