application override VS service

L0 Member

application override VS service

I have a new application.

I need to know what the difference is between an application override policy and a security policy that uses the service port number, when both are stateful inspection firewalls at Layer-4?

 

Service:
Allows you to select a Layer 4 (TCP or UDP) port for the application. You can choose any, specify a port, or use application-default to permit use of the standards-based port for the application.

 

Application Override:
Identify sessions that you do not want processed by the App-ID engine, which is a Layer-7 inspection. Traffic matching an application override policy forces the firewall to handle the session as a regular stateful inspection firewall at Layer-4.

 

my reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/policy-types.html

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-policy/components-of-a-sec...

L7 Applicator

Re: application override VS service

the service port lets you determine on which port TCP is allowed to connect

 

so if you set port 80, tcp is allowed to connect on port 80, app-id can then determine if the session is web-browsing or ftp or ssh or something else. because you allowed port 80, the session will be allowed through and app-id will simply identify the app

 

if you use application-default, app-id will use its knowledge of the data flow to determine if the port it sees in the tcp session matches what it sees in the payload, so if a tcp session on port 80 comes in, that's fine, but after it sends payload and app-id determines that the session is actually LDAP, it will drop the connection as it is using a non-default port

 

in both the above cases, app-id will keep track of the flow and make sure the application is behaving as expected, applying the right heuristics etc to determine if there are any threats or application switches happening

 

application-override tells app-id and content-id (if used with a custom app) to not inspect a session at all and simply label it as the custom app. so if you set app override on port 80, that opens up port 80 to all underlying applications and threats

reaper - PANgurus.com
I drink and I know things
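As an added illustration of the three cases described in the reply above (not code from the thread or from Palo Alto Networks), a small Python model of how a session is handled under a Security rule with an explicit port, a Security rule with service application-default, and an Application Override rule. The App-ID table, port numbers, session data and the names `Session`, `Rule`, `port_matches` and `evaluate` are all constructed for this example.

```python
"""Toy model of PAN-OS policy handling for the cases in this thread.
Added illustration, not Palo Alto Networks code; the App-ID table,
default ports and sessions below are constructed for the example."""
from dataclasses import dataclass

# Constructed App-ID table: application -> standards-based (default) TCP ports.
DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "ldap": {389}, "ssh": {22}}


@dataclass
class Session:
    dport: int
    payload_app: str          # what App-ID would identify from the payload
    inspected: bool = False   # did Content-ID (the threat engine) see it?
    label: str = ""           # application the firewall records for the flow


@dataclass
class Rule:
    kind: str                 # "security" or "app-override"
    service: str              # "any", "application-default" or "tcp/<port>"
    override_app: str = ""    # custom app name for app-override rules


def port_matches(service: str, dport: int, app: str) -> bool:
    """Layer-4 service match; application-default also checks the app's ports."""
    if service == "any":
        return True
    if service == "application-default":
        return dport in DEFAULT_PORTS.get(app, set())
    return service == f"tcp/{dport}"


def evaluate(rule: Rule, s: Session) -> str:
    """Return 'allow' or 'drop' and record how the session was handled."""
    if rule.kind == "app-override":
        # Override: plain L4 match, no App-ID or Content-ID, label as custom app.
        if port_matches(rule.service, s.dport, ""):
            s.label, s.inspected = rule.override_app, False
            return "allow"
        return "drop"
    # Security rule: App-ID identifies the app from the payload and Content-ID
    # inspects the flow; application-default then checks port against app.
    s.label, s.inspected = s.payload_app, True
    return "allow" if port_matches(rule.service, s.dport, s.payload_app) else "drop"
```

Running LDAP on port 80 through each rule shape shows the difference: the explicit-port rule allows it but still identifies and inspects it, application-default drops it as a non-default port, and the override allows it uninspected under the custom app name.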
L7 Applicator

Re: application override VS service

Hello,

I would suggest staying away from overrides if you can. They bypass the threat engine, so there could potentially be malicious traffic.

 

Regards,
