02-14-2012 12:15 AM
Hello
Sometimes I just get the TCP ports for firewall configuration changes. Since the configuration on the Palo Alto should be based on App-IDs rather than TCP ports, is there a way to search for App-IDs which are using a defined TCP port (e.g. tcp-9000)?
Since every app has a "Standard Ports" attribute, the information is there, but it seems neither the firewall GUI itself nor Applipedia (http://apps.paloaltonetworks.com/applipedia/) supports such a filtering possibility. Is there another way?
02-14-2012 03:21 AM
My guess is they use http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers for the well known and registered standard ports.
02-14-2012 05:44 AM
Sounds like a good feature request which you should contact your Sales rep about.
However, I have another opinion regarding how the App-ID should be used. If your webserver only listens to, let's say, TCP 80, I then see no reason why one would use "any" or "service-default" regarding ports (other than for a test or for protocols that use large port ranges).
My opinion is to set up the PAN as you would a regular SPI firewall, with the addition of selecting the proper App-ID for each flow. With the disclaimer that there are some special cases where "service-default" is handy.
One of the reasons is that in many cases the PAN must let one or more packets through the firewall before the App-ID can successfully be detected. This will, even if it is a small one, unnecessarily expose your resource to the surroundings.
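The point above (App-ID rules that leave the service at "any" or "service-default" admit packets before the application is identified) is the kind of thing a rule-base review should flag. The following is an added example, not code from the thread or from Palo Alto Networks: it audits a small constructed rule set for inbound rules that name an application but do not pin the service to an explicit port. The rule format, field names and the "untrust"/"dmz" zone names are assumptions made for the example.

```python
"""Flag App-ID rules from an untrusted zone whose service is left wide open.

Constructed example: the Rule shape below is an assumption for illustration,
not a PAN-OS export format or API.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    applications: Tuple[str, ...]
    # Either a named service object (e.g. "tcp-80") or one of the open
    # settings the thread discusses: "any" or "service-default".
    service: str


# Settings that let the first packets through on any port before App-ID
# has had a chance to classify the flow.
OPEN_SERVICES = frozenset({"any", "service-default"})

# Constructed sample rule base (not taken from any real firewall).
SAMPLE_RULES: Sequence[Rule] = (
    Rule("web-inbound-tight", "untrust", "dmz", ("web-browsing",), "tcp-80"),
    Rule("web-inbound-loose", "untrust", "dmz", ("web-browsing",), "any"),
    Rule("web-inbound-default", "untrust", "dmz", ("web-browsing", "ssl"), "service-default"),
    Rule("users-outbound", "trust", "untrust", ("web-browsing", "ssl"), "service-default"),
)


def find_loose_inbound_rules(rules: Iterable[Rule],
                             untrusted_zones: Iterable[str] = ("untrust",)) -> List[str]:
    """Return the names of rules that originate in an untrusted zone, select at
    least one application, and do not restrict the service to an explicit port.

    Outbound rules from trusted zones are deliberately left alone: the thread's
    concern is about exposing internal resources to the outside.
    """
    untrusted = set(untrusted_zones)
    findings = []
    for rule in rules:
        if rule.from_zone not in untrusted:
            continue
        if not rule.applications:
            continue  # no App-ID in play, nothing to compare against
        if rule.service in OPEN_SERVICES:
            findings.append(rule.name)
    return findings


if __name__ == "__main__":
    for name in find_loose_inbound_rules(SAMPLE_RULES):
        print(f"review: inbound App-ID rule '{name}' has no explicit service port")
```

Running the module prints the two inbound rules whose service is open; the outbound rule using "service-default" is not reported, matching the thread's view that the risk is on the inbound side.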
02-14-2012 06:16 AM
Good one. Last year at one of the competitors' international get-togethers in Barcelona there was a technical speech and they pointed out how risky it can be to allow inbound traffic based on App-ID... Usually it's a good idea to only allow inbound web traffic to your webservers on the standard application port, 80 for http for example.
Might be a bit off topic though...
It surely would be nice to be able to look up the applications' standard ports as per the PAN definition, if there is such a thing. There are apps that do not have standard ports, like Skype for example.
02-14-2012 11:43 PM
Looking at Wikipedia isn't always helpful. E.g. if you are looking to allow icmp echo requests, the app name doesn't contain "icmp" or "echo"; it's the ping app.
So I am looking for TCP 9000. Wikipedia shows me three entries and the third one (SqueezeCenter) is the one I am looking for. Applipedia doesn't contain anything with "Squeeze", which leads me to the question: is this app supported, or is there just a different name? It seems that without testing you will never find out.
02-15-2012 02:14 AM
So did you contact your sales rep yet to highlight this as a feature request?
02-15-2012 11:04 AM
From PAN-OS 4.1 onwards, the search box under Objects>Applications can be used to search for apps by port numbers. The Applipedia page on research center also supports search by ports.
02-17-2012 02:04 PM
I tried an Applipedia search and entered 53 in the search field. The result showed 22 apps... The search result showed not only exact matches but also every app that contains 53 e.g. 9053. Might need some improvement.
07-18-2012 11:06 AM
Try Applipedia for Android 😉
Other than matching only the relevant entries, it will also match applications with default port ranges, e.g. udp/50-60.
Cheers from CH
07-18-2012 11:54 AM
Try "tcp/53" or "udp/53" without the quotes in the search field. Doesn't seem to work on the Palo box itself under Objects > Applications, though.
07-18-2012 12:54 PM
That's right. It is somewhat cumbersome to search for applications by means of default ports on the firewall (objects->applications).
The only workaround is Applipedia for Android (not sure about Applipedia for iPhone/iPad).
07-18-2012 01:09 PM
Yes the Android Applipedia app also allows searching based on port. Thanks!