Implementing Applications Over Services

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Implementing Applications Over Services

L0 Member

We recently completed a migration and I am in clean up mode.  I would like to utilize applications but we do some no decryptions exceptions rules that bypass decryption.  I am concerned that without decrypting, the rule will break and traffic won't flow.  What is a safe way to begin transitioning from services to applications?  

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@Jim.Couch,

Build the application rule above the rule that you currently have utilizing services. Once you verify that the application rule has been tuned to match traffic properly (without decryption you'll need to make adjustments for WinRM over HTTPS as an example) the service rule should stop getting hit.

 

When it comes to cleaning up the service rules that all depends on your environment and appetite of risk. I've had some people just delete the service rule when the application rule is matching traffic, I'll have some people setup alerting whenever the service rule is hit but leave it there for a month just as backup, I'll have have some people set the service rule to deny the traffic with the rule set to alert on any traffic and leave it around for a month; it all depends on your environment and what you decide to do.

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

@Jim.Couch,

Build the application rule above the rule that you currently have utilizing services. Once you verify that the application rule has been tuned to match traffic properly (without decryption you'll need to make adjustments for WinRM over HTTPS as an example) the service rule should stop getting hit.

 

When it comes to cleaning up the service rules that all depends on your environment and appetite of risk. I've had some people just delete the service rule when the application rule is matching traffic, I'll have some people setup alerting whenever the service rule is hit but leave it there for a month just as backup, I'll have have some people set the service rule to deny the traffic with the rule set to alert on any traffic and leave it around for a month; it all depends on your environment and what you decide to do.

Its funny you mention building the application rule above it because I've used that technique in many other situations but I just didnt think about it on this one for some reason.  I really appreciate the thoughts and information.

 

Jim

 

  • 1 accepted solution
  • 1240 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!