06-08-2022 05:34 PM - edited 06-08-2022 05:48 PM
Hi I have a question,
Following rule,
Application allowed- DNS,SSL,WEB-Browsing
Service allowed - TCP port 22
I understand DNS, SSL and web-browsing would be allowed on port 22, but my question is: would SSH traffic be allowed by this rule, as I am allowing port 22 via the service?
Also, my second question: would DNS traffic be allowed on its standard port 53 via this rule?
My understanding is that Palo matches both service and application together, hence SSH traffic would be blocked in this case and DNS traffic on port 53 would also be blocked?
Referring to this article - https://live.paloaltonetworks.com/t5/blogs/what-are-applications-and-services/ba-p/342508
06-10-2022 10:22 AM
Hello,
Correct, you will need to have ssh in the application field to allow the traffic. You will not need a 'service'/port since that is implied in the application.
https://applipedia.paloaltonetworks.com/
Regards,
06-10-2022 01:11 PM
It would be nice if you could get away with an "and" for app-default AND any port you specify in the rule.
06-10-2022 01:14 PM
Hello,
You absolutely can. However, the point with the applications is that you don't have to. So instead of a policy that is like:
application = ssh and service = 22/tcp, you can just put in application = ssh.
That's really it. The firewall knows and can see ssh and knows it's only allowed on port 22/tcp by default.
Hope that helps.
06-10-2022 01:31 PM - edited 06-10-2022 01:32 PM
I was under the impression that one rule was either app-default OR you pick the service.
Like
app=ssh
service
app-default OR tcp/22
06-10-2022 01:45 PM
So that means:
Let's say I allowed 5 applications in my rule 1 with "application-default".
The traffic from that rule would be allowed on all standard ports.
Now I have another non-standard port to allow.
So I have to make another rule and allow ALL apps on that non-standard TCP port.
Does it not open up all application traffic on that port?
Wouldn't it be better if I used the non-standard port in the same rule 1 and somehow Palo allowed my 5 applications on their standard ports and also the non-standard one I added in the services section?
That way I can have the traffic going to the non-standard port allowed and also applications to standard ports allowed in the same rule.
That poses less security risk than allowing all apps on that non-standard port in a new rule?
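To make the matching semantics discussed in this thread concrete, here is an added example (my own toy model, not Palo Alto Networks code) that evaluates a few rules the way the thread describes: a rule matches only when the App-ID identified application AND the service both match, and "application-default" resolves to the standard port(s) of whichever application was identified. The app-to-port table is an assumption for illustration (Applipedia is the authoritative source), the "interzone-default deny" fallback is assumed, and tcp/8022 is a hypothetical non-standard port chosen for the last question in the thread.

```python
"""Toy model of PAN-OS security-rule matching on BOTH application and service.

Added example, not Palo Alto Networks code. The standard-port table below is
an assumption for illustration; check Applipedia for the real values.
"""

from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple, Union

Port = Tuple[str, int]  # (protocol, destination port)

# ASSUMED standard ports: what "application-default" resolves to per application.
APP_DEFAULT_PORTS: Dict[str, FrozenSet[Port]] = {
    "dns": frozenset({("udp", 53), ("tcp", 53)}),
    "ssl": frozenset({("tcp", 443)}),
    "web-browsing": frozenset({("tcp", 80)}),
    "ssh": frozenset({("tcp", 22)}),
}


@dataclass(frozen=True)
class Flow:
    app: str    # application as identified by App-ID after inspection
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    applications: Optional[FrozenSet[str]]   # None means "any"
    service: Union[str, FrozenSet[Port]]     # "application-default", "any", or explicit ports
    action: str = "allow"


def application_matches(rule: Rule, flow: Flow) -> bool:
    return rule.applications is None or flow.app in rule.applications


def service_matches(rule: Rule, flow: Flow) -> bool:
    port = (flow.proto, flow.dport)
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        # The permitted ports come from the identified app, not from the rule.
        return port in APP_DEFAULT_PORTS.get(flow.app, frozenset())
    return port in rule.service


def rule_matches(rule: Rule, flow: Flow) -> bool:
    # Both criteria must hold: listing a port never widens the application list,
    # and listing an application never widens the port list.
    return application_matches(rule, flow) and service_matches(rule, flow)


def evaluate(rules: Iterable[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; otherwise the (assumed) interzone default denies."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    return "interzone-default", "deny"


# Rule from the opening post: three apps, but service pinned to tcp/22.
OP_RULE = Rule("op-rule", frozenset({"dns", "ssl", "web-browsing"}), frozenset({("tcp", 22)}))
# Rule from the reply: app ssh with application-default, no explicit service needed.
SSH_RULE = Rule("allow-ssh", frozenset({"ssh"}), "application-default")
# Two ways to open a hypothetical non-standard port tcp/8022 (last question in the thread).
WIDE_RULE = Rule("any-app-8022", None, frozenset({("tcp", 8022)}))
NARROW_RULE = Rule("ssh-8022", frozenset({"ssh"}), frozenset({("tcp", 8022)}))


if __name__ == "__main__":
    # Constructed sample flows exercising each rule.
    for rules, flows in [
        ([OP_RULE], [Flow("ssh", "tcp", 22), Flow("dns", "udp", 53), Flow("web-browsing", "tcp", 22)]),
        ([SSH_RULE], [Flow("ssh", "tcp", 22), Flow("ssh", "tcp", 2222)]),
        ([WIDE_RULE], [Flow("web-browsing", "tcp", 8022)]),
        ([NARROW_RULE], [Flow("web-browsing", "tcp", 8022), Flow("ssh", "tcp", 8022)]),
    ]:
        for flow in flows:
            print(rules[0].name, flow, "->", evaluate(rules, flow))
```

The OP's rule denies ssh on tcp/22 (application not listed) and dns on udp/53 (service not listed) while allowing web-browsing on tcp/22, which is the "both must match" behaviour the thread settles on. The last two rules show the trade-off raised in the final post: an "any application" rule on the non-standard port admits every identified application on it, whereas naming the application keeps the port restricted to that one app.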