This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Eval question

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Eval question

derasa
L0 Member

‎04-17-2014 03:28 PM

Given a flow and properly written policy to allow Facebook and its myriad apps/widgets on port 80/443, other than the admin management overhead (i.e., having to open ports 80 and 443), how is what Palo Alto does different from what Checkpoint does?

This question addresses the quote below (found on the link shown).

http://researchcenter.paloaltonetworks.com/2012/12/app-id-cache-pollution-response/

  • Port 80 allow – open the floodgates. The always-on nature of port-based traffic classification, means old-guard firewalls will first need to open the application default port controlling the application. To control Facebook, you need to allow tcp/80 and tcp/443. Based on the June 2012 Application Usage and Risk Report, you may be allowing more than 500 (42%) other applications that you may or may not want on the network. This means the strength of a default deny all policy is significantly weakened. If you are using Check Point, or any other port-based firewall, ask them if the above statement is true and how they recommend managing it.

In other words, if I allow ports 80/443 in my port policy and an application policy to allow Facebook apps only, I expect Checkpoint to be able to identify Facebook and non-Facebook traffic--then allow only the Facebook traffic and discard/block the rest.  I expect Palo Alto to do the same--with the exception that the admin would not incur the management overhead of dealing with explicitly opening ports.  Can someone elaborate on how Checkpoint (or any firewall that claims NG capabilities) opens "the floodgates."?

Just looking for an objective/technical answer.

thanks

0 Likes Likes
1 REPLY 1

jvalentine
L7 Applicator

‎04-17-2014 03:58 PM

In the Checkpoint firewall, you'll create a port-based rule that permits outbound TCP/80, TCP/443 traffic.  Then, you'll leave the firewall policy and go to the AppBlade and create a 2nd policy that deals with applications.  It's quite the pain. 

0 Likes Likes
  • 1692 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks