11-18-2016 11:15 AM
Hello, in the security policy that is set up, is it best to set the application and the services the same?
So this will help keep that security policy safe from an outside device trying to see what other applications can be used on that security policy.
An example would be an nmap script using GET commands with additional handshakes in the script, so the logging would look like
zone untrust zone trust source 1.1.1.1 dest 2.2.2.2 port 80 application is portmapper action is allow
You set the security policy to allow untrust zone to trust zone with application any, services 80 and 443.
Could this be used as a DoS attack if the application is not set the same as the services?
11-18-2016 11:24 AM - edited 11-19-2016 01:51 AM
Very good video tutorial:
https://live.paloaltonetworks.com/t5/Featured-Articles/Configuring-Your-Security-Policy/ta-p/78659
APP-ID should recognise the application even if it is running on the standard ports or pretends to be another application. It checks for signatures etc., not just port numbers.
I do not advise you to allow anything initiated from the Untrust (Internet) zone > Trust zone (unless you want your internal server to be accessible from the Internet).
11-28-2016 11:22 AM
Sorry for the late reply on this.
I did watch this video before posting the question; I did see that it is a good idea to make sure to set the application.
Can not setting Application be used as a DoS attack? Will it make the processors work harder to determine what application it is?
If so, could that lead to breaking the Palo Alto device?
11-28-2016 12:31 PM
The application inspection is actually one of the leading reasons that people buy a Palo Alto product, and while it does put an increased load on the processor, it is something that they are designed to handle. Further, the Palo Alto can actually be better at mitigating a DoS attack when set up properly, because it can drop packets for applications that you do not have publicly available.
If you are worried about a DoS attack, I would recommend that you set up DoS Profiles and Zone Protection profiles on your untrust interface; both of these will allow you to not only be alerted when you have a potential DoS attempt, but will automatically start to drop packets if your set limits are exceeded.
To point out as well, the PA firewall will actually stop doing application inspection if your processor reaches a certain percentage on new requests. This feature is to allow the firewall to continue to pass traffic and not 'lock up' because it's busy decrypting and analyzing the application.
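The thread turns on two things a defender can check for themselves: whether an allow rule from untrust to trust leaves the application set to "any" on a port-based service, and whether the traffic log shows allowed sessions where App-ID reported something other than the application expected on that port (the "port 80 application is portmapper action is allow" line from the question). The script below is an added example written for this page, not code from the thread or from Palo Alto Networks. It works on constructed, simplified rule records and on log lines in the same simplified shape the question quoted, not on real PAN-OS configuration or traffic-log output; the App-ID names `web-browsing` and `ssl` used as the expected applications for ports 80 and 443 are assumptions to adapt to your own policy.

```python
"""Audit helpers for the application-vs-service question above.

Check 1: flag allow rules that leave application = any on a port-based service.
Check 2: scan log lines for allowed sessions whose App-ID result is not what the
         destination port is expected to carry.
All data below is constructed sample data, not PAN-OS config or log format.
"""
import re
from typing import Dict, List, Optional, Set

# --- Check 1: policy rules (constructed, simplified representation) ----------
# "inbound-web-weak" is the rule the question describes (application any,
# services 80 and 443); "inbound-web-tight" pins the applications as well.
SAMPLE_RULES: List[dict] = [
    {"name": "inbound-web-weak", "from": "untrust", "to": "trust",
     "application": ["any"], "service": ["tcp/80", "tcp/443"], "action": "allow"},
    {"name": "inbound-web-tight", "from": "untrust", "to": "trust",
     "application": ["web-browsing", "ssl"], "service": ["tcp/80", "tcp/443"],
     "action": "allow"},
    {"name": "outbound-any", "from": "trust", "to": "untrust",
     "application": ["any"], "service": ["any"], "action": "allow"},
]


def rules_with_open_application(rules: List[dict], from_zone: str = "untrust",
                                to_zone: str = "trust") -> List[str]:
    """Names of allow rules from from_zone to to_zone whose application is 'any'."""
    return [
        r["name"] for r in rules
        if r["from"] == from_zone and r["to"] == to_zone
        and r["action"] == "allow" and "any" in r["application"]
    ]


# --- Check 2: traffic log lines (constructed, same shape as the question) ----
SAMPLE_LOGS: List[str] = [
    "zone untrust zone trust source 1.1.1.1 dest 2.2.2.2 port 80 application is web-browsing action is allow",
    "zone untrust zone trust source 1.1.1.1 dest 2.2.2.2 port 80 application is portmapper action is allow",
    "zone untrust zone trust source 1.1.1.1 dest 2.2.2.2 port 443 application is ssl action is allow",
    "zone untrust zone trust source 1.1.1.1 dest 2.2.2.2 port 443 application is ssh action is allow",
    "zone trust zone untrust source 2.2.2.2 dest 3.3.3.3 port 80 application is portmapper action is allow",
    "zone untrust zone trust source 1.1.1.1 dest 2.2.2.2 port 80 application is portmapper action is deny",
]

# Assumed expected App-ID names per service port; adjust to your environment.
EXPECTED_APPS: Dict[int, Set[str]] = {
    80: {"web-browsing"},
    443: {"ssl"},
}

LOG_RE = re.compile(
    r"zone (?P<src_zone>\S+) zone (?P<dst_zone>\S+) "
    r"source (?P<src>\S+) dest (?P<dst>\S+) "
    r"port (?P<port>\d+) application is (?P<app>\S+) action is (?P<action>\S+)"
)


def parse_log(line: str) -> Optional[dict]:
    """Parse one simplified log line into a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def allowed_app_mismatches(lines: List[str], expected: Dict[int, Set[str]] = EXPECTED_APPS,
                           from_zone: str = "untrust", to_zone: str = "trust") -> List[dict]:
    """Allowed from_zone->to_zone sessions whose App-ID is not expected on that port.

    Sessions on ports with no expectation, denied sessions and other zone pairs
    are skipped, so the output is only the cases a rule with application=any
    would have let through.
    """
    hits = []
    for line in lines:
        rec = parse_log(line)
        if rec is None or rec["action"] != "allow":
            continue
        if rec["src_zone"] != from_zone or rec["dst_zone"] != to_zone:
            continue
        wanted = expected.get(rec["port"])
        if wanted is not None and rec["app"] not in wanted:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    print("rules with application=any:", rules_with_open_application(SAMPLE_RULES))
    for h in allowed_app_mismatches(SAMPLE_LOGS):
        print(f"port {h['port']} carried {h['app']} from {h['src']} to {h['dst']} (allowed)")
```

Run against your own exported rules and logs by replacing the two sample lists; a hit from the second check is exactly the situation the first check is meant to prevent, so on a policy that already pins applications the second list should stay empty.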