This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Application Groups "service" in security policy

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Application Groups "service" in security policy

froggyj
Not applicable

‎06-10-2014 04:41 PM

I have the following scenario I came across and just curious if this is expected behavior. It is recommended when "whitelisting" and application to use the application-default service (so it only works on its default port), or if you are "blacklisting" to use the service "any" (to block the app on any port used). I'm not so sure this works using groups though? Here is an example:

Rule 1 - Allowed Exception During Lunch - YouTube - application-default - ALLOW

Rule 2 - Whitelist - Application Group which includes SSL etc... - application-default - ALLOW

Rule 3 - Blacklist - Application Group to Deny which includes SSL as part of a filter - any  - DENY<--use ANY service for deny rules

When I try to commit it gives me a warning that YouTube has a dependency of SSL, which is denied by the Blacklist rule. This doesn't make sense as SSL is allowed in rule 2 so therefore in my mind it "should" work. What am I missing? and when using application groups do you have to leave the service as "any" or can you use the application-default just fine and if you have a list of 5 applications, each one of those will only work on its respective default port.

0 Likes Likes
2 REPLIES 2

nchong
L2 Linker

‎06-10-2014 08:30 PM

I recall that this issue is caused by the commit validation not expanding the search beyond the original rule. However this an error with the validation message, it will not affect the actual traffic. When a session is initiated it will first match the SSL application in Rule 2 and when APP-ID shifts to you-tube the traffic will then match Rule 1.

Regards,

Narong

0 Likes Likes

kbe
L3 Networker
In response to nchong

‎06-11-2014 01:01 AM

Thats right.

The warning is normal and can be ignored. There are many applications that also bring up this warning if you use a cleanup-rule as last rule.

In your scenario it shpuld work as expected like Narong explained.

You can use application default when working with application groups. Each application will then only work on its default port(s) that are defined in the application-default.

But why are you using a blacklist? If you define apps that are allowed, all other apps should be denied by default. You do not need a special deny rule. Only allowed traffic should flow.

0 Likes Likes
  • 2776 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks