09-05-2017 07:37 AM
Hi,
I am planning to replace the services in my environment with custom applications. My questions are:
(1) Must I use application override to use a custom application?
(2) While using a custom application, can I use default-application in the Service column? Or should this column be set to Any, since the default app is not in use?
Thanks
09-05-2017 07:52 AM - edited 09-05-2017 07:55 AM
Hi,
There are a lot of good articles here as well as video training on YouTube, but the short answers to your questions are below:
(1) Must I use application override to use a custom application? - No, not necessarily, if your application will be identified by the signature and parameters you specify.
(2) While using a custom application, can I use default-application in the Service column? Or should this column be set to Any, since the default app is not in use? - "any" in the service column means your app will be allowed on any port (PAN-OS 7.1.x and above); if "application-default", then your app is allowed only on standard/predefined ports.
09-05-2017 08:04 AM
Thanks a lot TranceforLife,
That was a quick turnaround. I know that application-default is for standard/predefined ports.
What do I set the service column to when using my custom applications?
Regards
Syl
09-05-2017 08:09 AM
If your custom app will have a port number, then it is your choice. As I said earlier, "any" will allow your custom app on any port (not recommended); "application-default" will allow your app only on the port number or range defined in the custom app.
What do they mean?
09-05-2017 08:26 AM
Hi @Light-Regions,
It is recommended to use custom applications when creating app-overrides.
You don't need to use app-override on all your custom applications (unless you don't want layer-7 inspection).
By adding the port numbers for a custom application, you can create policy rules that use the application defaults rather than opening up additional ports on the firewall. This improves your security posture.
This getting started guide on custom applications and application override will probably help you:
Cheers!
-Kiwi.
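The two points made above (a custom app needs its default ports declared before application-default can allow it, and service "any" lets the app match on every port) can be checked mechanically against an exported rulebase. The following is an added example, not code from this thread or from Palo Alto Networks; the XML fragment is constructed and its element layout is an assumption based on the PAN-OS configuration export format.

```python
import xml.etree.ElementTree as ET

# Constructed config fragment (assumed layout: vsys/application and
# vsys/rulebase/security/rules), trimmed to the elements this check needs.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<application>
 <entry name="intranet-web"><default><port>
  <member>tcp/8070</member><member>tcp/8080</member><member>tcp/8090</member>
 </port></default></entry>
 <entry name="legacy-batch"/>
</application>
<rulebase><security><rules>
 <entry name="allow-intranet-ok"><application><member>intranet-web</member></application>
  <service><member>application-default</member></service></entry>
 <entry name="allow-intranet-any-port"><application><member>intranet-web</member></application>
  <service><member>any</member></service></entry>
 <entry name="allow-batch-no-ports"><application><member>legacy-batch</member></application>
  <service><member>application-default</member></service></entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def lint_rules(config_xml):
    """Return (rule name, finding) pairs for rules that use custom apps unsafely."""
    root = ET.fromstring(config_xml)
    # Map each custom application to the default ports it declares (possibly none).
    apps = {app.get("name"): [m.text for m in app.iterfind("default/port/member")]
            for app in root.iterfind(".//vsys/entry/application/entry")}
    findings = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        name = rule.get("name")
        custom = [m.text for m in rule.iterfind("application/member") if m.text in apps]
        services = [m.text for m in rule.iterfind("service/member")]
        if not custom:
            continue  # only predefined apps referenced; nothing to check here
        if "any" in services:
            findings.append((name, "service 'any' lets custom app(s) %s match on every "
                                   "port; use application-default" % ", ".join(custom)))
        if "application-default" in services:
            for app in custom:
                if not apps[app]:
                    findings.append((name, "custom app %s declares no default ports, so "
                                           "application-default has nothing to allow; add "
                                           "the ports to the app definition" % app))
    return findings


if __name__ == "__main__":
    for rule_name, finding in lint_rules(SAMPLE_CONFIG):
        print("%s: %s" % (rule_name, finding))
```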
09-06-2017 12:11 AM
Thanks very Much Kiwi,
That is a very clear answer with clear direction on what to do.
Much appreciated.
09-06-2017 12:13 AM
Thank you TranceforLife,
I now understand it a lot clearer.
Very many thanks indeed!
06-02-2020 12:16 PM - edited 06-02-2020 12:19 PM
To keep the security policy list clean, it would be great if I could create a custom application and just change/add my own default ports. This way I could re-use the application anywhere, inside of perhaps one security policy with all applications for the zone. I want full analysis of the packet, so application-override isn't appealing. Once you start adding services, you either have to have an additional policy just for your app/custom service ports, or have to research all application-default ports for all applications you add to the policy, which is tedious and less secure. Even with service groups, the complication creeps up with duplication of the policy to other areas.
I haven't done a deep dive on this since PAN-OS 7.x, but still in 9.1, I can create an application and leave the custom signature blank without an error, but my new custom application still doesn't get any hits. Let's just say I want to use web-browsing with ports 8070, 8080 and 8090 for any similar web server throughout my enterprise. Is it possible to create a custom application for this, or any application? If not, I wish they would add that feature. It seems so logical and clean.