service versus using an application for Rule match

Need to know if we use application instead of service in a security policy.

When we use service, then that will enable the firewall to take immediate action with the first observed packet based on port number.

When we use "application" in a rule, that will allow the firewall to take action after enough packets are allowed for App-ID identification, regardless of the ports being used?

MP

Hi @MP18

Ideally both.

The services will be able to block/allow SYN packets based on the destination port, and applications will be able to identify if the packets flowing over port 80 are really web-browsing and not something else abusing the open port.

Setting the service to 'application-default' instead of a set of ports will enforce even tighter controls, as a mixed rule (i.e. ftp, ssh, dns, ...) will ensure tcp 21 is only used by ftp and not ssh, which is allowed in the same rule.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Can you please confirm if this is right for application:

When we use "application" in a rule, that will allow the firewall to take action after enough packets are allowed for App-ID identification, regardless of the ports being used.

MP


Only if you set Service to any. Then it will allow those specific applications through, regardless of which port the traffic is going through.

If you set Service to application-default, then it will only allow traffic through that matches the list of ports listed in the App-ID information for the application.

If you set a specific port/set of ports in the Service, then it will only allow traffic through that matches the application on the listed ports.
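The three Service settings described in the replies above, as a simplified model of rule matching. This is an added example, not part of the thread and not PAN-OS code; the default-port table is constructed for illustration, and `Rule`, `port_allowed`, `session_allowed` and `compare` are hypothetical names.

```python
from dataclasses import dataclass

# Constructed, simplified default-port table (assumption; the real list
# is in each application's App-ID information on the firewall).
APP_DEFAULT_PORTS = {
    "ftp": {("tcp", 21)},
    "ssh": {("tcp", 22)},
    "dns": {("tcp", 53), ("udp", 53)},
}

@dataclass(frozen=True)
class Rule:
    applications: frozenset  # App-IDs listed in the rule
    service: object          # "any", "application-default", or a set of (proto, port)

def port_allowed(rule, proto, dport):
    """First-packet check: only protocol/port is known, the application is not."""
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        return any((proto, dport) in APP_DEFAULT_PORTS[a] for a in rule.applications)
    return (proto, dport) in rule.service

def session_allowed(rule, app, proto, dport):
    """Check once App-ID has identified the application on the session."""
    if app not in rule.applications:
        return False
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        # Each application is tied to its own default ports, not to the
        # union of the ports of every application in the rule.
        return (proto, dport) in APP_DEFAULT_PORTS[app]
    return (proto, dport) in rule.service

def compare(app, proto, dport):
    """Evaluate one identified session against the same mixed rule, three ways."""
    apps = frozenset({"ftp", "ssh", "dns"})
    services = {
        "any": "any",
        "application-default": "application-default",
        "explicit": frozenset({("tcp", 21), ("tcp", 22), ("tcp", 53), ("udp", 53)}),
    }
    return {name: session_allowed(Rule(apps, svc), app, proto, dport)
            for name, svc in services.items()}

if __name__ == "__main__":
    for case in [("ssh", "tcp", 21), ("ftp", "tcp", 21), ("ssh", "tcp", 2222)]:
        print(case, compare(*case))
```

The `("ssh", "tcp", 21)` case is the one the mixed-rule reply describes: an explicit port list lets ssh ride on tcp 21, while application-default does not.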

Hello,

Also remember that the PAN lets the first few packets through so it can analyze them. It will then apply the policies that match. I try and write my policies as strict as possible and use Application everywhere I can so I don't run into an application that likes to port hop or spoof itself as Reaper mentioned.

Regards,

Many thanks Everyone.

MP
