11-28-2011 01:00 PM
I have attached a PDF that shows screenshots of the same rule, in four different variations.
I am trying to understand the relationships between using applications and traditional ports.
I have a server that has a static public IP NATed to the private internal IP.
I need telnet, FTP and web browsing allowed on it.
I originally set up the rule to be like #3, using the default PA-provided service group service-http (which covers ports 80 and 8080) and the applications FTP and Telnet. None of the three services worked under this configuration.
I modified the rule to look like #1 and all three services worked.
So I played with it more to see how the relationships between applications and services work and came up with two additional variations, #2 and #4.
#2 works like #1: all three applications work.
#4: FTP and Telnet do not work, but the website does.
So my question to you all is: what is this relationship doing? Why does #3 not allow any of the three services to work, yet #4 allows the website to work but not FTP and Telnet? Can I mix and match applications and services in the same rule, or do I need to break them apart?
This simple example is not a big deal, but I have some servers that use known applications like FTP and MSSQL that I would like to switch over to pure applications in the rule; however, they also have some proprietary ports that are unique to them that I will need to keep listed as services. So before I start mucking with them I'd like to have a better understanding of how this is supposed to work.
Thanks for any advice and guidance.
11-28-2011 01:48 PM
Well, I should have searched more before posting as I believe my questions were already answered in the following two posts.
https://live.paloaltonetworks.com/message/5821#5821
https://live.paloaltonetworks.com/message/3134#3134
If others have additional thoughts they want to add please post still.