Best Practice: Allowing a known application together with a custom service.


Let's say we have 2 zones separated by our PA firewall, Zone A and Zone B. Traffic between Zone A and Zone B is only allowed for some applications/services from dedicated devices in Zone A to dedicated devices in Zone B.


We have a custom Service which uses TCP port 7777 named CustomService1.


Device 1 in Zone A needs to access Device 2 in Zone B on our custom service AND by https. Is this possible in 1 rule?

Or do we need to configure this like:


rule 1 = zone: Zone A | Address: Device 1 | zone: Zone B | Address: Device 2 | Application: web-browsing | Service: application defaults | action: Allow

rule 2 = zone: Zone A | Address: Device 1 | zone: Zone B | Address: Device 2 | Application: any | Service: CustomService1 | action: Allow

L3 Networker

Re: Best Practice: Allowing a known application together with a custom service.

Two rules are going to be an OR. If you want it to match an application & port, they need to be within the same rule. Everything you match on in the same rule is an AND.


If you do those 2 separate rules, it's going to allow ALL web browsing traffic on its default ports (80/443) as well as allow all traffic, web browsing or not, over tcp port 7777. You could test the single rule requiring both app web-browsing/ssl & your custom service.

Community Team Member

Re: Best Practice: Allowing a known application together with a custom service.

Hi @jeroenverstraeten,


Yes, you can combine applications with non-standard ports in one single rule:

What-s-a-service-anyway


Cheers!

-Kiwi.
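To make the point of both replies concrete (fields within one rule are ANDed, separate rules are effectively ORed by top-down first-match evaluation), here is an added Python model of the two layouts; it is not code from either poster or from Palo Alto Networks. The App-ID default-port table is a constructed simplification (web-browsing on 80/443 as stated in the reply above, https identified as the separate App-ID ssl on 443), and the constant and function names are my own.

```python
from collections import namedtuple

# Constructed, simplified App-ID default-port table (an assumption, not the
# real PAN-OS table): web-browsing on 80/443 as in the reply above, ssl on 443.
APP_DEFAULT_PORTS = {"web-browsing": {80, 443}, "ssl": {443}}
CUSTOM_SERVICE1 = frozenset({7777})  # the custom TCP service from the question
SERVICE_HTTPS = frozenset({443})     # stands in for the predefined https service
A_TO_B = ("Zone A", "Device 1", "Zone B", "Device 2")  # from-zone, src, to-zone, dst

# path = (src zone, src address, dst zone, dst address); app = identified App-ID
Session = namedtuple("Session", "path app port")
# apps = {"any"} or explicit App-IDs; service = "application-default" or a port set
Rule = namedtuple("Rule", "name path apps service")

def rule_matches(rule, s):
    """Every criterion in one rule must hold: the fields are ANDed."""
    if rule.path != s.path:
        return False
    if "any" not in rule.apps and s.app not in rule.apps:
        return False
    if rule.service == "application-default":
        return s.port in APP_DEFAULT_PORTS.get(s.app, set())
    return s.port in rule.service

def first_match(rulebase, s):
    """Top-down, first match wins, so separate rules act as an OR; None = implicit deny."""
    for rule in rulebase:
        if rule_matches(rule, s):
            return rule.name
    return None

TWO_RULES = [  # the two-rule layout from the question
    Rule("rule 1", A_TO_B, {"web-browsing"}, "application-default"),
    Rule("rule 2", A_TO_B, {"any"}, CUSTOM_SERVICE1),
]
ONE_RULE = [   # app AND service in the same rule, as the replies suggest
    Rule("combined", A_TO_B, {"web-browsing", "ssl"}, CUSTOM_SERVICE1 | SERVICE_HTTPS),
]

def evaluate(rulebase):
    """Map each constructed test session to the rule that allows it, if any."""
    sessions = {
        "web-browsing/7777": Session(A_TO_B, "web-browsing", 7777),
        "ssl/443": Session(A_TO_B, "ssl", 443),
        "web-browsing/80": Session(A_TO_B, "web-browsing", 80),
        "ssh/7777": Session(A_TO_B, "ssh", 7777),  # unrelated app on the custom port
    }
    return {k: first_match(rulebase, s) for k, s in sessions.items()}
```

Running `evaluate(TWO_RULES)` shows the unrelated app on port 7777 and plain web-browsing on port 80 both being allowed, while `evaluate(ONE_RULE)` allows only the intended app/port combinations.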
