how to create policy and how to identify which ports are being used on PAN

L2 Linker

Hi Guys,

I am new to Palo Alto. I recently joined the firm, and they are using an any/any policy for the Internal to Public and Internal to WAN zones. My task is to identify the ports which are being used and apply the ACL.

My question to the experts is how to find out which ports are being used and how I should apply this ACL on PAN.

I have a little idea that I can check ports under the Traffic tab and need to create a service object to apply on the zones.

Guys, please suggest the best approach and guide me on how I should achieve this goal.

Thanks


Accepted Solutions
Cyber Elite

@shafi021,

You shouldn't be looking at building out a port list; you should be looking at seeing what applications are being identified. Identify the applications that you are seeing come across the firewall and whether or not they should be allowed, and build out exceptions for any application that isn't being properly identified.

A couple of notes:

- It's easiest if you simply build out two application-groups for sanctioned and unsanctioned applications.

- Your setup doesn't sound like they've done anything outside of just installing this box. Look at following the published best practices and actually using your NGFW to its capabilities.

L4 Transporter

If you're running 9.0 code, you can use the Policy Optimizer to help you identify what applications are currently being seen on the existing rule. It will easily allow you to apply just these apps to the rule, or clone a new rule with the selected applications.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/policy-optimizer.ht...

Custom reports would also be very helpful to you. You can build and save report queries with all kinds of different options to pull info from the logs, and organize it into convenient summaries.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/view-and-manage-reports/custom-...

All Replies
L2 Linker

Thank you for your response, guys.

L2 Linker

Hi @OwenFuller, we are using PAN-OS 8 and are not going to be on 9 soon. I configured NetFlow and I can see which ports are being used. Some of the applications in my flow analysis are showing as unknown app because my org is using some non-standard ports, but I can find those ports under the Traffic log on PAN. My question is, is it possible to use an application and a service object (where I am going to add ports) together in a zone policy? We have 3 zones: Pub, Inside and WAN. What do you suggest, how should I proceed?

L4 Transporter

Yes, you can use “any” app with a particular service port instead of a pre-defined app. Another option is to define a custom application based on the ports used. I would also check the Monitor tab to see how Palo identifies the applications, and adjust your security policies accordingly.
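The workflow the replies above describe, as an added example that is not from any poster or from Palo Alto Networks: take a CSV export of the Traffic log, count which App-IDs each zone pair actually sends through the any/any rule (the raw material for a sanctioned application-group), and list the unidentified sessions on non-standard ports that still need either a custom App-ID or a narrow "any" app + service-object rule. The sample rows and the column headers (`Source Zone`, `Destination Zone`, `Application`, `Protocol`, `Destination Port`, `Rule`, `Action`) and rule name `any-any-out` are constructed assumptions; map them to the headers of your own export.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample, shaped like a CSV export of Monitor > Logs > Traffic.
# The column names are assumed for this example; map them to your own export.
SAMPLE_TRAFFIC_CSV = """Source Zone,Destination Zone,Application,Protocol,Destination Port,Rule,Action
Inside,Pub,web-browsing,tcp,80,any-any-out,allow
Inside,Pub,ssl,tcp,443,any-any-out,allow
Inside,Pub,ssl,tcp,443,any-any-out,allow
Inside,Pub,unknown-tcp,tcp,8443,any-any-out,allow
Inside,WAN,ms-rdp,tcp,3389,any-any-out,allow
Inside,WAN,unknown-tcp,tcp,9123,any-any-out,allow
Inside,WAN,unknown-tcp,tcp,9123,any-any-out,allow
Inside,WAN,dns,udp,53,any-any-out,allow
Inside,WAN,unknown-udp,udp,5005,any-any-out,allow
"""

# App-ID names PAN-OS assigns when it cannot identify a session.
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp", "incomplete", "insufficient-data"}


def summarize(csv_text, rule="any-any-out"):
    """Count (app, proto, dport) tuples per zone pair for sessions that hit `rule`."""
    summary = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if rule and row["Rule"] != rule:
            continue  # only the broad rule we want to tighten
        pair = (row["Source Zone"], row["Destination Zone"])
        summary[pair][(row["Application"], row["Protocol"], row["Destination Port"])] += 1
    return summary


def identified_apps(summary):
    """Per zone pair, the App-IDs seen: candidates for a sanctioned application-group."""
    return {pair: sorted({app for app, _, _ in c if app not in UNKNOWN_APPS})
            for pair, c in summary.items()}


def custom_app_candidates(summary):
    """Unidentified sessions by zone pair and port, most frequent first.
    Each entry is a non-standard port to cover with a custom App-ID or a
    narrow 'any' app + service-object rule instead of leaving it in any/any."""
    rows = [(pair[0], pair[1], proto, port, n)
            for pair, c in summary.items()
            for (app, proto, port), n in c.items() if app in UNKNOWN_APPS]
    return sorted(rows, key=lambda r: (-r[4], r[0], r[1], r[2], r[3]))
```

Run it over a real export after a representative window (a full business cycle, not a quiet afternoon), otherwise the sanctioned list will miss periodic traffic and the tightened rule will break it.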
