Hardening the security rule for service ports


Hello Experts

In my firewall configuration, many security rules have a specific application but service ANY. I would like to harden the service part as well. When I view the logs for a particular security rule to check the service ports, there are many pages I have to go through manually. Is there any way I can generate a report for that particular security rule showing the service ports, or is there any script I can run against a particular security rule to pull all the service ports (destination ports) from the logs?

Appreciate your reply.

1 accepted solution

Accepted Solutions

Cyber Elite

You could try a custom report like the one below, then verify where applications are using 'abnormal' ports (because for those applications you will need to build custom service ports) and set all the rules where the applications use their default ports to service 'application default'.

[screenshot: 2016-11-07_10-27-06.png]

Here's a little video on security policy optimization.

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

7 REPLIES 7


@reaper you are the man! Can I use PAN-Configurator to get the same result? I mean, run it against each rule and get the ports from the logs?

@reaper I would highly appreciate it if you could recommend, for converting SERVICE any to specific ports, how many days of traffic logs are recommended? Same for APPLICATION any to specific applications.

Hi @ghostrider

That's a tricky question 😉

It would depend on how well you know your environment and how likely it is that you encounter applications on 'weird' ports.

If your organization is running mostly 'the usual' mix of applications, it would be safe to assume 99.9% of all 'good' applications run on their default port, and a month's worth of logs for due diligence would suffice. If your environment is highly dynamic and a lot of custom services/servers/applications are used, you may want to invest more time and go back 6 months to make sure you cover all your bases.

Depending on the complexity of your firewall, you can use 'double' security policies: rule 1 has applications and service set to application-default, rule 2 is the original policy and has any app, any port. Anything that hits rule 2 and is OK can be added to rule 1.

This will only work in a not-too-complex deployment, however 😉

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper Thanks 🙂 I ran the report with 'all rules having service any' in the qualifier, showing the ports and application with the rule name in the filter, but when I run the report it just keeps processing like crazy 🙂 Is there any script I can run for this purpose?

@reaper For the solution you gave, how can I run the report against security rules that have SERVICE ANY?

Ehm, I guess you could use the query builder to limit the report to certain rules only, but there is no operator for 'service = any'.

[screenshot: 2016-11-09_13-59-19.png]

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
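The script the original poster asked for, as an added example (not from any post above and not a Palo Alto Networks tool): it reads a traffic log CSV export, tallies destination ports per rule and application, and flags ports outside a caller-supplied default set, which is the check the accepted answer describes. The column names, the sample log rows and the default-port table are all constructed assumptions; adjust them to match your own export.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of a traffic log CSV export. Column names are assumptions;
# change them to whatever headers your firewall's export actually uses.
SAMPLE_CSV = """Rule,Application,IP Protocol,Destination Port,Action
allow-web,web-browsing,tcp,80,allow
allow-web,web-browsing,tcp,80,allow
allow-web,ssl,tcp,443,allow
allow-web,ssl,tcp,8443,allow
allow-dns,dns,udp,53,allow
allow-dns,dns,tcp,53,allow
allow-web,web-browsing,tcp,8080,allow
"""

def ports_by_rule(csv_text, rules=None):
    """Return {rule: {application: Counter({(proto, port): hits})}}.
    If `rules` is given, only those rule names are tallied."""
    result = defaultdict(lambda: defaultdict(Counter))
    for row in csv.DictReader(io.StringIO(csv_text)):
        rule = row["Rule"]
        if rules and rule not in rules:
            continue
        key = (row["IP Protocol"].lower(), int(row["Destination Port"]))
        result[rule][row["Application"]][key] += 1
    return result

def service_candidates(summary, rule):
    """All 'proto/port' values seen on one rule, most frequent first
    (ties broken by protocol then port) - the basis for a tight service object."""
    seen = Counter()
    for app_counts in summary[rule].values():
        seen.update(app_counts)
    ordered = sorted(seen.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{proto}/{port}" for (proto, port), _ in ordered]

def nondefault_ports(summary, rule, defaults):
    """Ports seen for an application that are not in the caller-supplied
    default set (`defaults` maps app name -> set of (proto, port)); these are
    the cases that need a custom service rather than 'application-default'."""
    out = {}
    for app, counts in summary[rule].items():
        extra = sorted(k for k in counts if k not in defaults.get(app, set()))
        if extra:
            out[app] = extra
    return out

if __name__ == "__main__":
    summary = ports_by_rule(SAMPLE_CSV, rules={"allow-web"})
    print("allow-web service candidates:", service_candidates(summary, "allow-web"))
    print("non-default ports:", nondefault_ports(summary, "allow-web", {"web-browsing": {("tcp", 80)}, "ssl": {("tcp", 443)}}))
```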