mail/dns/www/ftp server in DMZ - need advice



L4 Transporter



I'm preparing to move my server, which is mail/dns/www, into the DMZ zone. I did some tests and it seems to be working - but only as well as I can test...

Should I use applications (dns, smtp, pop3, imap, ftp, web-browsing) or use services on ports (53, 25, 110, 21, 80, 465, 993, 995)?

What are you using and why?

My NAT rule:


My security policy:


I have, of course, a U-turn policy to allow access to this server from my local zones.

What about profiles?

I did one group for servers:


Does it make sense to scan traffic with all these profiles?

Could someone share their policies - please?

I didn't see such a topic in this forum, and it could be very useful for every new PA user.

With regards


L4 Transporter

Hello Slv,

I would like to answer the question about using apps or services. The advantage of using Apps is that the PAN would inspect the traffic at the application layer and allow only those ports required by that application. (We should select the service as "App-default" to allow only the ports that the app needs.) I see your security policy with apps and app-default, and that is the right way.

In regards to the group of profiles, that is used when there is a need to have the same set of profiles for multiple security rules, making configuration simpler, and is completely fine. Rather than individually selecting the profiles for each security rule, we can use a group. If we need to customize profiles, then we can use profiles selectively.


L4 Transporter

That's good that my policies are OK. But I'm scared that I missed some application...

i.e. - I moved the www server to the DMZ a few days ago, and I see that I also have to add new applications: rss, web-crawler. Until now I thought that they should be in web-browsing, but after I checked the traffic logs for denied applications a few times, I realized that I was wrong.

I agree with you about the group of profiles. But is it correct to scan traffic using antivirus/anti-spyware/vulnerability/data filtering? Or maybe one of them is enough? Every profile takes some resources of the PAN, and I'd like to use only those that are necessary.

p.s. - sorry for my bad English



L3 Networker


Since you're dealing with a new policy, you might want to have a "loose deny" rule below the new one; that way you can verify that the traffic you want is matching, and you can tune the deny rule as you see how it's going. So if you are certain you do not want to host FTP or SSH, add those to the deny rule, watch the monitor, and add additional services to the allow or deny rule as needed. Once you think you have a stable policy, make the deny a 'deny all' rule and that should do it.
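The tuning loop described in the two replies above (check the denied-traffic logs, then decide which apps belong in the allow rule and which in the explicit deny) as an added example that is not part of the original thread or of PAN-OS: it runs over a constructed, simplified log export whose column names (rule, app, action, dst, dport), rule names and server address are assumptions, not a real PAN-OS CSV layout.

```python
"""Tune a staged DMZ policy from denied-traffic logs.

The sample below is constructed for illustration; its columns and values are
assumed and do not follow a real PAN-OS traffic-log export.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed sample log: "DMZ-Allow" is the app-based allow rule,
# "DMZ-Loose-Deny" is the placeholder deny rule sitting below it.
SAMPLE_LOG = """\
rule,app,action,dst,dport
DMZ-Allow,web-browsing,allow,10.10.1.5,80
DMZ-Allow,smtp,allow,10.10.1.5,25
DMZ-Loose-Deny,rss,deny,10.10.1.5,80
DMZ-Loose-Deny,web-crawler,deny,10.10.1.5,80
DMZ-Loose-Deny,ssh,deny,10.10.1.5,22
DMZ-Loose-Deny,rss,deny,10.10.1.5,80
DMZ-Allow,dns,allow,10.10.1.5,53
DMZ-Loose-Deny,ftp,deny,10.10.1.5,21
"""

# Apps already in the allow rule, and apps the admin decided never to host.
ALLOWED = {"dns", "smtp", "pop3", "imap", "web-browsing"}
NEVER_HOSTED = {"ftp", "ssh"}


def denied_app_counts(log_text, deny_rule, server):
    """Count denied hits per application for one server under the deny rule."""
    counts = Counter()
    for row in csv.DictReader(StringIO(log_text)):
        if row["rule"] == deny_rule and row["action"] == "deny" and row["dst"] == server:
            counts[row["app"]] += 1
    return counts


def classify(counts, allowed, never_hosted):
    """Split denied apps into review candidates and intended denies."""
    review = {a: n for a, n in counts.items() if a not in allowed and a not in never_hosted}
    expected = {a: n for a, n in counts.items() if a in never_hosted}
    return review, expected


if __name__ == "__main__":
    hits = denied_app_counts(SAMPLE_LOG, "DMZ-Loose-Deny", "10.10.1.5")
    review, expected = classify(hits, ALLOWED, NEVER_HOSTED)
    print("Candidates to add to the allow rule:", review)   # {'rss': 2, 'web-crawler': 1}
    print("Hits on apps you chose not to host:", expected)  # {'ssh': 1, 'ftp': 1}
```

Apps in the first bucket are the ones the OP found (rss, web-crawler) that need an explicit entry because they are not covered by web-browsing; the second bucket confirms the deny rule is doing what was intended.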

