Application or Service Port

Reply
Highlighted
L0 Member

Application or Service Port

Hoping someone can help me out here:

I have a system that needs to ssh/sftp/http/https.

I attempt to define using applications: ssh/ssl but cannot find any for http or sftp. If I search the applipedia for the port, it shows other apps that are on port 80 or 22, however, they are not listed as http or sftp.

*EDIT: found app for 80 is listed as web-browsing.. so port 80. doh..

Even though ssh and sftp both use port 22, would using the application ssh, prevent sftp from working?

Would using a service-port 22 would allow sftp to work?

Is it recommended to create my own app override or create a new rule for port 22/service-http? to avoid having to do one app and one service port rule?

What is the difference between application ssl and service-https? or ssh vs services-ssh?

Thanks for any clarification,

Don


Accepted Solutions
Highlighted
Not applicable

Hi Don,

ssh and sftp is the same application (called „ssh“) for PAN, because for PAN it’s an encrypted tunnel with the same signature. You can only differentiate between ssh and sftp, the data within the encrypted tunnel, if you interrupt this encrypted tunnel by using the ssh-proxy (on the decryption page; requires PAN OS 4.0).

It’s similar with ssl. From the “outsite” you can see only an encrypted tunnel and you can’t see which data or application is transferred through this tunnel until you interrupt the encryption with the ssl-forward-proxy for outgoing ssl connections or the ssl-inbound-inspection for incoming ssl connections.

http is for PAN more a “transport protocol” than an application. You are right, there is an application that called “web-browsing” but this allows static html code only. If you really want to be sure that your users can work you have to possibilities:

First the traditionally style: allow the service http and the application any. This means that everything that uses the tcp port 80 is allowed. This works but is not a real secure solution.

Second possibility is the PAN style by using dynamic application filters. Add a new application filter. Enter the application filter name “browser-based apps” and select the technology “browser-based”.
Now you create a security rule, select the “browser-based apps” as application, allow and select application-default on the service row.


This means that all applications that can be used with an web browser are allowed on their standard ports. The standard port for an application, you can see within the application definition and is working for all apps.
E.g. if you use the application ssh and allow it on the service application-default, ssh is only allowed on port tcp 22, if you select the application ssh and the service any, than ssh is allowed on all ports. Of cause you can create your own service on tcp port 322 and allow the application ssh only on this port.
The big advantage for the application-default setting is that you can allow different applications within the same rule. E.g. allow the application ssh and web-browsing with application default means that you you allow ssh only on port tcp 22 and static web sites on port tcp 80.
But keep attention if you use the applications in the context with the “any” service from untrusted zones like the internet. This means that the PAN allows all incoming connections to the destinations you allowed in this rule and denies only connections after it detects application signatures that are not allowed. This makes it possible for an attacker to scan the open ports of the allowed destinations with a tcp-syn scan. So I would strongly recommend you to use the “application-default” service for rules allowing traffic from untrusted zones.

But now back to your problem with the usage of http. You can see that there are a lot of browser-based applications that are allowed but you may not want e.g. browser based peer-to-peer applications. To avoid this traffic you create a rule before the “browser-based apps” rule that denies all applications you don’t want. Of cause you can use the dynamic application filters for this, too.

I hope this helps you a little bit and have fun with PAN...

Best regards,

Florian

View solution in original post


All Replies
Highlighted
L2 Linker

Q: Even though ssh and sftp both use port 22, would using the application ssh, prevent sftp from working?

Would using a service-port 22 would allow sftp to work?

A:  Many implementations of sftp use ftp over an ssh connection.  If that is the case for you, allowing the ssh app will allow just about anything to travel over that connection.  Unless you have the SSH tunneling inspection feature enabled, allowing ssh app should be enough.

Q:Is it recommended to create my own app override or create a new rule for  port 22/service-http? to avoid having to do one app and one service  port rule?

A:  The PA can detect applications regardless of what ports they are running on when using the "app" feature.  For instance, if you use HTTP on port 22, the PA will detect it as "web-browsing."  If you use the "service" feature, it will only look for traffic on the port listed.   For example, if you allow tcp/22 through without an app restriction, than HTTP over 22 will work, but also telnet over tcp/22, ftp over tcp/22, etc...

Q: What is the difference between application ssl and service-https? or ssh vs services-ssh?

A:  See the above response; PA can detect application usage regardless of port.

Highlighted
Not applicable

Hi Don,

ssh and sftp is the same application (called „ssh“) for PAN, because for PAN it’s an encrypted tunnel with the same signature. You can only differentiate between ssh and sftp, the data within the encrypted tunnel, if you interrupt this encrypted tunnel by using the ssh-proxy (on the decryption page; requires PAN OS 4.0).

It’s similar with ssl. From the “outsite” you can see only an encrypted tunnel and you can’t see which data or application is transferred through this tunnel until you interrupt the encryption with the ssl-forward-proxy for outgoing ssl connections or the ssl-inbound-inspection for incoming ssl connections.

http is for PAN more a “transport protocol” than an application. You are right, there is an application that called “web-browsing” but this allows static html code only. If you really want to be sure that your users can work you have to possibilities:

First the traditionally style: allow the service http and the application any. This means that everything that uses the tcp port 80 is allowed. This works but is not a real secure solution.

Second possibility is the PAN style by using dynamic application filters. Add a new application filter. Enter the application filter name “browser-based apps” and select the technology “browser-based”.
Now you create a security rule, select the “browser-based apps” as application, allow and select application-default on the service row.


This means that all applications that can be used with an web browser are allowed on their standard ports. The standard port for an application, you can see within the application definition and is working for all apps.
E.g. if you use the application ssh and allow it on the service application-default, ssh is only allowed on port tcp 22, if you select the application ssh and the service any, than ssh is allowed on all ports. Of cause you can create your own service on tcp port 322 and allow the application ssh only on this port.
The big advantage for the application-default setting is that you can allow different applications within the same rule. E.g. allow the application ssh and web-browsing with application default means that you you allow ssh only on port tcp 22 and static web sites on port tcp 80.
But keep attention if you use the applications in the context with the “any” service from untrusted zones like the internet. This means that the PAN allows all incoming connections to the destinations you allowed in this rule and denies only connections after it detects application signatures that are not allowed. This makes it possible for an attacker to scan the open ports of the allowed destinations with a tcp-syn scan. So I would strongly recommend you to use the “application-default” service for rules allowing traffic from untrusted zones.

But now back to your problem with the usage of http. You can see that there are a lot of browser-based applications that are allowed but you may not want e.g. browser based peer-to-peer applications. To avoid this traffic you create a rule before the “browser-based apps” rule that denies all applications you don’t want. Of cause you can use the dynamic application filters for this, too.

I hope this helps you a little bit and have fun with PAN...

Best regards,

Florian

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!