Services

Services

L4 Transporter

Is there any way in the traffic monitor, the ACC, or any other logs to see what services are being hit? I can see applications but not specifically services, though you can add specific services in the rules.


Cyber Elite

Not that I'm aware. You could just modify the port information since that essentially will determine the service; but the PA being application based, the end goal would really be to App-ID all traffic and create custom App-IDs where needed.

By service you mean destination port?

If yes, then just add this column into the Monitor > Traffic view.

port.PNG

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI

No, I mean services. I have it set to show my port in my traffic monitor already, but I want to be sure what Palo Alto is defining as services, since they give the option to add it in their rules. I was surprised there was no option to filter by services.

The Service field under Policies > Security is just the destination port number.
If you want to filter traffic in Monitor > Traffic, then just use a filter.

For example, the filter below will show traffic towards port 443:

( port.dst eq 443 )


port2.PNG

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI

Services = port number (e.g. TCP port 80)

@Raido_Rattameister you were quicker :0

Okay

So if I have the application web-browsing or http, are they always port 80?

Or if I have https or ssl, are they always port 443?

I guess I am curious why it is interchangeable to either use the application or the port.

If you create a policy to allow tcp/80, then this will allow any application that is capable of running over port 80 (even Skype).

If you allow application web-browsing and service application-default, then web-browsing can run only on its default port.

Now if you need to access a website that runs on some random port, then you need to create a policy where the application is web-browsing and the service is the destination port you need.

A good example is if you decrypt SSL.

In this case you first need to permit SSL on the default port, that is 443.

Now if Palo removes decryption, then inside SSL there is web-browsing.

But on what port does it run? 443.

So you need a dedicated rule to allow web-browsing on tcp/443, as 443 is not in the default port list of the web-browsing application.

So a service is just a port number.

An application is a Layer 7 application identified by the firewall.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI

That was a great response Raido, so what do you think is going on in this example that is from a rule on my firewall?

service.PNG

@jdprovine

Under the Applications tab under Objects, every application will list the 'standard' ports that the application will utilize. In the case of web-browsing, then yes, the only port allowed is tcp/80; SSL only lists tcp/443; SMTP will list tcp/25,587.

The application and port/service settings are not really 'interchangeable': yes, SMTP will function fine if I open tcp-25, but then anything else could also potentially use tcp-25.

A better example would be something like a large SQL environment where I have a large number of non-standard ports open for the different database connections; in this case I will specify the application as mssql-db/mon depending on the connection and then specify a custom service for something like tcp-64280 or tcp-63180. Obviously I don't want every single application that could use these ports to actually be allowed, so as long as I have mssql specified I can rest relatively easy knowing that only the SQL connections will actually be allowed. If you simply allow the service and specify 'application any', then you are missing the vast majority of the advantages that come with a Palo Alto firewall.
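To make the application-vs-service distinction from the two replies above concrete, here is an added toy model of how a rule's Application and Service fields combine when a session is matched (example code, not from the thread or from Palo Alto). The default ports, rule names, and sessions below are constructed for the illustration.

```python
# Added example (not from the thread): a toy model of how a Palo Alto
# security rule's Application and Service fields combine when matching
# a session, using the default ports mentioned in the thread.
# Rule names, rule order and session values below are constructed.

# Default ports per App-ID, as listed under Objects > Applications
# (only the apps the thread mentions).
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "smtp": {("tcp", 25), ("tcp", 587)},
}


def service_matches(rule_service, app, proto, port):
    """True if the session's transport port satisfies the rule's Service."""
    if rule_service == "any":
        return True
    if rule_service == "application-default":
        # The app may only run on the ports its App-ID object lists.
        return (proto, port) in APP_DEFAULT_PORTS.get(app, set())
    # Explicit service object such as "tcp/443" or a custom "tcp/64280".
    rproto, rport = rule_service.split("/")
    return proto == rproto and port == int(rport)


def first_match(rules, app, proto, port):
    """Name of the first rule that matches the session, or 'deny' (implicit)."""
    for rule in rules:
        app_ok = rule["app"] == "any" or rule["app"] == app
        if app_ok and service_matches(rule["service"], app, proto, port):
            return rule["name"]
    return "deny"


# Constructed rulebase reflecting the patterns discussed in the thread:
# app on application-default, app on an explicit port (decrypted SSL case),
# app plus custom service (the mssql case), and 'application any' on a port.
RULES = [
    {"name": "allow-web-default", "app": "web-browsing", "service": "application-default"},
    {"name": "allow-web-after-decrypt", "app": "web-browsing", "service": "tcp/443"},
    {"name": "allow-mssql-custom", "app": "mssql-db", "service": "tcp/64280"},
    {"name": "allow-any-on-80", "app": "any", "service": "tcp/80"},
]

if __name__ == "__main__":
    for app, proto, port in [("web-browsing", "tcp", 80), ("skype", "tcp", 80),
                             ("web-browsing", "tcp", 443), ("web-browsing", "tcp", 8080),
                             ("mssql-db", "tcp", 64280), ("ssh", "tcp", 64280)]:
        print(f"{app:12} {proto}/{port:<5} -> {first_match(RULES, app, proto, port)}")
```

Running it shows Skype on tcp/80 slipping through the 'application any' rule while ssh on the custom mssql port is denied, which is exactly the trade-off the reply above describes.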
