Custom Application v default-Application


L1 Bithead

Hi,

 

I am planning to replace the services in my environment with custom applications. My questions are these:

 

(1) Must I use application override to use a custom application?

(2) While using a custom application, can I use default-application in the Service column? Or should this column be set to Any, since the default app is not in use?

 

Thanks

8 REPLIES

L6 Presenter

Hi,

 

There are a lot of good articles here, as well as video training on YouTube, but the short answers to your questions are below:

 

(1) Must I use application override to use a custom application? - No, not necessarily, if your application will be identified by the signature and parameters you specify.

(2) While using a custom application, can I use default-application in the Service column? Or should this column be set to Any, since the default app is not in use? - "any" in the service column means your app will be allowed on any port (PAN-OS 7.1.x and above); if "application-default", then your app is allowed only on its standard/predefined ports.

 

 

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Custom-applications-and-app-o...

Thanks a lot TranceforLife,

 

That was a quick turn around. I know that application-default is for standard/predefined ports?

 

What do I set that service column when using my custom applications?

 

Regards

Syl

If your custom app will have a port number, then it is your choice. As I said earlier, "any" will allow your custom app on any port (not recommended); "application-default" will allow your app only on the port number or range defined in the custom app.

 

https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-What-Does-Application-default...

 

What do they mean?

  1. Any - This simply means all ports: 1-65535, TCP or UDP. The selected applications are allowed or denied on any protocol or port.
  2. Select - This means that you will have to specify exactly what TCP or UDP port that the application you want to allow or block is going to use. Choose an existing service or choose Service or Service Group to specify a new entry.
  3. Application-Default - Choosing this means that the selected applications are allowed or denied only on their default ports defined by Palo Alto Networks. This option is recommended for allow policies because it prevents applications from running on unusual ports and protocols, which if not intentional, can be a sign of undesired application behavior and usage.

Community Team Member

Hi @Light-Regions,

 

It is recommended to use custom applications when creating app-overrides.  

You don't need to use app-override on all your custom applications (unless you don't want layer-7 inspection).

 

 

By adding the port numbers for a custom application, you can create policy rules that use the application defaults rather than opening up additional ports on the firewall. This improves your security posture.

 

This getting started guide on custom applications and application override will probably help you:

 

https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Custom-applications-and-app-o...

 

Cheers!

-Kiwi.

LIVEcommunity team member, CISSP
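The three Service-column options TranceforLife lists above and Kiwi's point about giving a custom application its own default ports, shown as an added example that is not code from this thread or from Palo Alto Networks: a small Python model of first-match security rule evaluation, where the Service column is checked against the App-ID result. The application names, default port lists and rule names are constructed for the model; the real web-browsing default port list comes from the PAN-OS content database, not from this code.

```python
# Added example, not code from the thread or from Palo Alto Networks: a small
# model of how a security rule's Service column ("any", "application-default",
# or an explicit service) combines with the App-ID result to match a flow.
# All application names, default ports and rule names below are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class App:
    name: str
    default_ports: FrozenSet[str]   # entries like "tcp/8080" or "tcp/8070-8090"


@dataclass(frozen=True)
class Rule:
    name: str
    apps: FrozenSet[str]                  # App-ID names, or {"any"}
    service: Union[str, FrozenSet[str]]   # "any", "application-default", or explicit ports (Select)
    action: str                           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    app: str      # application identified from the payload by App-ID
    proto: str    # "tcp" or "udp"
    dport: int


def port_in(spec: str, proto: str, dport: int) -> bool:
    """True if proto/dport lies inside a 'proto/port' or 'proto/lo-hi' spec."""
    spec_proto, _, ports = spec.partition("/")
    if spec_proto != proto:
        return False
    lo, _, hi = ports.partition("-")
    return int(lo) <= dport <= int(hi or lo)


def service_matches(rule: Rule, flow: Flow, apps: Dict[str, App]) -> bool:
    if rule.service == "any":
        # 1-65535, TCP or UDP: the identified app is accepted on whatever port it arrived on
        return True
    if rule.service == "application-default":
        # only the ports the application itself declares as defaults; for a custom
        # app those are the ports (or range) typed into its definition
        return any(port_in(s, flow.proto, flow.dport) for s in apps[flow.app].default_ports)
    # Select: an explicit service or service group attached to the rule
    return any(port_in(s, flow.proto, flow.dport) for s in rule.service)


def evaluate(rulebase: List[Rule], flow: Flow, apps: Dict[str, App]) -> Tuple[str, str]:
    """First-match evaluation; returns (action, rule name)."""
    for rule in rulebase:
        app_ok = "any" in rule.apps or flow.app in rule.apps
        if app_ok and service_matches(rule, flow, apps):
            return rule.action, rule.name
    return "deny", "no-match"


# Constructed data. The web-browsing default port list is assumed for this model;
# the real list comes from the PAN-OS content database.
APPS: Dict[str, App] = {
    "web-browsing": App("web-browsing", frozenset({"tcp/80"})),
    "intranet-portal": App("intranet-portal", frozenset({"tcp/8070-8090"})),
}

WEAK = Rule("allow-intranet-any", frozenset({"intranet-portal"}), "any", "allow")
HARDENED = Rule("allow-intranet-default", frozenset({"intranet-portal"}), "application-default", "allow")
SELECT = Rule("allow-intranet-8080", frozenset({"intranet-portal"}), frozenset({"tcp/8080"}), "allow")


def compare(flow: Flow) -> Dict[str, str]:
    """Action each of the three rule styles gives the same flow."""
    return {r.name: evaluate([r], flow, APPS)[0] for r in (WEAK, HARDENED, SELECT)}


if __name__ == "__main__":
    for f in (Flow("intranet-portal", "tcp", 8080),
              Flow("intranet-portal", "tcp", 443),     # app seen on a non-default port
              Flow("intranet-portal", "udp", 8080)):   # right port, wrong protocol
        print(f, compare(f))
```

Running it shows the same identified application on tcp/443 or udp/8080 allowed by the "any" rule and dropped by the application-default rule, which is the behaviour the replies recommend: once the custom app carries its own port list or range, application-default covers it without attaching a separate service object to the rule. The model is only the port check; it does not reproduce App-ID's own identification stages.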

Thanks very much Kiwi,

 

That is a very clear answer with clear direction on what to do.

 

Much appreciated.

Thank you TranceforLife,

 

I now understand it a lot clearer.

 

Very many thanks indeed!

 

To keep the security policy list clean, it would be great if I could create a custom application and just change/add my own default ports. This way I can just re-use the application anywhere, inside of perhaps one security policy with all applications for the zone.  I want full analysis of the packet, so application-override isn't appealing.  Once you start adding services, you either have to have an additional policy just for your app/custom service ports, or have to research all application-default ports for all applications you add to the policy, which is tedious and less secure.  Even with service groups, the complication creeps up with duplication of the policy to other areas.

 

I haven't done a deep dive on this since PAN-OS 7.x, but still in 9.1, I can create an application and leave the custom signature blank without an error, but my new custom application still doesn't get any hits. Let's just say I want to use web-browsing with ports 8070, 8080 and 8090 for any similar web server throughout my enterprise. Is it possible to create a custom application for this, or any application? If not, I wish they would add that feature. Seems so logical and clean.
