Question about application group and custom service group

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Question about application group and custom service group

L1 Bithead

Hi All, 

 

First off I appologize if this question has been answered before.

I have a question regarding the use of application groups and custom service groups in the same security policy. Can traffic identified in the application group use a non standard port that is defined in the custom service group?

 

For example, Can traffic identified as kerberos in an application group use a non-standard port say 555 which is defined in the custom service group of the policy?

 

How would behaviour be different if I use application-default as the service in the policy which has application group? Can traffic identified as kerberos use the port UDP 123 since theres the app-id ntp in the same application group as kerberos?

 

Thanks in advance!

2 REPLIES 2

L1 Bithead

I think I found the answer to this but want to confirm 🙂 

 

 

by minow
on ‎07-01-2015 05:48 AM
 

another important thing to put in mind

1) if you choose application-default this will cause that only the identified application will be allowed on this port for example it you put ssh and web-browsing on the same rule, web-browsing wont be allowed on port 22 but if you will put on the service tab tcp-80 and tcp-22 both ssh and web-browsing will be allowed on both of the port

 

2) another thing is if you put a non tcp/udp application and you do specify a specific service this application wont be matched on that rule

indeed,application-default will enforce the default ports per application, so if you have a group of apps in a policy, they will not be able to use eachother's ports (ftp on port 80 will not work if app-default is enabled)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 1861 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!