11-06-2016 08:00 AM
Hello Experts
In my firewall configuration, many security rules have a specific application but service ANY. I would like to harden the service part as well. Once I view the logs for a particular security rule to check service ports, there are many pages I have to go through manually. Is there any way I can generate a report for that particular security rule for service ports, OR is there any script I can run against a particular security rule to pull all the service ports (destination ports) from the logs?
Appreciate your reply
11-07-2016 01:35 AM
you could try a custom report like below, then verify where applications are using 'abnormal' ports (because for those applications you will need to build custom service ports) and set all the rules where the applications use their default ports to service 'application default'
here's a little video on security policy optimization
Tom
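The custom report above does the aggregation inside PAN-OS. As an added example (not from the thread or from Palo Alto Networks), the same per-rule summary can be built offline from a CSV export of the traffic log, which also lets you restrict the output to the rules that currently have service ANY, something the thread notes the report query builder cannot filter on. The column names (`Rule`, `Application`, `IP Protocol`, `Destination Port`, `Action`), the sample rows and the `DEFAULT_PORTS` table are constructed assumptions; check the header of your own export and the application's standard ports in the firewall before acting on the result.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a PAN-OS traffic log CSV export. The header names and
# rows are an assumption about the export format, not data from the thread.
SAMPLE_LOG = """Receive Time,Rule,Application,IP Protocol,Destination Port,Action
2016/11/01 10:00:01,Allow-Web,web-browsing,tcp,80,allow
2016/11/01 10:00:02,Allow-Web,ssl,tcp,443,allow
2016/11/01 10:00:03,Allow-Web,ssl,tcp,8443,allow
2016/11/01 10:00:04,Allow-Web,web-browsing,tcp,80,allow
2016/11/01 10:00:05,Allow-DNS,dns,udp,53,allow
2016/11/01 10:00:06,Allow-DNS,dns,tcp,53,allow
2016/11/01 10:00:07,Allow-Web,ssh,tcp,22,deny
"""

# Illustrative default-port table (assumed). The authoritative list is the
# application's "Standard Ports" in the firewall's application database.
DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "dns": {("tcp", 53), ("udp", 53)},
    "ssh": {("tcp", 22)},
}


def ports_by_rule(csv_text, rules=None, allowed_only=True):
    """Return {rule: {(app, proto, port): session_count}} from an exported traffic log.

    rules: optional set of rule names to keep (e.g. the rules that still use
           service ANY), since the report builder has no 'service = any' filter.
    allowed_only: skip denied sessions; they say nothing about what the rule permits.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        rule = row["Rule"]
        if rules is not None and rule not in rules:
            continue
        if allowed_only and row["Action"].strip().lower() != "allow":
            continue
        key = (row["Application"], row["IP Protocol"].lower(), int(row["Destination Port"]))
        counts[rule][key] += 1
    return {rule: dict(keys) for rule, keys in counts.items()}


def recommend_service(rule_counts, defaults=DEFAULT_PORTS):
    """Per rule: 'application-default' if every observed port is the app's default,
    otherwise 'custom-service' plus the (app, proto, port) tuples needing service objects."""
    recommendations = {}
    for rule, keys in rule_counts.items():
        off_default = sorted(
            (app, proto, port)
            for (app, proto, port) in keys
            if (proto, port) not in defaults.get(app, set())
        )
        if off_default:
            recommendations[rule] = ("custom-service", off_default)
        else:
            recommendations[rule] = ("application-default", [])
    return recommendations


if __name__ == "__main__":
    summary = ports_by_rule(SAMPLE_LOG, rules={"Allow-Web", "Allow-DNS"})
    for rule, keys in sorted(summary.items()):
        print(rule)
        for (app, proto, port), n in sorted(keys.items()):
            print(f"  {app:14s} {proto}/{port:<5d} sessions={n}")
    for rule, (verdict, extra) in sorted(recommend_service(summary).items()):
        print(f"{rule}: service -> {verdict} {extra if extra else ''}")
```

Run it against a log export covering the review window Tom suggests (a month for a stable environment, longer for a dynamic one); a rule whose verdict is `application-default` can be switched directly, while `custom-service` lists the exact protocol/port pairs that need service objects before the rule is tightened.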
11-07-2016 04:01 AM
@reaper you are the man! Can I use PAN-Configurator to get the same result? I mean, run it against each rule and get the ports from the logs?
11-08-2016 01:47 AM
@reaper I would highly appreciate it if you could recommend, for converting SERVICE any to specific ports, how many days of traffic logs are recommended? Same for APPLICATION any to specific applications.
11-08-2016 02:13 AM
Hi @ghostrider
that's a tricky question 😉
It would depend on how well you know your environment and how likely it is you encounter applications on 'weird' ports
If your organization is running mostly 'the usual' mix of applications, it would be safe to assume 99.9% of all 'good' applications run on their default port, and a month's worth of log for due diligence would suffice. if your environment is highly dynamic and a lot of custom services/servers/applications are used, you may want to invest more time and go back 6 months to make sure you cover all your bases
depending on the complexity of your firewall, you can use 'double' security policies: rule 1 has applications and service set to application-default, rule 2 is the original policy and has any app, any port: anything that hits rule 2 and is ok can be added to rule 1
this will only work in a not-too-complex deployment however 😉
11-08-2016 12:05 PM
@reaper Thanks 🙂 I ran the report for all rules having service any in the qualifier, showing the ports and application with the rule name in the filter, but when I run the report it just keeps processing like crazy 🙂 Is there any script I can run for this purpose?
11-09-2016 04:08 AM
@reaper The solution you gave: how can I run the report against the security rules that have SERVICE ANY?
11-09-2016 05:01 AM
ehm, I guess you could use the query builder to limit the report to certain rules only, but there is no operator for 'service = any'