security policies: application vs service


L1 Bithead

how are application and service treated in a given policy?

multiple apps in a policy?

multiple services in a policy?

apps and services in a policy?

how are the different scenarios and'ed or or'ed?

Thanks

David

8 REPLIES

L5 Sessionator

Hello David,

Scenario-1:

Application - Web-browsing and service - any

In the above policy the firewall will allow traffic if it is identified as web-browsing on any service.

Scenario-2:

Application - web-browsing and service - application-default

In the above policy the firewall will allow traffic if it is identified as web-browsing and destined for port 80 (the default port for web browsing).

Scenario-3:

Application - any and service - tcp/80

In the above policy the firewall will allow traffic if it is destined to port 80, irrespective of application.

So it's like an AND operation between application and service.

Hope this helps.

Regards,

Hari Yadavalli

L7 Applicator

Hello David,

The Application will be identified based on the application signatures available in the database or a custom application created by a user. So you may select multiple applications on a given policy at the same time. The "service" option is a second layer of security to allow applications on their well-known ports (application-default) or any port (any).

If you have configured multiple "services" based on the port number, you can select only the related applications on the policy to allow that traffic.

Example: if you select the application "web-browsing" and set the service to "application-default", the PAN firewall will only allow web-browsing traffic on TCP/80. But if you select the application "web-browsing" and the service "any", it will allow web-browsing traffic on any TCP port.

Hope this helps.

Thanks

L6 Presenter

Hello David,

Services are port numbers in a traditional firewall. Let's say on any other vendor's firewall, to allow "web-browsing" it is required to allow port 80.

If someone tunnels gaming traffic in an HTTP header, that will still be allowed in a traditional firewall because it will flow on port 80.

To avoid this security violation, Palo Alto Networks has an application field in the policy. In this scenario the traffic will be identified as gaming traffic and it will be blocked.

In a Palo Alto Networks firewall one has to specify both application and service.

Regards,

Hardik Shah

Hello dthibodeaux,

You can understand it this way:

In a security policy, the match will be for (source zone, address, user, HIP, destination zone, address, service, URL category). To this, the ACTION is applied, i.e. allow/deny. If security profiles are attached, then the ACTION will be based on the decision taken by the security profiles like URL, threat etc.

For example:

source zone- SZn1, SZn2...(or Any)

source address- Saddr1, Saddr2...(or Any)

source user- Susr1, Susr2...(or Any)

hip profile- Hp1, Hp2...(or Any)

Destination zone- Dzn1, Dzn2....(or Any)

Destination address- Daddr1, Daddr2....(or Any)

Service- Srvc1, Srvc2...(or Any)

URL-Category - Ctgry1, Ctgry2...(or Any)

Logic will be like this (rule match is a top-down approach):

RULE1:

((Szn1 or Szn2 or ...) AND (Saddr1 or Saddr2 or ...) AND (Susr1 or Susr2 or ...) AND (Hp1 or Hp2 or ...) AND (Dzn1 or Dzn2 or ...) AND (Daddr1 or Daddr2 or ...) AND (Srvc1 or Srvc2 or ...) AND (Ctgry1 or Ctgry2 or ...))

RULE2:

((Szn1 or Szn2 or ...) AND (Saddr1 or Saddr2 or ...) AND (Susr1 or Susr2 or ...) AND (Hp1 or Hp2 or ...) AND (Dzn1 or Dzn2 or ...) AND (Daddr1 or Daddr2 or ...) AND (Srvc1 or Srvc2 or ...) AND (Ctgry1 or Ctgry2 or ...))

To this match, the ACTION is applied based on security profiles.

Let us know if that helps.

Regards,

Dileep

Sorry, I missed 'APPLICATIONS' in the above example. But the same logic is applied for Applications as well, i.e.

((Szn1 or Szn2 or ...) AND (Saddr1 or Saddr2 or ...) AND (Susr1 or Susr2 or ...) AND (Hp1 or Hp2 or ...) AND (Dzn1 or Dzn2 or ...) AND (Daddr1 or Daddr2 or ...) AND (App1 or App2 or ...) AND (Srvc1 or Srvc2 or ...) AND (Ctgry1 or Ctgry2 or ...))

Regards,

Dileep

L4 Transporter

Hey,

Application and services in a Palo Alto security policy.

Leaving the application part aside for a second, Palo Alto should be like all other layer 4 firewalls: first the policy will build a "layer 4" security policy based on source, destination and service, and by this policy it will allow/block traffic.

When you put in the applications part of the policy, Palo Alto should still first build a layer 4 policy (that is because an application can only be recognized after a certain amount of packets).

So first Palo Alto will see an IP packet and will look for an allow rule in the built "layer 4" policy; if a match is found for allow, the PA will allow traffic to pass until it is able to recognize the application.

Once the application is recognized, the PA will check if the application matches the rule; if it does not match, it will look for another rule that matches both application and service port, and if none is found it will drop the traffic (this is why you may see traffic matched on a non-relevant rule).

So here you get Palo Alto's addition to the services column, which is application-default, so you almost shouldn't care on what ports applications are running,

EXCEPT on allow rules where:

1) the application uses ANY ports

2) your application does not use default ports

If you put an allow rule with service any (or application-default with an application that uses any service), remember that the PA will first allow traffic based on the "layer 4" policy, so you will allow a port scan to your resource until the application is found.

In a deny rule it is important to use ANY in the service, because you want to block the application no matter what port it is running on.

And also non-TCP/UDP applications will not match on a rule with specific services (only any / application-default).

So when building this layer 4 policy on a rule with application-default, the PA will take all the ports in the application information.

Also pay attention to the "hierarchy" of an application, and that during a session the PA may re-evaluate the recognized application based on the application configuration.
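Added example, not code from the thread or from the vendor: a small Python model of the matching logic the replies describe (OR within a field, AND across fields, first match top-down), covering Hari's three application/service scenarios and the layer-4-first evaluation in the last reply, where `app=None` stands for the first packets of a session before App-ID has a verdict. The default-port table, rule names and the `Rule`/`decide` helpers are constructed for illustration.

```python
"""Toy model of how a Palo Alto style security policy combines the
Application and Service fields (added example, constructed values).
Within a field the values are OR'ed ("any" matches all); across fields
they are AND'ed; rules are tried top to bottom and the first match wins."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the default ports App-ID knows per application.
APP_DEFAULT_PORTS = {"web-browsing": {("tcp", 80)}, "ssl": {("tcp", 443)}}

@dataclass
class Rule:
    name: str
    action: str          # "allow" or "deny"
    apps: set            # application names, or {"any"}
    services: set        # "any", "application-default" and/or (proto, port) tuples

def service_match(rule: Rule, app: Optional[str], proto: str, port: int) -> bool:
    """OR over the rule's service values for this flow."""
    if "any" in rule.services or (proto, port) in rule.services:
        return True
    if "application-default" in rule.services:
        # Before App-ID has a verdict (app is None) only a layer-4 check is
        # possible, so every listed app's default ports count; once the app
        # is identified, only that application's own default ports do.
        apps = {app} if app else (APP_DEFAULT_PORTS if "any" in rule.apps else rule.apps)
        return any((proto, port) in APP_DEFAULT_PORTS.get(a, set()) for a in apps)
    return False

def first_match(rules, app: Optional[str], proto: str, port: int) -> Optional[Rule]:
    """Top-down lookup: the first rule where application AND service both match."""
    for rule in rules:
        app_ok = app is None or "any" in rule.apps or app in rule.apps
        if app_ok and service_match(rule, app, proto, port):
            return rule
    return None

def decide(rules, app: Optional[str], proto: str, port: int) -> str:
    """Action of the matching rule, or 'drop' when nothing matches."""
    rule = first_match(rules, app, proto, port)
    return rule.action if rule else "drop"

# The three scenarios from the thread, as constructed single-rule policies.
WEB_ANY = [Rule("web-any", "allow", {"web-browsing"}, {"any"})]
WEB_DEFAULT = [Rule("web-default", "allow", {"web-browsing"}, {"application-default"})]
ANY_80 = [Rule("any-80", "allow", {"any"}, {("tcp", 80)})]
```

Running `first_match(WEB_DEFAULT, None, "tcp", 80)` and then `decide(WEB_DEFAULT, "gaming", "tcp", 80)` reproduces the two-phase behaviour: the layer-4 pre-match lets the first packets through, and the flow is dropped once App-ID identifies a non-matching application.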
