Is it better to have policy rules base on application instead of service ports?

cancel
Showing results for 
Search instead for 
Did you mean: 

Is it better to have policy rules base on application instead of service ports?

Not applicable

I'm migrating a traditional layer 4 firewall policy to PAN firewall.  I'm wondering if I should convert all policies to application id based, or I should leave it as service ports based, or I should do both (i.e. app-id + server ports)?

Thank you.

1 ACCEPTED SOLUTION

Accepted Solutions

In most cases, I would not recommend leaving the service/port definition as "any", particularly on inbound rules. For inbound rules, there is not really a good reason to wait to drop a session based on App-ID when you know you don't want the traffic coming in on that port in the first place. As a general rule, inbound policy should always include "application-default" or the specific port you know you have the service running on. For outbound rules, it is best to have the firewall policy reflect what your intention is. For example, if you want to allow users to run web-browsing or ssh on random ports, use "any" in the service column and they will be allowed to do that. I wouldn't necessarily recommend that, but the key is the write the policy that is appropriate for your environment. When you are protecting servers, allowing traffic on random ports is almost always a bad idea. When you are protecting users, it may still be a bad idea, but that will largely depend on your environment and the risk you are willing to allow and the threat protection you are employing on the outbound (and inbound response) traffic. Generally speaking, the smaller you can get the surface area of exposure, the better you can manage the risk. App-ID allows you to do that in important ways, but it doesn't mean you should increase the port-based surface area just because you can.

Mike

View solution in original post

4 REPLIES 4

Not applicable

Probably a mix of both, as PA doesn't know about all possible applications.

For web filetering rules, application based is good.

Now for datacenter/production needs ... what would happen if suddendly after an APP ID update , it won't recognize MSSQL protocol ? In addition, many apps aren't running on officially supported ports.

In most cases, I would not recommend leaving the service/port definition as "any", particularly on inbound rules. For inbound rules, there is not really a good reason to wait to drop a session based on App-ID when you know you don't want the traffic coming in on that port in the first place. As a general rule, inbound policy should always include "application-default" or the specific port you know you have the service running on. For outbound rules, it is best to have the firewall policy reflect what your intention is. For example, if you want to allow users to run web-browsing or ssh on random ports, use "any" in the service column and they will be allowed to do that. I wouldn't necessarily recommend that, but the key is the write the policy that is appropriate for your environment. When you are protecting servers, allowing traffic on random ports is almost always a bad idea. When you are protecting users, it may still be a bad idea, but that will largely depend on your environment and the risk you are willing to allow and the threat protection you are employing on the outbound (and inbound response) traffic. Generally speaking, the smaller you can get the surface area of exposure, the better you can manage the risk. App-ID allows you to do that in important ways, but it doesn't mean you should increase the port-based surface area just because you can.

Mike

View solution in original post

No solution can identify apps before the TCP 3 way handshaking completes. For traditional fw, the port based policy can make traffic deny decision by the syn packet which contains port no./service and IP information.

For PA, if you choose "any" for service, that means you are ignoring the port no. check and we will allow a lot of first few packets from connections coming in/ sending out until we identify the app after we receive the fourth or later packets. So in order to make PA to be really "more secure" than a traditional fw and allowing less packets that we should not allow than a traditional fw, you should put at least application-default for a policy.

Thanks Jones.  I have a more clear understanding now. Smiley Happy

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!