10-22-2018 09:47 PM
Need to know if we use application instead of service in security policy
When we use service then that will enable the firewall to take immediate action with the first observed packet based on port number.
When we use "application" in a rule, will that allow the firewall to take action only after enough packets are allowed for App-ID identification, regardless of the ports being used?
10-23-2018 12:56 AM
Hi @MP18
Ideally both
The services will be able to block/allow SYN packets based on the destination port, and applications will be able to identify if the packets flowing over port 80 are really web-browsing and not something else abusing the open port.
Setting the service to 'application-default' instead of a set of ports will enforce even tighter controls, as a mixed rule (i.e. ftp, ssh, dns, ...) will ensure tcp 21 is only used by ftp and not by ssh, which is allowed in the same rule.
10-23-2018 12:38 PM
Hello,
Also remember that the PAN lets the first few packets through so it can analyze them. It will then apply the policies that match. I try to write my policies as strict as possible and use Application everywhere I can so I don't run into an application that likes to port hop or spoof itself, as Reaper mentioned.
Regards,
10-23-2018 06:55 AM
Can you please confirm if this is right for application?
When we use "application" in a rule, that will allow the firewall to take action after enough packets are allowed for App-ID identification, regardless of the ports being used.
10-23-2018 10:22 AM
Only if you set Service to any. Then it will allow those specific applications through, regardless of which port the traffic is going through.
If you set Service to application-default, then it will only allow traffic through that matches the list of ports listed in the App-ID information for the application.
If you set a specific port/set of ports in the Service, then it will only allow traffic through that matches the application on the listed ports.
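The three cases in the reply above (Service set to any, to application-default, or to an explicit port list), together with the earlier point that the firewall lets a few packets through before App-ID has a verdict, can be walked through with a small model. This is an added illustration written for this thread, not PAN-OS code and not a description of the real matching engine: APP_DEFAULT_PORTS is a constructed stand-in for the App-ID default-port data, APP_ID_PACKETS is an assumed number of packets needed for identification, and Rule/Flow/evaluate are hypothetical names.

```python
"""Toy model of how a security rule decides a flow under the three
'service' settings discussed in this thread. Illustration only; the
real App-ID engine is more involved than this.

Assumptions made here:
  * the service (port) check happens on the first packet of the flow;
  * App-ID needs APP_ID_PACKETS packets before it knows the application,
    and those packets are forwarded while it decides;
  * APP_DEFAULT_PORTS is constructed sample data, not the real database.
"""
from dataclasses import dataclass

# Constructed stand-in for App-ID default ports: (protocol, port) per app.
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssh": {("tcp", 22)},
    "ftp": {("tcp", 21)},
    "dns": {("udp", 53), ("tcp", 53)},
}

APP_ID_PACKETS = 3  # assumed packets forwarded before App-ID has a verdict


@dataclass
class Rule:
    applications: set   # e.g. {"ftp", "ssh", "dns"}
    service: object     # "any", "application-default", or a set of (proto, port)


@dataclass
class Flow:
    proto: str
    dport: int
    true_app: str       # what App-ID will eventually identify this flow as


@dataclass
class Verdict:
    action: str         # "allow" or "deny"
    packets_passed: int # packets forwarded before the final decision
    reason: str


def service_matches_first_packet(rule, flow):
    """Port-only check on the first packet. 'any' always passes. With
    'application-default' the app is still unknown, so the only thing the
    port check can do is accept the union of the rule's apps' default ports;
    the per-app check comes later, once App-ID has identified the flow."""
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        allowed = set().union(*(APP_DEFAULT_PORTS[a] for a in rule.applications))
        return (flow.proto, flow.dport) in allowed
    return (flow.proto, flow.dport) in rule.service


def evaluate(rule, flow):
    # 1. First packet: block/allow on destination port alone.
    if not service_matches_first_packet(rule, flow):
        return Verdict("deny", 0, "port not permitted by service on first packet")
    # 2. Forward enough packets for App-ID to identify the application.
    passed = APP_ID_PACKETS
    if flow.true_app not in rule.applications:
        return Verdict("deny", passed, f"{flow.true_app} is not in the rule")
    # 3. application-default: the identified app must be on its own ports.
    if rule.service == "application-default":
        if (flow.proto, flow.dport) not in APP_DEFAULT_PORTS[flow.true_app]:
            return Verdict("deny", passed,
                           f"{flow.true_app} seen on non-default port {flow.dport}")
    return Verdict("allow", passed, "service and application both match")


if __name__ == "__main__":
    mixed = {"ftp", "ssh", "dns"}
    scenarios = [
        ("service any, web-browsing on 8080",
         Rule({"web-browsing"}, "any"), Flow("tcp", 8080, "web-browsing")),
        ("service any, ssh hiding on port 80",
         Rule({"web-browsing"}, "any"), Flow("tcp", 80, "ssh")),
        ("service tcp/80 only, web-browsing on 8080",
         Rule({"web-browsing"}, {("tcp", 80)}), Flow("tcp", 8080, "web-browsing")),
        ("application-default, ssh on tcp/21",
         Rule(mixed, "application-default"), Flow("tcp", 21, "ssh")),
        ("explicit ports 21/22/53, ssh on tcp/21",
         Rule(mixed, {("tcp", 21), ("tcp", 22), ("tcp", 53), ("udp", 53)}),
         Flow("tcp", 21, "ssh")),
    ]
    for label, rule, flow in scenarios:
        v = evaluate(rule, flow)
        print(f"{label}: {v.action} after {v.packets_passed} packets ({v.reason})")
```

Run as-is to see the five scenarios: web-browsing on a non-standard port is allowed only with Service set to any; ssh masquerading on port 80 gets its first few packets through before App-ID denies it; application-default is the only setting that denies ssh on tcp/21 in the mixed ftp/ssh/dns rule, whereas an explicit port list permits it because both the port and the application are individually in the rule.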
10-23-2018 02:27 PM
Many thanks Everyone.