Application vs Services

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Application vs Services

L2 Linker

Hi All,

 

I have probolem with dealing with security policy ..

 

i need to allow telnet to specific ports range (2001 - 2005) but by defining them at services field it is working fine but i cant use ping or any other applications even my application foedl is (ANY) , so wondering what is difference between both of them and what i do if want to enable ping and telnet tp sepcific ports at same time ..

 

 

12 REPLIES 12

L6 Presenter

Hi,

 

Did you add "ping" and "ICMP" application within the same policy as telnet? Not sure but ping is not using any ports so maybe your policy is not matching because of this. Create a test policy purely for "ping" and "ICMP" applications with services as "any" and test 

 

 

Yes i can ping when use "Ping" at application field with "Any" at services .. But this is not what i want as i need to enable both ping and telnet to sepcific ports 

 

so how can i combine between services and application at one policy ..

 

 

Let me give you other example ..

 

Web server IP 20.1.1.2 can be accessed through port 8020 , so i added it on service field and it is working fine 

 

but what if i need to ping server as well ? so when i added ping to application , it is failed for both web browsing and ping

 

 

What PAN-OS are you on? The weird thing when you are adding an additional application to the policy web browsing fails :0 You sure you accessing the web-browser on custom port when it is fails? 

I`m suing version 6 and tried on version 7 as well

 

after second test , it is working now but no Ping !!

 

Application field :  ICMP,PING ,WEB-BROWSING

Services field: Port 8020

 

so now i can access web server on 8020 only but i can`t ping it 

As l said earlier ping doesn't use any port, but your policy has criteria on service to match specific port. My guess ping is not matching your policy. 

Ok , is ther any workaround for this ?

 

 

As per my previous comment add same rule for ping but with "any" as a service and put it above already existing rule for web-browsing or use service "any" in the already existing rule (less secure but your web server will only accept connection on the port you specified anyway).

I guess it will not provide any security , but still option

 

Thank you 

Hi,

 

It will provide still based on your others criterias but not based on the destination port.

Yes exactly , totally right

 

Thank you 🙂

the application and service fields are mutually inclusive (like an AND operation)

if you have

apps web-browsing, telnet , ping 

service 8020

this means the applications must match web-browsing or telnet  or ping AND their destination port must be 8020.

so if you add ping in a policy with a service set to a specific port, ping will fail as it can not match the destination port. any application not matching the destination port of 8020 will also fail

 

you'll need to create separate policies so ping can be set to application-default (because, if ping does match a port, something is terribly wrong)

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 3840 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!