06-01-2018 03:43 AM - edited 06-01-2018 03:44 AM
What are the risky ports we should not allow from user zone (internal network) to external network (internet / external network)? Like we don't allow 21/23 etc, please suggest other ports too.....
06-01-2018 05:18 AM
in the new age of Next Generation firewalls, ports do not matter as much as they used to
today a lot more protocols and applications use port 80 and 443 where older, more traditional, protocols would use their own port
App-ID will assist tremendously in identifying exactly what is traversing the firewall, versus simply monitoring the ports
each application comes with "application default" ports which will also help to close off 'unusual' ports
So if you create, for example, a rule that allows web-browsing, ssl and DNS and set the service ports to 'application default', only ports 80,443 and 53 will be 'open' for this rule
'threat' wise, ports 80 and 443 pose far more risks than any other ports combined, so leveraging App-ID with content scanning and threat protection would be a more secure route than relying on just ports
06-01-2018 04:09 AM
Go the other way, only allow 80, 443 and maybe few others on explicit requests. And implement app policy.
06-01-2018 04:13 AM
I think 80 is also should not be allowed, we used to allow http/https app id instead of ports but what are the most critical ports we should allow anyhow like 21/23.
06-01-2018 05:18 AM
in the new age of Next Generation firewalls, ports do not matter as much as they used to
today a lot more protocols and applications use port 80 and 443 where older, more traditional, protocols would use their own port
App-ID will assist tremendously in identifying exactly what is traversing the firewall, versus simply monitoring the ports
each application comes with "application default" ports which will also help to close off 'unusual' ports
So if you create, for example, a rule that allows web-browsing, ssl and DNS and set the service ports to 'application default', only ports 80,443 and 53 will be 'open' for this rule
'threat' wise, ports 80 and 443 pose far more risks than any other ports combined, so leveraging App-ID with content scanning and threat protection would be a more secure route than relying on just ports
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
