03-11-2017 06:17 AM
Hi All,
I have a problem with dealing with a security policy.
I need to allow telnet to a specific port range (2001 - 2005). By defining them in the services field it is working fine, but I can't use ping or any other application even though my application field is (ANY). So I'm wondering what the difference is between both of them, and what I do if I want to enable ping and telnet to specific ports at the same time.
03-11-2017 07:36 AM - edited 03-11-2017 07:55 AM
Hi,
Did you add the "ping" and "ICMP" applications within the same policy as telnet? Not sure, but ping does not use any ports, so maybe your policy is not matching because of this. Create a test policy purely for the "ping" and "ICMP" applications with services set to "any" and test.
03-11-2017 08:58 AM
Yes, I can ping when I use "Ping" in the application field with "Any" in services. But this is not what I want, as I need to enable both ping and telnet to specific ports.
So how can I combine services and application in one policy?
03-11-2017 09:14 AM
Let me give you another example.
Web server IP 20.1.1.2 can be accessed through port 8020, so I added it in the service field and it is working fine.
But what if I need to ping the server as well? When I added ping to the application field, it failed for both web browsing and ping.
03-11-2017 09:19 AM - edited 03-11-2017 10:01 AM
What PAN-OS are you on? The weird thing is that when you add an additional application to the policy, web browsing fails :0 Are you sure you are accessing the web browser on the custom port when it fails?
03-11-2017 09:27 AM
I'm using version 6 and tried on version 7 as well.
After a second test, it is working now but no ping!!
Application field: ICMP, PING, WEB-BROWSING
Services field: Port 8020
So now I can access the web server on 8020 only, but I can't ping it.
03-11-2017 10:05 AM
As I said earlier, ping doesn't use any port, but your policy has criteria on service to match a specific port. My guess is ping is not matching your policy.
03-11-2017 10:07 AM
Ok, is there any workaround for this?
03-11-2017 10:17 AM - edited 03-12-2017 04:51 AM
As per my previous comment, add the same rule for ping but with "any" as the service and put it above the already existing rule for web-browsing, or use service "any" in the already existing rule (less secure, but your web server will only accept connections on the port you specified anyway).
03-11-2017 09:44 PM
I guess it will not provide any security, but it is still an option.
Thank you
03-12-2017 04:59 AM
Hi,
It will still provide security based on your other criteria, but not based on the destination port.
03-12-2017 06:54 AM
Yes exactly, totally right.
Thank you 🙂
03-13-2017 02:17 AM
The application and service fields are mutually inclusive (like an AND operation).
If you have
apps: web-browsing, telnet, ping
service: 8020
this means the application must match web-browsing or telnet or ping AND the destination port must be 8020.
So if you add ping in a policy with a service set to a specific port, ping will fail as it cannot match the destination port. Any application not matching the destination port of 8020 will also fail.
You'll need to create separate policies so ping can be set to application-default (because, if ping does match a port, something is terribly wrong).
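The AND semantics described in this thread, as an added illustration that is not from the thread or from Palo Alto Networks: a toy first-match rulebase evaluator showing why ping cannot match a rule whose service is a fixed port, and why splitting the rule (a ping rule on top, the port-restricted web rule below) works. Rule names, the 8020 port and the application-default port table are constructed assumptions.

```python
# Added example (not from the thread): a toy model of a PAN-OS-style security
# rulebase. Every field of a rule is ANDed, rules are checked top to bottom,
# first match wins, and no match falls through to the implicit deny.
from dataclasses import dataclass, field

# Applications that carry no TCP/UDP port at all (ICMP-based).
PORTLESS_APPS = {"ping", "icmp"}


@dataclass
class Rule:
    name: str
    apps: set          # e.g. {"web-browsing", "ping"} or {"any"}
    service: set       # TCP/UDP ports, {"any"}, or {"application-default"}
    # Assumed default ports per app; real App-ID defaults are not modelled here.
    app_default_ports: dict = field(default_factory=lambda: {"web-browsing": {80}})

    def matches(self, app, dport):
        """True only if BOTH the application and the service criteria match."""
        if "any" not in self.apps and app not in self.apps:
            return False
        if "any" in self.service:
            return True
        if "application-default" in self.service:
            if app in PORTLESS_APPS:
                return dport is None          # ping/ICMP legitimately has no port
            return dport in self.app_default_ports.get(app, set())
        # Explicit port list: a portless app can never satisfy it (AND semantics).
        return dport is not None and dport in self.service


def evaluate(rules, app, dport):
    """Return the name of the first matching rule, or 'deny' (implicit default)."""
    for rule in rules:
        if rule.matches(app, dport):
            return rule.name
    return "deny"


# Rulebase A: the single rule from the thread (web-browsing + ping, service 8020).
SINGLE_RULE = [Rule("allow-web-and-ping", {"web-browsing", "ping", "icmp"}, {8020})]

# Rulebase B: the fix suggested in the thread: a ping rule on top using
# application-default, followed by the port-restricted web-browsing rule.
SPLIT_RULES = [
    Rule("allow-ping", {"ping", "icmp"}, {"application-default"}),
    Rule("allow-web-8020", {"web-browsing"}, {8020}),
]
```

With the split rulebase, web traffic on any port other than 8020 and telnet to 8020 still hit the implicit deny, so the fix does not widen the policy beyond adding ping.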