04-24-2017 08:33 AM
Is there any way in the traffic monitor, the ACC or any other logs to see what services are being hit? I can see applications but not specifically services, though you can add specific services in the rules.
04-24-2017 11:57 AM
If you build out the same rule but specify the application field as [ ssl web-browsing ], then any application that gets identified further would be denied, which is generally why someone would put in this type of rule.
For example, even when you have ssl-decryption disabled, applications such as twitter-base, pinterest-base, facebook-base, google-base, and all of that are going to be denied. Once the firewall identifies the application, you would need to have a rule that either specifies the service/port that the application is using with 'any' app allowed, or you would need to include said application in a security policy that actually allows the traffic.
04-24-2017 12:00 PM
BPry, I could try to identify the applications through the ACC, create another rule above the rule with any application and services http, https, and see if I can create a stricter rule and then eliminate the less strict rule.
04-24-2017 12:05 PM
Forget http and https.
This has nothing to do with the application; it is just how the default built-in service object is called in the firewall.
And Service is just a port, nothing to do with the Layer 7 application.
So if you permit the Service called service-http, then you permit tcp/80 and tcp/8080, and if you permit the Service called service-https, then you permit tcp/443.
04-24-2017 12:14 PM
So create a similar rule without the services and only add the applications that it is using, as seen in the ACC.
04-24-2017 12:25 PM
So let's assume you have only 1 security policy that permits only the web-browsing application and Service is application-default.
This permits web-browsing on tcp 80.
You open a web browser and try to browse the web.
The client computer will send a TCP SYN.
The firewall will check if this SYN goes on port 80 (that is the only port that traffic is permitted out). If not, then it is blocked and the application is logged as not-applicable (the firewall never got to application identification as it is already dropped for not using the correct port).
If the SYN came on port 80 then it is permitted through.
The server will reply with SYN ACK.
The client will send ACK and complete the TCP 3-way handshake.
The client will then send HTTP GET (but we don't trust the client to identify the application).
The server will send back the website. Palo will identify if the traffic is web-browsing based on what comes back. So in the case of HTTP the first 4 packets go through the firewall without actually knowing the application, just relying on Service tcp/80.
If after that the firewall identifies it is not web-browsing, then the session is blocked and the application that the firewall identified is marked in the session log.
You can create a top rule to allow web-browsing and Service application-default.
And below that a fallback rule to allow any application with Service service-http (or create your custom tcp-80 service).
And then you can run a report to see what traffic matched against the second rule.
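An added example, not from this thread or from Palo Alto Networks, that models the two-rule setup and the two-stage evaluation described in the reply above: the Service (port) is the only thing checked on the SYN, App-ID is known only after the server's reply, and a report then shows what landed on the fallback rule. The rule names, the app-to-default-port table and the sessions are constructed for illustration.

```python
# Built-in service objects as described in the thread (names assumed).
SERVICES = {"service-http": {80, 8080}, "service-https": {443}}
# Default ports per App-ID; a constructed subset, not the real App-ID database.
APP_DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "twitter-base": {80, 443}}

# Evaluated top-down, first match wins. Rule names are assumptions.
RULES = [
    {"name": "allow-web-browsing", "apps": {"web-browsing"}, "service": "application-default"},
    {"name": "fallback-any-on-http", "apps": {"any"}, "service": "service-http"},
]

def rule_ports(rule, app=None):
    """Ports a rule permits; application-default resolves through the app's default ports."""
    if rule["service"] == "application-default":
        apps = rule["apps"] if app is None else {app}
        return set().union(*(APP_DEFAULT_PORTS.get(a, set()) for a in apps))
    return SERVICES[rule["service"]]

def evaluate(port, identified_app, rules=RULES):
    """Return the session-log entry for a session on `port` whose App-ID turns out to be `identified_app`."""
    # Stage 1, on the SYN: only the Service can be checked; App-ID is still unknown.
    if not any(port in rule_ports(r) for r in rules):
        return {"action": "deny", "app": "not-applicable", "rule": None}
    # Stage 2, after the server's reply: App-ID is known; first rule matching app AND port wins.
    for r in rules:
        app_ok = "any" in r["apps"] or identified_app in r["apps"]
        if app_ok and port in rule_ports(r, identified_app):
            return {"action": "allow", "app": identified_app, "rule": r["name"]}
    # Permitted through on port alone, then identified as something no rule allows.
    return {"action": "deny", "app": identified_app, "rule": None}

def fallback_report(sessions, rules=RULES):
    """Count identified applications that matched the fallback rule, like the report suggested above."""
    hits = {}
    for port, app in sessions:
        if evaluate(port, app, rules)["rule"] == "fallback-any-on-http":
            hits[app] = hits.get(app, 0) + 1
    return hits

# Constructed sessions: (destination port, application identified after the server reply).
SESSIONS = [(80, "web-browsing"), (80, "twitter-base"), (8080, "web-browsing"),
            (443, "ssl"), (80, "twitter-base")]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s, "->", evaluate(*s))
    print("fallback rule hits:", fallback_report(SESSIONS))
```

Passing `RULES[:1]` reproduces the single-rule case from the reply: a port-80 session later identified as twitter-base is permitted through on the SYN and then denied with twitter-base in the log.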
04-24-2017 02:25 PM
I don't believe you will ever really get rid of this rule and I personally wouldn't be too worried about it. To actually strictly use app-id on untrust based traffic you would essentially need to create a rule that incorporated every single app-id but those that you did not wish to allow from your trust to your untrust zone. This wouldn't be that hard to do, but maintaining this rule would take a lot of work as any app-id that PA identifies in the future would also need to be entered into this rule if you wish to allow access.
Depending on your security requirements it's likely not worth the time to actually attempt to fix this rule; 98% of environments that you visit will have the exact same type of rule assigned to their trust to untrust zones. Make sure that you have a good security profile assigned to this rule and call it done.
04-24-2017 03:47 PM
@BPry that is where Application Filters help you out.
Instead of creating static Application Groups you create dynamic Application Filters.
04-25-2017 05:50 AM
How do you set up dynamic application filters?
04-26-2017 01:16 AM
just gonna leave this here : What are the recommended applications for internet access? 🙂
04-27-2017 08:25 AM
That is a very good question, reaper. I need to find out; this is a rule I did not create, but I am currently auditing all the rules.