Services

Is there any way in the traffic monitor, or the ACC, or any other logs to see what services are being hit? I can see applications but not specifically services, though you can add specific services in the rules.


@jdprovine,

If you build out the same rule but specify the application field as [ ssl web-browsing ] then any application that gets identified further would be denied, which is generally why someone would put in this type of rule.

For example even when you have ssl-decryption disabled applications such as twitter-base, pinterest-base, facebook-base, google-base, and all of that are going to be denied. Once the firewall identifies the application then you would need to have a rule that either specifies the service/port that the application is using with 'any' app allowed or you would need to include said application in a security policy that actually allows the traffic.

BPry, I could try to identify the applications through the ACC and create another rule above the rule with any applications and the services http,https, and see if I can create a stricter rule and then eliminate the less strict rule.

Forget http and https.

This has nothing to do with the application; it is just how the default built-in service object is called in the firewall.

And a Service is just a port, nothing to do with a Layer 7 application.

So if you permit the Service called service-http then you permit tcp/80 and tcp/8080, and if you permit the Service called service-https then you permit tcp/443.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

So create a similar rule without the services and only add the applications that it is using as seen in the ACC.

So let's assume you have only 1 security policy that permits only the web-browsing application and the Service is application-default.

This permits web-browsing on tcp 80.


You open web browser and try to browse web.
Client computer will send TCP SYN.
Firewall will check if this SYN goes to port 80 (that is the only port that traffic is permitted out on). If not, then it is blocked and the application is logged as not-applicable (the firewall never got to application identification as the session was already dropped for not using the correct port).
If SYN came on port 80 then it is permitted through.
Server will reply with SYN ACK.
Client will send ACK and complete TCP 3way handshake.
Client will then send an HTTP GET (but we don't trust the client to identify the application).
Server will send back the website. Palo will identify if the traffic is web-browsing based on what comes back. So in the case of HTTP, the first 4 packets go through the firewall without actually knowing the application, relying only on the Service tcp/80.
If after that the firewall identifies that it is not web-browsing, then the session is blocked and the application that the firewall identified is marked in the session log.


You can create a top rule to allow web-browsing with Service application-default.

And below that, a fallback rule to allow any application with Service service-http (or create your custom tcp-80 service).
And then you can run a report to see what traffic matched against the second rule.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
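A small model of the two-phase matching and the top-rule/fallback-rule layout described in the post above, added here as an example (not code from the thread or from Palo Alto Networks). It assumes the port sets stated in the thread (service-http = tcp/80 and tcp/8080, service-https = tcp/443, web-browsing application-default = tcp/80); the policy names and the session list are constructed.

```python
"""Toy model of rule evaluation for the web-browsing / fallback pair described
in the thread (added example, not the firewall's real code). Port sets are the
ones the thread states; the rule names and sessions are constructed samples."""
from collections import Counter

SERVICE_PORTS = {"service-http": {80, 8080}, "service-https": {443}}
APP_DEFAULT_PORTS = {"web-browsing": {80}}  # only app this toy model knows

# Top-down policy: (rule name, application set, service object)
POLICY = [
    ("allow-web-browsing", {"web-browsing"}, "application-default"),
    ("fallback-any-on-80", {"any"}, "service-http"),
]


def service_permits(service, apps, port):
    """True if the rule's service object allows this destination port."""
    if service == "application-default":
        return any(port in APP_DEFAULT_PORTS.get(a, set()) for a in apps)
    return port in SERVICE_PORTS[service]


def evaluate(identified_app, port):
    """Return (rule_name, action, logged_app) for one session."""
    # Phase 1: the SYN arrives before any App-ID. If no rule permits the port,
    # the session is dropped and logged as not-applicable.
    if not any(service_permits(svc, apps, port) for _, apps, svc in POLICY):
        return ("none", "drop", "not-applicable")
    # Phase 2: the server's reply lets App-ID name the application; the first
    # rule matching both application and port wins.
    for name, apps, svc in POLICY:
        if ("any" in apps or identified_app in apps) and service_permits(svc, apps, port):
            return (name, "allow", identified_app)
    return ("none", "deny", identified_app)


def fallback_report(sessions):
    """The 'report on the second rule': apps that only got through via the fallback."""
    hits = Counter()
    for app, port in sessions:
        rule, action, _ = evaluate(app, port)
        if rule == "fallback-any-on-80" and action == "allow":
            hits[app] += 1
    return dict(hits)


SESSIONS = [  # constructed: (application identified by App-ID, destination port)
    ("web-browsing", 80), ("facebook-base", 80), ("web-browsing", 8080),
    ("ssh", 22), ("facebook-base", 80), ("ssl", 443),
]

if __name__ == "__main__":
    print(fallback_report(SESSIONS))  # apps to add to a stricter top rule
```

Sessions on ports no rule permits (22, 443 here, since the fallback only carries service-http) never reach App-ID and show up as not-applicable, exactly as the post describes.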

@jdprovine,

I don't believe you will ever really get rid of this rule and I personally wouldn't be too worried about it. To actually strictly use app-id on untrust based traffic you would essentially need to create a rule that incorporated every single app-id but those that you did not wish to allow from your trust to your untrust zone. This wouldn't be that hard to do, but maintaining this rule would take a lot of work as any app-id that PA identifies in the future would also need to be entered into this rule if you wish to allow access.

Depending on your security requirements it's likely not worth the time to actually attempt to fix this rule; 98% of environments that you visit will have the exact same type of rule assigned to their trust to untrust zones. Make sure that you have a good security profile assigned to this rule and call it done.

@BPry that is where Application Filters help you out.

Instead of creating static Application Groups you create dynamic Application Filters.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

How do you set up dynamic application filters?

Thanks

Just gonna leave this here: What are the recommended applications for internet access? 🙂

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

That is a very good question, reaper. I need to find out; this is a rule I did not create, but I am currently auditing all the rules.
